Basic Auth with exclusions

#1
I have successfully got HTTP Basic Auth working in a vhost. However, I need to make an exception for a particular directory which should be accessible without authentication (in particular I want to open up .well-known/acme-challenge so that we can automatically renew our LetsEncrypt SSL certificate).

I thought I could do this by adding a more specific context at the top of the list. So I now have this in my vhost config:

<contextList>
  <context>
    <type>NULL</type>
    <uri>/.well-known/acme-challenge/</uri>
    <allowBrowse>1</allowBrowse>
    <addDefaultCharset>off</addDefaultCharset>
    <apacheConf>Header always set X-MS-Context challenge</apacheConf>
  </context>
  <context>
    <type>NULL</type>
    <uri>/</uri>
    <allowBrowse>1</allowBrowse>
    <realm>Staginghub</realm>
    <addDefaultCharset>off</addDefaultCharset>
    <apacheConf>Header always set X-MS-Context base</apacheConf>
  </context>
</contextList>


Note, I added the X-MS-Context headers to help with troubleshooting.

However, this is not working. If we make a request to a URL that isn't in /.well-known/acme-challenge/ then we get the 401 response and I see the X-MS-Context header set to 'base', and we are forced to authenticate (good). If we make a request to a URL that is in /.well-known/acme-challenge/ then I see the X-MS-Context header set to 'challenge' (not 'base'), so I know the <uri> setting is correct, but we still get the 401 response and are forced to authenticate with Basic realm="Staginghub", even though there's no <realm> in that context.

Is this expected behaviour? Or a bug? Is there some other way to allow access to the /.well-known/acme-challenge/ directory without authentication?
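The troubleshooting method from the post (tag each context with an X-MS-Context header, then compare the response with that context's <realm>), written out as an added Python example; it is not part of the original post and not the server's own code. The observations are constructed from what the post reports, the request paths and function names are hypothetical, and the check encodes the poster's expectation that a context without <realm> should not challenge; it does not model how the server resolves realms.

```python
import xml.etree.ElementTree as ET

# contextList from the post, trimmed to the elements this check reads.
CONFIG = """<contextList>
  <context><uri>/.well-known/acme-challenge/</uri>
    <apacheConf>Header always set X-MS-Context challenge</apacheConf></context>
  <context><uri>/</uri><realm>Staginghub</realm>
    <apacheConf>Header always set X-MS-Context base</apacheConf></context>
</contextList>"""

# Constructed observations (path, status, headers) matching what the post reports.
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Staginghub"'}
OBSERVED = [
    ("/index.html", 401, {"X-MS-Context": "base", **CHALLENGE}),
    ("/.well-known/acme-challenge/test-token", 401,
     {"X-MS-Context": "challenge", **CHALLENGE}),
]

def load_contexts(xml_text):
    """Return (uri, realm or None, trace tag) for every <context>."""
    contexts = []
    for ctx in ET.fromstring(xml_text).iter("context"):
        conf = ctx.findtext("apacheConf", "")
        tag = conf.split()[-1] if "X-MS-Context" in conf else None
        contexts.append((ctx.findtext("uri"), ctx.findtext("realm"), tag))
    return contexts

def audit(contexts, observations):
    """Compare each response with the realm configured on the context
    that its X-MS-Context trace header says handled the request."""
    by_tag = {tag: (uri, realm) for uri, realm, tag in contexts if tag}
    findings = []
    for path, status, headers in observations:
        tag = headers.get("X-MS-Context")
        if tag not in by_tag:
            findings.append((path, None, "untagged", []))
            continue
        uri, realm = by_tag[tag]
        www = headers.get("WWW-Authenticate", "")
        if status == 401 and realm is None:
            # Name the context(s) whose realm appears in the challenge.
            source = [u for u, r, _ in contexts if r and f'realm="{r}"' in www]
            findings.append((path, uri, "unexpected-auth", source))
        elif status != 401 and realm is not None:
            findings.append((path, uri, "missing-auth", []))
        else:
            findings.append((path, uri, "ok", []))
    return findings

if __name__ == "__main__":
    for finding in audit(load_contexts(CONFIG), OBSERVED):
        print(finding)
```

The "unexpected-auth" finding for the challenge path lists "/" as the context whose realm appears in the 401, which is the mismatch the post describes.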
 