
We have an apache2 serving a PHP application, with Kerberos authentication. We developed an API within the PHP application, and we want to access it without Kerberos auth. But we cannot manage to exclude the API from the Apache authentication mechanism.

Our previous Apache configuration without the API:

    DocumentRoot /var/www/html/public
    
    <Directory />
            AllowOverride None
            Order Allow,Deny
            Allow from All
            Header always append X-Frame-Options "DENY"
            Header always append X-Content-Type-Options "nosniff"
            AuthName "Login Kerberos"
            Require valid-user
            AuthType GSSAPI
            AuthName "Kerberos Authentication"
            GssapiCredStore keytab:/etc/krb5.keytab
            GssapiAcceptorName HTTP
            GssapiAllowedMech krb5
            GssapiBasicAuth off
            GssapiNegotiateOnce On
            GssapiLocalName On

            <LimitExcept GET POST OPTIONS>
              Require all denied
            </LimitExcept>

            FallbackResource /index.php
    </Directory>

    Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log proxy

and to serve the API without auth:

    DocumentRoot /var/www/html/public
    
    <Directory />
            AllowOverride None
            Order Allow,Deny
            Allow from All
            Header always append X-Frame-Options "DENY"
            Header always append X-Content-Type-Options "nosniff"
            AuthName "Login Kerberos"
            Require valid-user
            AuthType GSSAPI
            AuthName "Kerberos Authentication"
            GssapiCredStore keytab:/etc/krb5.keytab
            GssapiAcceptorName HTTP
            GssapiAllowedMech krb5
            GssapiBasicAuth off
            GssapiNegotiateOnce On
            GssapiLocalName On

            <LimitExcept GET POST OPTIONS>
              Require all denied
            </LimitExcept>

            FallbackResource /index.php
    </Directory>

    <Location /api/>
            Allow from All
            AuthType None
            Require all granted
            Satisfy any
            FallbackResource /index.php
    </Location>
    Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log proxy

But it does not want to work; in the Apache log, we can see that auth_gssapi is waiting for auth data even when requesting /api:

    [Tue Jan 30 10:32:14.500425 2024] [auth_gssapi:info] [pid 25] [client] NO AUTH DATA Client did not send any authentication headers
    [Tue Jan 30 10:32:14.506344 2024] [ssl:info] [pid 22] [client] AH01964: Connection to child 1 established (server)

I did try to filter over our API path with LocationMatch:

    <LocationMatch "^/(?!api)">
            #AllowOverride None
            Order Allow,Deny
            Allow from All
            Header always append X-Frame-Options "DENY"
            Header always append X-Content-Type-Options "nosniff"
            AuthName "Login Kerberos"
            Require valid-user
            AuthType GSSAPI
            AuthName "Kerberos Authentication"
            GssapiCredStore keytab:/etc/krb5.keytab
            GssapiAcceptorName HTTP
            GssapiAllowedMech krb5
            GssapiBasicAuth off
            GssapiNegotiateOnce On
            GssapiLocalName On

            <LimitExcept GET POST OPTIONS>
              Require all denied
            </LimitExcept>

            FallbackResource /index.php
    </LocationMatch>

    <Location /api>
            SetEnvIf Request_URI "^/api" noauth
            Allow from All
            AuthType None
            Require env noauth
            Satisfy any
            FallbackResource /index.php
    </Location>

I also did try to put the GSSAPI authentication block within an If:

    <Directory />
             <If "! %{REQUEST_URI} =~ /api/">
                    AuthName "Login Kerberos"
                    Require valid-user
                    AuthType GSSAPI
                    AuthName "Kerberos Authentication"
                    GssapiCredStore keytab:/etc/krb5.keytab
                    GssapiAcceptorName HTTP
                    GssapiAllowedMech krb5
                    GssapiBasicAuth off
                    GssapiNegotiateOnce On
                    GssapiLocalName On
            </If>

            Order Allow,Deny
            Allow from All
            Header always append X-Frame-Options "DENY"
            Header always append X-Content-Type-Options "nosniff"

            <LimitExcept GET POST OPTIONS>
              Require all denied
            </LimitExcept>

            FallbackResource /index.php
    </Directory>

But no luck either. Maybe I am missing some Apache logic; any ideas on how to disable authentication for this specific path?

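For comparison, the same exemption written with Apache 2.4 directives only. This is an added example, not the question's configuration or a posted answer; it assumes Apache 2.4 with mod_auth_gssapi loaded and keeps the paths from the question.

```apacheconf
DocumentRoot /var/www/html/public

# Authentication is scoped to the document root rather than to "/", and the
# 2.2-era mod_access_compat directives (Order, Allow, Satisfy) are dropped:
# in 2.4, mixing them with Require makes the merged result hard to reason about.
<Directory /var/www/html/public>
    AllowOverride None
    AuthType GSSAPI
    AuthName "Kerberos Authentication"
    GssapiCredStore keytab:/etc/krb5.keytab
    GssapiAcceptorName HTTP
    GssapiAllowedMech krb5
    GssapiBasicAuth off
    GssapiNegotiateOnce On
    GssapiLocalName On
    Require valid-user

    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>

    FallbackResource /index.php
</Directory>

# Location sections are merged after Directory sections, so for any request
# URI under /api these two lines replace the inherited AuthType and Require.
# Everything under /api is then reachable by anyone who can reach the vhost,
# so the PHP API itself must enforce whatever access control it needs.
<Location /api>
    AuthType None
    Require all granted
</Location>

# Response headers do not depend on the auth decision; server scope is enough.
Header always append X-Frame-Options "DENY"
Header always append X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"

ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log proxy
```

After a reload, `curl -sI https://<host>/api/<endpoint>` (hostname and endpoint are placeholders) should return neither a 401 nor a `WWW-Authenticate: Negotiate` header, while the same request against `/` still should. If the API path still gets a 401, check whether the auth decision is being made for the internal redirect that `FallbackResource /index.php` performs rather than for the original `/api` URI.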
