We have an Apache2 server serving a PHP application with Kerberos authentication. We developed an API within the PHP application, and we want to access it without Kerberos auth, but we cannot manage to exclude the API from the Apache authentication mechanism.
Our previous Apache configuration without the API:
DocumentRoot /var/www/html/public
<Directory />
AllowOverride None
Order Allow,Deny
Allow from All
Header always append X-Frame-Options "DENY"
Header always append X-Content-Type-Options "nosniff"
AuthName "Login Kerberos"
Require valid-user
AuthType GSSAPI
AuthName "Kerberos Authentication"
GssapiCredStore keytab:/etc/krb5.keytab
GssapiAcceptorName HTTP
GssapiAllowedMech krb5
GssapiBasicAuth off
GssapiNegotiateOnce On
GssapiLocalName On
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
FallbackResource /index.php
</Directory>
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log proxy
And the configuration to serve the API without auth:
DocumentRoot /var/www/html/public
<Directory />
AllowOverride None
Order Allow,Deny
Allow from All
Header always append X-Frame-Options "DENY"
Header always append X-Content-Type-Options "nosniff"
AuthName "Login Kerberos"
Require valid-user
AuthType GSSAPI
AuthName "Kerberos Authentication"
GssapiCredStore keytab:/etc/krb5.keytab
GssapiAcceptorName HTTP
GssapiAllowedMech krb5
GssapiBasicAuth off
GssapiNegotiateOnce On
GssapiLocalName On
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
FallbackResource /index.php
</Directory>
<Location /api/>
Allow from All
AuthType None
Require all granted
Satisfy any
FallbackResource /index.php
</Location>
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log proxy
But it does not work. In the Apache log, we can see that auth_gssapi is waiting for auth data even when requesting /api:
[Tue Jan 30 10:32:14.500425 2024] [auth_gssapi:info] [pid 25] [client] NO AUTH DATA Client did not send any authentication headers
[Tue Jan 30 10:32:14.506344 2024] [ssl:info] [pid 22] [client] AH01964: Connection to child 1 established (server)
I did try to filter on our API path with LocationMatch:
<LocationMatch "^/(?!api)">
#AllowOverride None
Order Allow,Deny
Allow from All
Header always append X-Frame-Options "DENY"
Header always append X-Content-Type-Options "nosniff"
AuthName "Login Kerberos"
Require valid-user
AuthType GSSAPI
AuthName "Kerberos Authentication"
GssapiCredStore keytab:/etc/krb5.keytab
GssapiAcceptorName HTTP
GssapiAllowedMech krb5
GssapiBasicAuth off
GssapiNegotiateOnce On
GssapiLocalName On
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
FallbackResource /index.php
</LocationMatch>
<Location /api>
SetEnvIf Request_URI "^/api" noauth
Allow from All
AuthType None
Require env noauth
Satisfy any
FallbackResource /index.php
</Location>
I also tried to put the GSSAPI authentication block within an <If>:
<Directory />
<If "! %{REQUEST_URI} =~ /api/">
AuthName "Login Kerberos"
Require valid-user
AuthType GSSAPI
AuthName "Kerberos Authentication"
GssapiCredStore keytab:/etc/krb5.keytab
GssapiAcceptorName HTTP
GssapiAllowedMech krb5
GssapiBasicAuth off
GssapiNegotiateOnce On
GssapiLocalName On
</If>
Order Allow,Deny
Allow from All
Header always append X-Frame-Options "DENY"
Header always append X-Content-Type-Options "nosniff"
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
FallbackResource /index.php
</Directory>
But no luck either. Maybe I am missing some Apache logic; any ideas on how to disable authentication for this specific path?
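The following is an added example and is not part of the question above or the asker's configuration. It rests on an assumption about the failure: `FallbackResource /index.php` makes mod_dir look up `/index.php` as a separate subrequest, and that subrequest's URI no longer begins with `/api/`, so a `<Location /api/>` section, a `<LocationMatch>` exclusion, or an `<If "%{REQUEST_URI} ...">` test is evaluated against `/index.php` and the `<Directory />` Kerberos requirement applies to it. The exception here is keyed on an environment variable that mod_setenvif sets from the original request path and that Apache copies into the fallback subrequest; Apache evaluates `Require env` and `Require method` before the authentication hooks, so when that branch grants the request, mod_auth_gssapi is never asked for a ticket. The variable name `noauth` and the path pattern `^/api(/|$)` are illustrative choices, not from the original post. The 2.2-era `Order`, `Allow` and `Satisfy` directives (mod_access_compat) are left out because they do not combine with 2.4 `Require` logic.

```apache
# Added example (not the asker's config). Assumes the Kerberos challenge on
# /api/... comes from the FallbackResource subrequest for /index.php.

DocumentRoot /var/www/html/public

# Flag requests whose ORIGINAL path is under /api/ (anchored: "/apifoo" and
# "/foo/api/" must not match). Evaluated once per client request, before the
# fallback lookup of /index.php; the variable is inherited by that lookup.
SetEnvIf Request_URI "^/api(/|$)" noauth

<Directory />
    AllowOverride None

    Header always append X-Frame-Options "DENY"
    Header always append X-Content-Type-Options "nosniff"

    # Kerberos remains the only Apache-level authentication mechanism.
    AuthType GSSAPI
    AuthName "Kerberos Authentication"
    GssapiCredStore keytab:/etc/krb5.keytab
    GssapiAcceptorName HTTP
    GssapiAllowedMech krb5
    GssapiBasicAuth off
    GssapiNegotiateOnce On
    GssapiLocalName On

    # Authorization:
    #   - the method allow-list applies to everything, API included;
    #   - AND EITHER the request was flagged as an API request
    #     OR the client presented a valid Kerberos ticket.
    # When "Require env noauth" grants, Apache never runs the GSSAPI
    # authentication hook for that request, so no Negotiate challenge is sent.
    <RequireAll>
        Require method GET POST OPTIONS
        <RequireAny>
            Require env noauth
            Require valid-user
        </RequireAny>
    </RequireAll>

    FallbackResource /index.php
</Directory>

Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log proxy
```

Two checks are worth running after a reload: `curl -sI https://HOST/api/` (hypothetical endpoint) should answer without a `WWW-Authenticate: Negotiate` header and without the `NO AUTH DATA` line in the error log, while `curl -sI https://HOST/` should still return 401 with the Negotiate challenge. Since everything under `/api/` is now reachable with no Apache-level authentication, the PHP API must enforce its own authentication (for instance a bearer token checked in the application) and must not trust `REMOTE_USER`, which mod_auth_gssapi no longer sets for those requests.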