I’ve never seen this happen. In the words of Lewis Black, “I am confused.”
Apache.conf file for virtual host:
<Directory "/websites/this.domain.com/web/pluto">
    AllowOverride None
    AuthType Basic
    AuthName "plutoLivesHere"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user plutoAdmin
</Directory>
So, when I point my browser to
https://this.domain.com/pluto
Apache asks for my credentials.
BUT… when I open a fresh browser window (quit Firefox, clear all history, etc. and re-launch Firefox), and point to
https://this.domain.com/pluto/index.cfm
No auth required.
I can do this on any protected directory. Just accessing the directory itself requires credentials. Any CFM file will process and load without credentials. And that’s after multiple attempts to fix this, tinker with /conf/server.xml, clear out passwords in browser, clear history, cache, etc.
All web CFM files are www-data:www-data
What the?
After a long night and morning… the problem is “User-error!” Or, more appropriately, admin error.
The TL;DR solution was to use the “Location” directive properly.
I also decided to use the “Define” directive and move some common directories to a separate include conf file.
How to use the Define directive:
Define a variable called ‘listofusers’ holding the users who can access certain directories (see core - Apache HTTP Server Version 2.4).
It takes the form: Define parameter-name parameter-value
ex: Define myVar foobar
ex: Define myVar "foobar foobar1 foobar2"
Here is a virtual host conf file that works as intended (I have tested it) with CFM/AJP, and in this example, I am also redirecting any non SSL requests to SSL.
SSLStrictSNIVHostCheck on
<VirtualHost *:443>
    ServerAdmin adin@www.this-site.org
    ServerName www.this-site.org
    ServerAlias this-site.org w.this-site.org ww.this-site.org wwww.this-site.org
    DocumentRoot /websites/this-site/www.this-site.org/web
    DirectoryIndex index.cfm index.html

    # Send any non-www hostname to the canonical www host
    # (the captured path is not carried over, so the client lands on /)
    RewriteEngine On
    RewriteOptions Inherit
    RewriteCond %{HTTP_HOST} !^www\.
    RewriteRule ^(.*)$ https://www.this-site.org/ [R=301,L]

    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.this-site.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.this-site.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.this-site.org/chain.pem

    # Various common virtual host includes used in this CFM site
    Include /etc/apache2/my-apache-cf-ajp.conf
    Include /etc/apache2/my-apache-cf-secure-lucee.conf

    # Secured directories: list of users and include conf
    Define listofusers "adminuser1 adminuser2 simpleuser1"
    Include /etc/apache2/my-apache-secure-directories.conf

    <Directory "/websites/this-site/www.this-site.org/web">
        AllowOverride None
    </Directory>

    CustomLog /websites/this-site/www.this-site.org/log/www.this-site.org.ssl.access.log vhost_combined
    ErrorLog /websites/this-site/www.this-site.org/log/www.this-site.org.ssl.error.log
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel error
</VirtualHost>
And the critical include conf where the variable “listofusers” is passed in:
Contents of /etc/apache2/my-apache-secure-directories.conf:
# Any subdirectories named admin which derrick works with
<Location /admin>
    SSLRequireSSL
    AuthType Basic
    AuthName "AdminAarea"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user ${listofusers}
</Location>
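The root cause behind the post is worth spelling out, since the same mistake is easy to repeat: a `<Directory>` section is matched against the filesystem path httpd resolves for a request, and a request handed to mod_proxy (the AJP mapping that sends `.cfm` files to Lucee) never resolves to a local file, so the `<Directory>` block and its `Require` are simply never consulted for it. `<Location>` is matched on the URL path and applies whether the response comes from disk or from the proxy. The script below is an added example, not the poster's configuration or any Apache tooling: it parses a constructed config in the shape of the post's "before" and "after" blocks, expands `${listofusers}` the way `Define` does, and flags any `Require` that sits in a `<Directory>` section while a `ProxyPass`/`ProxyPassMatch` mapping exists. The `ProxyPassMatch` line is an assumption about what `my-apache-cf-ajp.conf` contains, since that file is not on the page.

```python
"""Audit an httpd config for auth placed in <Directory> while URLs are proxied.

Added example; assumes the CFM/AJP include (not shown on the page) carries a
ProxyPass/ProxyPassMatch mapping *.cfm/*.cfc to Lucee.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the post's original <Directory> auth block, the working
# <Location> block, and an ASSUMED AJP mapping standing in for the include.
SAMPLE_CONF = """\
Define listofusers "adminuser1 adminuser2 simpleuser1"
# Assumed contents of my-apache-cf-ajp.conf (not on the page):
ProxyPassMatch ^/(.+\\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2

<Directory "/websites/this.domain.com/web/pluto">
    AllowOverride None
    AuthType Basic
    AuthName "plutoLivesHere"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user plutoAdmin
</Directory>

<Location /admin>
    SSLRequireSSL
    AuthType Basic
    AuthName "AdminArea"
    AuthUserFile /etc/apache2/passwords/webauth
    Require user ${listofusers}
</Location>
"""

SECTION_RE = re.compile(
    r'^<(Directory|DirectoryMatch|Location|LocationMatch)\s+(.+?)\s*>$')
DEFINE_RE = re.compile(r'^Define\s+(\S+)\s+(.*)$')
PROXY_RE = re.compile(r'^(ProxyPass|ProxyPassMatch)\s+(\S+)', re.IGNORECASE)


def parse_defines(conf: str) -> Dict[str, str]:
    """Collect `Define name value` lines; a quoted value loses its quotes."""
    defines: Dict[str, str] = {}
    for line in conf.splitlines():
        m = DEFINE_RE.match(line.strip())
        if m:
            defines[m.group(1)] = m.group(2).strip().strip('"')
    return defines


def expand(text: str, defines: Dict[str, str]) -> str:
    """Substitute ${name} references the way httpd expands Define variables."""
    return re.sub(r'\$\{(\w+)\}',
                  lambda m: defines.get(m.group(1), m.group(0)), text)


def parse_sections(conf: str) -> List[Tuple[str, str, List[str]]]:
    """Return (container, argument, directive lines) for each container block.

    Nested containers are not modelled; the sample has none.
    """
    sections: List[Tuple[str, str, List[str]]] = []
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2).strip('"'), [])
            sections.append(current)
        elif line.startswith('</'):
            current = None
        elif current is not None and line and not line.startswith('#'):
            current[2].append(line)
    return sections


def proxy_mappings(conf: str) -> List[str]:
    """Source patterns of every ProxyPass / ProxyPassMatch line."""
    found: List[str] = []
    for line in conf.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            found.append(m.group(2))
    return found


def audit(conf: str) -> List[str]:
    """Flag Require directives whose container cannot cover proxied URLs."""
    defines = parse_defines(conf)
    proxies = proxy_mappings(conf)
    findings: List[str] = []
    for kind, arg, lines in parse_sections(conf):
        requires = [expand(l, defines) for l in lines
                    if l.split()[0].lower() == 'require']
        if not requires:
            continue
        # <Directory> only applies to files served from disk; a proxied
        # request never maps to a filesystem path, so it is never checked.
        if kind.startswith('Directory') and proxies:
            findings.append(
                f'{kind} "{arg}": "{requires[0]}" protects only files served '
                f'from disk; URLs matched by {", ".join(proxies)} are proxied '
                f'and bypass this section, so put the Require in <Location>')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Because `Require user` accepts several space-separated names, the quoted `Define` value expands into a valid single directive, which is why the include works unchanged across vhosts. After reloading, the check that actually settles the question is the one the post describes in prose: request a proxied file under the protected prefix from a fresh session (for example `curl -I https://www.this-site.org/admin/index.cfm`) and confirm it returns 401 rather than 200, and run `apache2ctl -t` first so a typo in the include does not leave the old config in place.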