Faulty logic in Require directive

Hi,

I'm having trouble with the speed of execution of authorization for a webdav site.  After a lot of trial and error I think there are two parts to this problem.  This email is addressing just the first part.  The problem, as I describe it, may sound trivial but I have cut the configuration down as far as I can to get at the root of the problem.  In its cut down state there is no noticeable response delay, but in the normal state of operation it can take 10 seconds to get a response from the server.  If anyone can point out what I might be doing wrong that would be great.

As is evident in the error log, with LogLevel set to trace 8, authorization checks are being executed twice when they should be executed only once.  The first execution fails with the message "authorization result of Require valid-user : denied (no authenticated user yet)".  That isn't correct because the Authorization header has been sent by the browser.  Indeed, the same check succeeds on the second execution of the authorization.  Here are the authorization directives:

  # To begin, allow read access to all valid users on the local network.

  <Limit GET OPTIONS PROPFIND>
    <RequireAll>
      Require ip 192.168 10
      Require valid-user
    </RequireAll>
  </Limit>

  # Deny write access to all folders.

  <LimitExcept GET OPTIONS PROPFIND>
    Require all denied
  </LimitExcept>

And here is the trace8 output for a single request:

[Wed Apr 15 19:31:54.899702 2020] [mpm_event:notice] [pid 24958:tid 139697261241472] AH00494: SIGHUP received.  Attempting to restart
[Wed Apr 15 19:31:54.910688 2020] [mpm_event:notice] [pid 24958:tid 139697261241472] AH00489: Apache/2.4.43 (Unix) configured -- resuming normal operations
[Wed Apr 15 19:31:54.910754 2020] [core:notice] [pid 24958:tid 139697261241472] AH00094: Command line: '/usr/local/apache2/bin/httpd'
[Wed Apr 15 19:31:57.870021 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of Require ip 192.168 10: granted
[Wed Apr 15 19:31:57.870121 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 15 19:31:57.870142 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Wed Apr 15 19:31:57.870159 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(737): [client 192.168.1.3:56123] AH01625: authorization result of Require all denied: neutral (directive limited to other methods)
[Wed Apr 15 19:31:57.870175 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Apr 15 19:31:57.871234 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of Require ip 192.168 10: granted
[Wed Apr 15 19:31:57.871302 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of Require valid-user : granted
[Wed Apr 15 19:31:57.871346 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of <RequireAll>: granted
[Wed Apr 15 19:31:57.871362 2020] [authz_core:debug] [pid 25551:tid 139697242527488] mod_authz_core.c(818): [client 192.168.1.3:56123] AH01626: authorization result of <RequireAny>: granted
[Wed Apr 15 19:31:57.872029 2020] [http:trace3] [pid 25551:tid 139697242527488] http_filters.c(1127): [client 192.168.1.3:56123] Response sent with status 200, headers:

If I change the "Require valid-user" directive to "Require all granted" the authorization is executed only once, which makes sense, but this is what I would expect in the case above.  For completeness, here is the entire configuration.

# Configure a webdav folder at /webdav on our server.

# This is where the webdav directory is served from on the local file
# system. 

ServerName skyler

Define ROOT /home/webdav

Alias /webdav ${ROOT}

# Configure the webdav directory.

<Directory ${ROOT}>

  LogLevel trace8

  Options MultiViews Indexes
  AllowOverride AuthConfig
  DAV On

  # Authentication is done by the Basic method using the postgres
  # database.  Webdav access generates a lot of requests so
  # mod_authn_socache is added for performance.
 
  AuthType Basic
  AuthName "henka"
  AuthBasicProvider file
  AuthUserFile htpasswd
  AuthGroupFile htgroup

  # To begin, allow read access to all valid users on the local
  # network.

  <Limit GET OPTIONS PROPFIND>
    <RequireAll>
      Require ip 192.168 10
      Require valid-user
    </RequireAll>
  </Limit>

  # Deny write access to all folders.

  <LimitExcept GET OPTIONS PROPFIND>
    Require all denied
  </LimitExcept>

</Directory>

And this is the request:

192.168.1.3 - mal [15/Apr/2020:19:31:57 +1000] "GET /webdav/ HTTP/1.1" 200 324

Thanks in advance
Mal
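As an added example (not part of Mal's post or of httpd itself), here is a small Python script that parses trace8 lines like those above, splits them into authz_core evaluation passes (a pass ends at the top-level <RequireAny> that the trace shows wrapping the section's directives) and measures the gap between the pre-authentication pass and the authenticated re-check. The sample lines are constructed from the trace in the post; the regex assumes the error_log layout shown there.

```python
import re
from datetime import datetime

# One authz_core result line (AH01625/AH01626) from an Apache 2.4 error_log at
# LogLevel trace8, in the layout shown in the post (assumption: default ErrorLogFormat).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authz_core:debug\] .*? AH0162[56]: authorization "
    r"result of (?P<directive>.+?): (?P<result>\w+)(?: \((?P<reason>[^)]*)\))?$")

def parse_ts(ts):  # e.g. "Wed Apr 15 19:31:57.870021 2020"
    return datetime.strptime(ts, "%a %b %d %H:%M:%S.%f %Y")

def authz_passes(lines):
    """Group result lines into passes; a pass ends at the top-level
    <RequireAny> that authz_core wraps around the section's directives."""
    passes, current = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        current.append(m)
        if m.group("directive").strip() == "<RequireAny>":
            passes.append({"outcome": m.group("result"), "reason": m.group("reason") or "",
                           "start": parse_ts(current[0].group("ts")), "end": parse_ts(m.group("ts"))})
            current = []
    return passes

def diagnose(lines):
    """Return (pass count, seconds between pass 1 and pass 2, note).
    A first pass denied with "no authenticated user yet" is authz_core evaluating the
    section before authentication; it then authenticates and re-runs the section.
    A long gap between the two passes points at the authentication step."""
    p = authz_passes(lines)
    if len(p) >= 2 and "no authenticated user yet" in p[0]["reason"]:
        gap = (p[1]["start"] - p[0]["end"]).total_seconds()
        return len(p), gap, "pre-auth pass denied, re-checked after authentication"
    return len(p), 0.0, "single pass: nothing required an authenticated user"

def _ll(ts, msg, code="AH01626"):  # builds one constructed trace8 line
    return (f"[Wed Apr 15 {ts} 2020] [authz_core:debug] [pid 25551:tid 1] "
            f"mod_authz_core.c(818): [client 192.168.1.3:56123] {code}: "
            f"authorization result of {msg}")

SAMPLE_LOG = [  # constructed from the trace in the post (pid/tid shortened)
    _ll("19:31:57.870021", "Require ip 192.168 10: granted"),
    _ll("19:31:57.870121", "Require valid-user : denied (no authenticated user yet)"),
    _ll("19:31:57.870142", "<RequireAll>: denied (no authenticated user yet)"),
    _ll("19:31:57.870159", "Require all denied: neutral (directive limited to other methods)", "AH01625"),
    _ll("19:31:57.870175", "<RequireAny>: denied (no authenticated user yet)"),
    _ll("19:31:57.871234", "Require ip 192.168 10: granted"),
    _ll("19:31:57.871302", "Require valid-user : granted"),
    _ll("19:31:57.871346", "<RequireAll>: granted"),
    _ll("19:31:57.871362", "<RequireAny>: granted"),
]
```

Run `diagnose()` over a real error_log for one slow request to see whether the delay falls between the two passes (the authentication provider) or inside them (the Require evaluation itself).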
