Re: config is silently ignored

Thanks Daniel and @lbutlr!

OK, did that.  I moved the auth user file lines from the *:80 to the
*:443 vhosts.  I also in desperation added 
<Directory / >
   Require all denied
</Directory>

to the :443 vhost.

Suddenly, going to the subdir gives me the login prompt!
But of course the top dir and all the other subdirs are not available.

Now I've put
<Directory /subdir>
   Require all denied
</Directory>

<Location /subdir>
# <Location "/var/www/aeolian/" >
   AllowOverride All
   AuthType Basic
   AuthName "admins only"
   AuthUserFile /etc/apache2/userpass.txt
   AuthGroupFile /etc/apache2/group
   Require group admins
</Location>

...and it works!

So the lessons learned are (as I understand it):

If you have anything that is redirecting http to https, any config in
*:80 vhosts is ignored.

To add any restriction such as the auth login above, you must first add
an overall restriction so that the login opens a way in through a door
closed by default.

I'm happy with any config that does the job, but if either of you would
improve the above please let me know.  In particular, where do I need
AllowOverride lines?

Thanks

Adrian

On Tue, 20 Apr 2021 15:08:21 +0200
Daniel <dferradal@xxxxxxxxx> wrote:

> Just define the appropriate *:80 virtualhosts with the redirects and
> without taking any shortcuts in the configuration like I showed you,
> if it works for you then you can worry later about making it all fancy
> and brief.
> 
> El mar, 20 abr 2021 a las 15:00, Adrian
> (<adrian@xxxxxxxxxxxxxx.invalid>) escribió:
> >
> > Thanks again
> >
> > So if I redirect to the https version I can put all my per-directory
> > config into the *:443 vhost entry?
> >
> > My worry is where that leaves some primitive browsers that don't
> > support SSL.  Can they not access the page at all?  Do they use the
> > *:80 vhost entry and bypass any config that's in the *:443 one?
> >
> > Or should I copy all config into both?
> >
> > Adrian
> >
> > On Tue, 20 Apr 2021 14:50:18 +0200
> > Daniel Ferradal <dferradal@xxxxxxxxxx> wrote:
> >  
> > > Generally I would never define virtualhosts with <Virtualhost *>,
> > > I think it is better and more straightforward to specify
> > > everything, especially when starting to admin your first apache
> > > servers. For example purposes, let's say I would define them like
> > > this in a more straightforward way:
> > >
> > > Listen 80
> > > Listen 443
> > >
> > > <Virtualhost *:80>
> > > ServerName whatever.example.com
> > > Redirect / https://whatever.example.com/
> > > CustomLog logs/whatevever.example.com.log common
> > > </VirtualHost>
> > >
> > > <VirtualHost *:443>
> > > ServerName whatever.example.com
> > > CustomLog logs/whatevever.example.com-ssl.log combined
> > > ..
> > > .
> > > .
> > > </VirtualHost>
> > >
> > > <Virtualhost *:80>
> > > ServerName somethingelse.example.com
> > > CustomLog logs/somethingelse.example.com.log common
> > >
> > > Redirect / https://somethingelse.example.com/
> > > </VirtualHost>
> > >
> > > <VirtualHost *:443>
> > > ServerName somethingelse.example.com
> > > CustomLog logs/somethingelse.example.com-ssl.log combined
> > > .
> > > .
> > > .
> > > </VirtualHost>
> > >
> > > I think this way it is quite hard to get lost.
> > > There are more brief setups you can go for but for a couple of
> > > domains it pays off to go like this,  I would recommend you to
> > > define everything clearly to know where everything is going
> > > instead of trying to take shortcuts.
> > >
> > > Also make sure to restart between changes gracefully or with a
> > > restart.
> > >
> > > And for testing use a client which does not cache contents, aka,
> > > "curl -Ik https://whatever.example.com/"
> > >
> > > A sidenote:
> > > Also, about the files you mention, take into account that for
> > > apache, config files do not mean much when interpreting the
> > > configuration, but context/sections and order in which directives
> > > have been defined really do. Most times you mention different
> > > config files, people in this list may not pay too much attention
> > > to their names because of it. Debian and other distros tend to
> > > convolute config files, making it look like a difficult mess for
> > > newcomers, when for small configurations, sometimes with few
> > > virtualhosts, it may pay off to go smaller or even single file.
> > >
> > > El mar, 20 abr 2021 a las 14:29, Adrian
> > > (<adrian@xxxxxxxxxxxxxx.invalid>) escribió:  
> > > >
> > > > Thanks again Daniel
> > > >
> > > > I've added a ServerName line to the top level vhost with the
> > > > name of my server.  No change.
> > > >
> > > > Yes, there are two files in sites-enabled, 000-default and
> > > > 000-ssl.  I suspect that's the cause of the problem.
> > > >
> > > > I'd thought that 000-ssl only had SSL-related things and had
> > > > assumed that the other settings defaulted to the values in
> > > > 000-default, but maybe not.  I see that both versions contain a
> > > > DocumentRoot.
> > > >
> > > > So that raises the question that if only one of these is being
> > > > used, and it's the SSL one using port 443, how do I configure
> > > > the change to work for port 80 requests?  Do I have to add the
> > > > same lines to both?
> > > >
> > > > Though in practice my http:// URLs are being redirected to
> > > > https:// somehow, so I can't tell how a port 80 request would
> > > > behave.
> > > >
> > > > Thanks
> > > > Adrian
> > > >
> > > > On Tue, 20 Apr 2021 13:38:08 +0200
> > > > Daniel Ferradal <dferradal@xxxxxxxxxx> wrote:
> > > >  
> > > > > Hello,
> > > > >
> > > > > This says you have two virtualhosts pointing to the same
> > > > > name, so only the first one will be used:
> > > > >
> > > > > (/etc/apache2/sites-enabled/000-default.conf:46) *:443
> > > > > is a NameVirtualHost default server www.example.org
> > > > > (/etc/apache2/sites-enabled/000-ssl:2) port 443 namevhost
> > > > > www.example.org
> > > > >
> > > > > But still that virtualhost you just pasted has no servername,
> > > > > so that one may be very well catching everything.
> > > > >
> > > > > These things can be quite easy to see if you are still in
> > > > > doubt. Define a specific access log for each virtualhost with
> > > > > different file names, check where you land.
> > > > >
> > > > > When defining several virtualhosts define a unique servername
> > > > > for each always. Remember first match wins.
> > > > >
> > > > > El mar, 20 abr 2021 a las 12:35, Adrian
> > > > > (<adrian@xxxxxxxxxxxxxx.invalid>) escribió:  
> > > > > >
> > > > > > Thanks Daniel.
> > > > > >
> > > > > > I had one redundant .htaccess file in the vhost domain, now
> > > > > > removed. Restarted and no change.
> > > > > >
> > > > > > Results of apachectl -S below:
> > > > > >
> > > > > > > apachectl -S
> > > > > > > [Tue Apr 20 11:22:05.839049 2021] [so:warn] [pid 2744] AH01574: module ssl_module is already loaded, skipping
> > > > > > > VirtualHost configuration:
> > > > > > > *:*                    is a NameVirtualHost
> > > > > > >          default server myserver.io (/etc/apache2/sites-enabled/000-default.conf:1)
> > > > > > >          port * namevhost myserver.io (/etc/apache2/sites-enabled/000-default.conf:1)
> > > > > > >          port * namevhost www.example.org (/etc/apache2/sites-enabled/000-default.conf:46)
> > > > > > > *:443                  is a NameVirtualHost
> > > > > > >          default server www.example.org (/etc/apache2/sites-enabled/000-ssl:2)
> > > > > > >          port 443 namevhost www.example.org (/etc/apache2/sites-enabled/000-ssl:2)
> > > > > > > ServerRoot: "/etc/apache2"
> > > > > > > Main DocumentRoot: "/var/www/html"
> > > > > > > Main ErrorLog: "/var/log/apache2/error.log"
> > > > > > > Mutex mpm-accept: using_defaults
> > > > > > > Mutex watchdog-callback: using_defaults
> > > > > > > Mutex rewrite-map: using_defaults
> > > > > > > Mutex ssl-stapling-refresh: using_defaults
> > > > > > > Mutex ssl-stapling: using_defaults
> > > > > > > Mutex proxy: using_defaults
> > > > > > > Mutex ssl-cache: using_defaults
> > > > > > > Mutex default: dir="/var/lock/apache2" mechanism=fcntl
> > > > > > > PidFile: "/var/run/apache2.pid"
> > > > > > > Define: DUMP_VHOSTS
> > > > > > > Define: DUMP_RUN_CFG
> > > > > > > User: name="www-data" id=33
> > > > > > > Group: name="www-data" id=33
> > > > > >
> > > > > > > There is a top-level vhost which maps "http://myserver.io"
> > > > > > > to the top-level docroot, though oddly it doesn't seem to
> > > > > > see the files there.  Here is the content.  Below this is
> > > > > > the vhost I originally listed, and below that another vhost
> > > > > > which maps a different domain to a different docroot.
> > > > > >
> > > > > > > <VirtualHost *>
> > > > > > >         ServerAdmin webmaster@localhost
> > > > > > >
> > > > > > >         DocumentRoot /var/www/
> > > > > > >         <Directory / >
> > > > > > >                 Options FollowSymLinks
> > > > > > >                 AllowOverride All
> > > > > > >         </Directory>
> > > > > > >         <Directory /var/www/>
> > > > > > >                 Options Indexes FollowSymLinks MultiViews
> > > > > > >                 AllowOverride All
> > > > > > >                 Require all granted
> > > > > > >                 # This directive allows us to have apache2's default start page
> > > > > > >                 # in /apache2-default/, but still have / go to the right place
> > > > > > >                 # RedirectMatch ^/$ /apache2-default/
> > > > > > >         </Directory>
> > > > > > >
> > > > > > >         ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
> > > > > > >
> > > > > > >         <Directory "/usr/lib/cgi-bin">
> > > > > > >                 AllowOverride None
> > > > > > >                 Options ExecCGI MultiViews SymLinksIfOwnerMatch
> > > > > > >                 Require all granted
> > > > > > >         </Directory>
> > > > > > >
> > > > > > >         ErrorLog /var/log/apache2/error.log
> > > > > > >
> > > > > > >         # Possible values include: debug, info, notice, warn, error,
> > > > > > >         # crit, alert, emerg.
> > > > > > >         LogLevel warn
> > > > > > >
> > > > > > >         LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
> > > > > > >         CustomLog /var/log/apache2/access.log combined
> > > > > > >         ServerSignature On
> > > > > > >
> > > > > > >     Alias /doc/ "/usr/share/doc/"
> > > > > > >     <Directory "/usr/share/doc/">
> > > > > > >         Options Indexes MultiViews FollowSymLinks
> > > > > > >         AllowOverride None
> > > > > > >         Require local
> > > > > > >     </Directory>
> > > > > > > </VirtualHost>
> > > > > >
> > > > > > There's nothing in apache2.conf that looks suspicious to me
> > > > > > but I can list it if it helps.
> > > > > >
> > > > > > Adrian
> > > > > >
> > > > > > On Tue, 20 Apr 2021 12:10:09 +0200
> > > > > > Daniel Ferradal <dferradal@xxxxxxxxxx> wrote:
> > > > > >  
> > > > > > > Check "apachectl -S" output in case there is some other
> > > > > > > virtualhost there getting the requests.
> > > > > > >
> > > > > > > That virtualhost as it is should deny access, if it is
> > > > > > > not, then there is something missing in what you show.
> > > > > > > Not sure if it may be another virtualhost or another
> > > > > > > virtualhost and .htaccess, etc.
> > > > > > >
> > > > > > > El mar, 20 abr 2021 a las 12:01, Adrian
> > > > > > > (<adrian@xxxxxxxxxxxxxx.invalid>) escribió:  
> > > > > > > >
> > > > > > > > using Apache/2.4.38 (Debian)
> > > > > > > > with Debian-style split config.
> > > > > > > >
> > > > > > > > Here are the relevant bits of a vhost.  This is
> > > > > > > > in /etc/apache2/sites-enabled/000-default.
> > > > > > > >
> > > > > > > > <VirtualHost *>
> > > > > > > > ServerName www.example.org
> > > > > > > > DocumentRoot /var/www/example
> > > > > > > > CustomLog /var/log/apache2/example/access.log combined
> > > > > > > >
> > > > > > > > <Directory "/var/www/example/" >
> > > > > > > >    # DISABLE THE ENTIRE DOCROOT
> > > > > > > >    Require all denied
> > > > > > > > </Directory>
> > > > > > > > </VirtualHost>
> > > > > > > >
> > > > > > > > I restarted Apache and browsed a page that isn't in
> > > > > > > > cache. It loaded as normal.
> > > > > > > >
> > > > > > > > My real question is that basic file auth is also
> > > > > > > > ignored, but I thought I'd start simple.
> > > > > > > >
> > > > > > > > Things that might be related, to rule them out:
> > > > > > > >   ${APACHE_LOCK_DIR} and ${APACHE_RUN_DIR} are not
> > > > > > > > defined.
> > > > > > > >
> > > > > > > >   I have the compatibility module loaded, as I migrated
> > > > > > > > from 2.2, but as far as I can see I have no remaining
> > > > > > > > 2.2 syntax in my config.
> > > > > > > >
> > > > > > > > Let me know what else you may need and I'll provide it.
> > > > > > > >
> > > > > > > > Thanks
> > > > > > > >
> > > > > > > >
> > > > > > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail:
> > > > > > > > users-unsubscribe@xxxxxxxxxxxxxxxx For additional
> > > > > > > > commands, e-mail: users-help@xxxxxxxxxxxxxxxx 
> > > > > > >
> > > > > > >  
> > > > > >
> > > > > >  
> > > > >
> > > > >  
> > > >
> > > >  
> > >
> > >  
> >
> >  
> 
> 

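The thread turns on two httpd 2.4 rules: which virtual host gets a request (vhosts on the request's port only, ServerName match first, otherwise the first one listed) and how per-directory sections merge (all `<Directory>` sections, shortest path first, before all `<Location>` sections, with a later Require replacing an earlier one under the default AuthMerging Off). The Python below is an added model of just those two rules, written for this page; it is not code from the thread or from Apache httpd. The `Require` forms it understands are `all denied`, `all granted` and `group NAME`; a vhost-level `Redirect` is modelled as short-circuiting the request before access control, which is what makes the *:80 vhost's other config irrelevant. The two configurations at the bottom are constructed: `WORKING` mirrors the setup Adrian ends up with, `DUPLICATE` mirrors the earlier failure where two vhosts on one port claim the same ServerName.

```python
"""Added example (not code from this thread or from Apache httpd): a small
model of httpd 2.4 virtual-host selection and <Directory>/<Location> merging,
restricted to the Require forms "all denied", "all granted" and "group NAME"."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Section:
    kind: str                      # "Directory" (filesystem path) or "Location" (URL path)
    path: str
    require: Optional[str] = None  # "all denied", "all granted" or "group NAME"


@dataclass
class VHost:
    port: int
    server_name: Optional[str]          # None models a vhost with no ServerName
    document_root: str = "/var/www"
    redirect_to: Optional[str] = None   # a vhost-level "Redirect / https://..."
    sections: list = field(default_factory=list)


def select_vhost(vhosts, port, host):
    """Only vhosts on the request's port count; a ServerName match wins,
    otherwise the first vhost listed for that port is the default."""
    candidates = [v for v in vhosts if v.port == port]
    for v in candidates:
        if v.server_name == host:
            return v
    return candidates[0] if candidates else None


def _under(path, prefix):
    """True if path is prefix or lies below it on a path-component boundary,
    so <Location /subdir> matches /subdir/page but not /subdirectory."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def effective_require(vhost, url_path):
    """Return the Require in force for url_path after merging, or None."""
    fs_path = vhost.document_root.rstrip("/") + url_path
    directories = sorted((s for s in vhost.sections if s.kind == "Directory"),
                         key=lambda s: len(s.path.rstrip("/")))
    locations = [s for s in vhost.sections if s.kind == "Location"]
    require = None
    for s in directories:                       # merged first, shortest path first
        if _under(fs_path, s.path) and s.require:
            require = s.require
    for s in locations:                         # merged last, so a Require here wins
        if _under(url_path, s.path) and s.require:
            require = s.require
    return require


def handle(vhosts, port, host, url_path, user=None, groups=()):
    """Return the status the modelled server answers with for one request."""
    vhost = select_vhost(vhosts, port, host)
    if vhost is None:
        return 0                                # nothing listens on that port
    if vhost.redirect_to:
        # modelled: a vhost-level Redirect is answered before access control,
        # so per-directory config in that vhost is never consulted
        return 301
    require = effective_require(vhost, url_path)
    if require is None or require == "all granted":
        return 200                              # 2.4 grants when no Require applies
    if require == "all denied":
        return 403
    if require.startswith("group "):
        if user is None:
            return 401                          # Basic auth challenge
        return 200 if require.split(" ", 1)[1] in groups else 403
    raise ValueError("unsupported Require: " + require)


# Constructed config mirroring the working setup at the top of this thread.
WORKING = [
    VHost(80, "www.example.org", redirect_to="https://www.example.org/"),
    VHost(443, "www.example.org", document_root="/var/www/example", sections=[
        Section("Directory", "/", require="all denied"),
        Section("Location", "/subdir", require="group admins"),
    ]),
]

# Constructed config for the earlier failure: two vhosts on one port claim the same
# ServerName, so the first one listed wins and the second one's sections never apply.
DUPLICATE = [
    VHost(443, "www.example.org", document_root="/var/www/html"),
    VHost(443, "www.example.org", document_root="/var/www/example", sections=[
        Section("Directory", "/var/www/example", require="all denied"),
    ]),
]

if __name__ == "__main__":
    for args in [(WORKING, 80, "www.example.org", "/subdir/"),
                 (WORKING, 443, "www.example.org", "/"),
                 (WORKING, 443, "www.example.org", "/subdir/page"),
                 (WORKING, 443, "www.example.org", "/subdir/page", "adrian", ("admins",)),
                 (DUPLICATE, 443, "www.example.org", "/")]:
        print(args[1], args[3], "->", handle(*args))
```

Running it reproduces the thread's observations: port 80 always redirects, `/` and every other path on 443 gets 403 from the `<Directory />` denial, `/subdir` challenges for credentials and admits only members of `admins`, and in the duplicate-name configuration the denial written into the second vhost has no effect at all, which is the symptom `apachectl -S` was used to diagnose.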