Ht credentials avoided by direct URL

Hi, have the following code in /etc/httpd/conf.d/ssl.conf

```apache
<VirtualHost xxx.xxx.xxx.xxx:443>
DocumentRoot "/var/www/html"
...
</VirtualHost>

<Directory "/var/www/html">
      AllowOverride All
      AuthType Basic
      AuthUserFile /etc/httpd/conf/webpass
      AuthName "RESTRICED ACCESS"
      require valid-user
      satisfy any
      Order allow,deny
      Deny from all
      Options -Indexes
</Directory>
```

Going to https://server.domain.tld the htpasswd dialogue pops up as it should. However, going to http://server.domain.tld/admin/config.php, no htpasswd dialogue box appears.

What might be the cause of this, since it was thought anything below /var/www/html requires credentials, such as /var/www/html/admin?

Thanks.

Because there is an .htaccess file in /var/www/html/admin that is overriding the Apache config. You should update your Apache config to not allow overrides, which it is allowing currently.

Hi,
Regardless of what is put into `<Directory "/var/www/html">` it doesn't stop anyone from getting to the FreePBX login page. ht is ignored. What does work is `mv .htaccess htaccess` in /var/www/html/admin. This way no one gets to the FreePBX login page if they can't get past entering correct credentials for the htpasswd box.

And how are you attempting to disallow the overrides? Show your actual work here so there isn’t guessing.

Already stated the fix above. In /var/www/html/admin:

```shell
/var/www/html/admin # mv .htaccess htaccess
```

In httpd ssl.conf have:

```apache
<Directory "/var/www/html">
AllowOverride AuthConfig FileInfo Options
AuthType Basic
AuthUserFile /etc/httpd/conf/webpass
AuthName "RESTRICTED ACCESS"
require valid-user
satisfy any
Order allow,deny
Deny from all
Options -Indexes
</Directory>
```

You are still allowing access here. Instead of allowing All directive access, you are now allowing three specific directives. AuthConfig is the directive for authentication, so you are still telling the server to allow .htaccess to override the auth configuration. Changing .htaccess to htaccess isn't a proper fix, as FreePBX could/probably will just write out the .htaccess file again.

Properly configuring your ssl.conf file will fix the problem. `AllowOverride None` stops the .htaccess file from doing anything.
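As an added illustration (not code from this thread or from FreePBX), a small Python lint that finds the pattern described in the reply above: `<Directory>` blocks that set HTTP auth but also permit a per-directory .htaccess to override it. The embedded sample config is constructed from the three variants posted in this thread; the path names other than /var/www/html are made up.

```python
import re

# Constructed sample: the three <Directory> variants seen in this thread.
SAMPLE_CONF = """
<Directory "/var/www/html">
      AllowOverride All
      AuthType Basic
      AuthUserFile /etc/httpd/conf/webpass
      AuthName "RESTRICTED ACCESS"
      require valid-user
</Directory>
<Directory "/var/www/site2">
      AllowOverride AuthConfig FileInfo Options
      AuthType Basic
      require valid-user
</Directory>
<Directory "/var/www/site3">
      AllowOverride None
      AuthType Basic
      require valid-user
</Directory>
"""

# Directives that mean "this block is protected by HTTP authentication".
AUTH_DIRECTIVES = {"authtype", "authuserfile", "authname", "require", "satisfy"}

def parse_directory_blocks(conf: str):
    """Return [(path, [non-comment directive lines])] for each <Directory> block."""
    blocks = []
    pattern = r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>'
    for m in re.finditer(pattern, conf, re.S | re.I):
        lines = [l.strip() for l in m.group(2).splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        blocks.append((m.group(1), lines))
    return blocks

def audit_overrides(conf: str):
    """Map each auth-protected block path to a finding.

    A block is weak when AllowOverride is absent (the effective value is then
    Apache's version-dependent default), All, or includes AuthConfig, because
    a .htaccess in a subdirectory can then replace the auth requirements."""
    findings = {}
    for path, lines in parse_directory_blocks(conf):
        if not any(l.split()[0].lower() in AUTH_DIRECTIVES for l in lines):
            continue  # no auth configured here, nothing to protect
        override = next((l.split()[1:] for l in lines
                         if l.lower().startswith("allowoverride")), None)
        if override is None:
            findings[path] = "AllowOverride not set; relies on server default"
        elif any(o.lower() in ("all", "authconfig") for o in override):
            findings[path] = "AllowOverride %s lets .htaccess override auth" % " ".join(override)
        else:
            findings[path] = "ok"
    return findings

if __name__ == "__main__":
    for path, verdict in audit_overrides(SAMPLE_CONF).items():
        print(path, "->", verdict)
```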

ssl.conf now has:

```apache
<Directory "/var/www/html">
      AllowOverride None
      # AuthConfig FileInfo Options
      AuthType Basic
      AuthUserFile /etc/httpd/conf/webpass
      AuthName "RESTRICTED ACCESS"
      require valid-user
      satisfy any
      Order allow,deny
      Deny from all
      Options -Indexes
</Directory>
```

Also:

```shell
# mv /var/www/html/admin/htaccess /var/www/html/admin/.htaccess
# systemctl restart httpd
```

Tried the URL for both / and /admin/config.php and you were right on; the htpasswd dialogue box pops up.

Thank you for your help with this.

Now what is being seen with `AllowOverride None` is a constant htpasswd dialogue box popup. Even when exiting FreePBX it displays the htpasswd dialogue box. So far the only solution is to add `require ip xx.xx.xx.0/24` for the range allowed into the FreePBX server. I think the problem lies in the .htaccess in /admin but, as you've written, that file would probably be overwritten on an update. There is a way to fix that too, but it might impact other URLs used to access other parts of FreePBX.
