Hi,
I am trying to prevent unauthorized access to http(s)://support.domain.local/scp using this Apache basic LDAP auth config. Interestingly enough, I found a similar issue reported back in 2014 but no solution; the issue here has nothing to do with HTTP-Passthru:
<VirtualHost *:80>
  ServerName support.domain.local
  RewriteEngine On
  # Refuse any plain-HTTP request whose Host header is not the expected name.
  # HTTP_HOST never contains a slash, so the pattern must not end in "/"
  # (a trailing slash would make the condition match every request).
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP_HOST} !^support\.domain\.local$ [NC]
  RewriteRule .* - [F]
  <IfModule mod_headers.c>
    Header unset X-Forwarded-Host
    # X-Frame-Options only accepts DENY or SAMEORIGIN
    Header always set X-Frame-Options DENY
  </IfModule>
  <Directory /var/www/html/osTicket>
    # A second bare "Options" line replaces the first, so combine them
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>
<VirtualHost *:443>
  ServerName support.domain.local
  <IfModule mod_headers.c>
    Header always set Referrer-Policy "same-origin"
    Header set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options DENY
    Header set X-Content-Type-Options "nosniff"
    RequestHeader set X-HTTPS 1
    # Send a single HSTS header; "always" is a Header condition, not part of the value
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header unset X-Forwarded-Host
    Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
  </IfModule>
  SSLEngine on
  SSLProtocol -all +TLSv1.2
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
  SSLHonorCipherOrder on
  SSLCertificateFile /etc/pki/tls/certs/certificate.crt
  SSLCertificateKeyFile /etc/pki/tls/private/private.key
  SSLCertificateChainFile /etc/pki/tls/certs/ca_bundle.crt
  DocumentRoot /var/www/html/osTicket
  # Staff control panel: require an LDAP login. No SetHandler here: the
  # "ldap-status" handler would serve mod_ldap's status page instead of osTicket.
  <Directory "/var/www/html/osTicket/scp">
    AuthType Basic
    AuthName "Private Area"
    AuthBasicProvider ldap
    LDAPReferrals Off
    AuthLDAPBindAuthoritative off
    AuthLDAPURL "ldap://dc01.domain.local/DC=domain,DC=local?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN bind@domain.local
    AuthLDAPBindPassword passwprd
    Require ldap-user some_allowed_user
  </Directory>
  <Directory /var/www/html/osTicket>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>
</VirtualHost>
However, when visiting http(s)://support.domain.local the browser shows the credentials dialog, which is not supposed to happen. The funny thing is that I can click cancel twice to dismiss that dialog for http(s)://support.domain.local.
I only need to prevent access to the /scp directory; there the dialog appears and clicking cancel shows an unauthorized message, which is what I want, but I don't know why it shows the credentials dialog for http(s)://support.domain.local.
I am also willing to hear more about this config in general, and whether
<Directory /var/www/html/osTicket>
  Options -Indexes
  Options FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>
is correctly configured.
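A diagnostic for the "dialog on the root page" symptom, added here and not part of the original post: it assumes the HTML served at / references files under /scp/ (for example stylesheets or scripts that osTicket's client pages pull in from the staff panel directory), which the browser fetches automatically and which then hit the Basic-auth challenge, one prompt per protected fetch. The sample HTML and the host name are constructed; `protected_refs` works offline, `challenged` needs the live server.

```python
import sys
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import Request, urlopen


class AutoFetchedRefs(HTMLParser):
    """Collect URLs a browser fetches without a click: any src attribute,
    plus href on <link> (stylesheets). Plain <a href> links are ignored,
    since those only load when the user clicks them."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (name == "src" or (name == "href" and tag == "link")):
                self.refs.append(value)


def protected_refs(html, base_url, prefix="/scp/"):
    """Absolute URLs referenced by html whose path starts with prefix."""
    parser = AutoFetchedRefs()
    parser.feed(html)
    found = []
    for ref in parser.refs:
        absolute = urljoin(base_url, ref)  # resolves "scp/x" and "./scp/x"
        if urlsplit(absolute).path.startswith(prefix) and absolute not in found:
            found.append(absolute)
    return found


def challenged(urls):
    """Subset of urls answering 401 with a WWW-Authenticate header (live check)."""
    result = []
    for url in urls:
        try:
            urlopen(Request(url, method="HEAD"), timeout=10)
        except HTTPError as err:
            if err.code == 401 and err.headers.get("WWW-Authenticate"):
                result.append(url)
    return result


# Constructed sample standing in for what the root page might emit (assumption)
SAMPLE_HTML = ('<link rel="stylesheet" href="scp/css/typeahead.css">'
               '<script src="./scp/js/tips.js"></script>'
               '<img src="/images/logo.png"><a href="/scp/login.php">Staff</a>')
```

Fetch the real root page, pass its HTML to `protected_refs` and the result to `challenged`; each URL it returns is one automatic fetch that the browser turns into a credentials prompt, which is why cancelling twice clears it.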