Apache 2.4 config too permissive / PerlAuthenHandler integration problem
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | Fix Released | Critical | Unassigned | |
| 2.6 | Fix Released | Critical | Unassigned | |
| 2.7 | Fix Released | Critical | Unassigned | |
Bug Description
Ubuntu 14.04
Apache 2.4
Evergreen master.
Stock Evergreen install w/ Apache 2.4 is not enforcing authentication when using OpenILS:
https:/
I traced this to the presence of "require all granted" in the <Location /opac/extras/circ> block (and similar blocks). When present, Apache never calls the handler for OpenILS:
"require all granted" was added in the early 2.4 days because, IIRC, it was intended as a replacement for "allow from all" -- i.e. don't restrict by IP.
Removing "require all granted" allows the authentication check to proceed within Authen.pm, but Apache eventually produces a 500 error:
AH00027: No authentication done but request not allowed without authentication for /opac/extras/
Can someone please confirm this on another Apache 2.4 server? I hope I'm just missing something...
FWIW, reverting to the old-style OpenILS::WWW::Proxy configuration works as expected.
information type: Private Security → Public Security
Changed in evergreen:
importance: Undecided → Critical
status: New → Fix Released
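The mechanism behind the report, shown as an added illustrative httpd 2.4 configuration (this is not Evergreen's shipped vhost config, and `My::Authen` / `My::Handler` are placeholder mod_perl handler names, not Evergreen's). In httpd 2.4, `Require all granted` is evaluated by mod_authz_core in the access_checker_ex phase; since it grants access to everyone, httpd treats the request as authorized before any authentication happens and skips the check_user_id phase altogether, so a `PerlAuthenHandler` in the same block never runs. The blocks below show that configuration next to a form that makes the handler mandatory:

```apache
# Added example config; not Evergreen's eg_vhost.conf. Handler names
# (My::Authen, My::Handler) and the 10.0.0.0/8 range are placeholders.

# 1. BROKEN (what the report describes): mod_authz_core answers
#    "Require all granted" in the access_checker_ex phase without a
#    user, httpd therefore skips the check_user_id (authentication)
#    phase, and the PerlAuthenHandler is never invoked. The URL is
#    effectively public even though an auth handler is configured.
<Location /opac/extras/circ>
    SetHandler perl-script
    PerlAuthenHandler My::Authen
    PerlHandler My::Handler
    Require all granted
</Location>

# 2. FIXED: make authorization depend on an authenticated user.
#    "Require valid-user" cannot be decided before authentication, so
#    httpd runs the authen handler. The handler must both return OK
#    and record the identity with $r->user(...); in 2.4 a handler that
#    returns OK while leaving r->user empty makes httpd log AH00027
#    and answer 500, which matches the second symptom in the report.
#    If the handler reads HTTP Basic credentials (get_basic_auth_pw),
#    add "AuthType Basic" and an "AuthName"; a session-cookie handler
#    does not need them.
<Location /opac/extras/circ>
    SetHandler perl-script
    PerlAuthenHandler My::Authen
    PerlHandler My::Handler
    Require valid-user
</Location>

# 3. If "Require all granted" was meant as the 2.4 spelling of the 2.2
#    "Allow from all" (no IP restriction), it is simply unnecessary.
#    An IP restriction, where wanted, is combined with authentication
#    inside <RequireAll> rather than replacing it.
<Location /opac/extras/circ>
    SetHandler perl-script
    PerlAuthenHandler My::Authen
    PerlHandler My::Handler
    <RequireAll>
        Require ip 10.0.0.0/8
        Require valid-user
    </RequireAll>
</Location>
```

To check a deployment, request the protected path with no credentials or session cookie (for example `curl -sI https://host/opac/extras/circ/...`): a correct configuration answers 401 or 403, not 200, and the handler's own log output should appear for the request. A 500 accompanied by AH00027 in the error log means the handler is running but not setting `$r->user`.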
Sounds bad, and possibly like something dating way back to my early work with Apache 2.4, which makes me feel worse.
What do you mean by "old-style OpenILS::WWW::Proxy configuration"?