 

Combining Basic Authentication and LimitExcept in Apache 2.2 Virtual Host

I'm trying to satisfy the following requirements (in Apache HTTPD 2.2):

  • If the HTTP method is anything but HEAD, POST, or GET do not allow access, regardless of any of the following.
  • If the user is internal, allow access without the basic authentication challenge.
  • If the user is external, challenge with basic authentication, and allow in if they have good credentials.

This is one of the many things I've tried, but none of the things I've tried achieved all three of the requirements:

<Directory /path/to/wwwroot>
    Options FollowSymLinks
    AllowOverride FileInfo

    # Basic Authentication
    AuthType Basic
    AuthName "Enter your site username and password."
    AuthUserFile /path/to/stage.passwords
    AuthGroupFile /path/to/stage.groups
    Require group stageusers

    # there's more logic for this variable in the real virtual_host.
    # for this simplified example, manually set (using the following)
    # or unset (using !internal_user).
    SetEnv internal_user

    Order deny,allow
    Deny from all
    Allow from env=internal_user

    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>

    Satisfy all

</Directory>

I've read the docs on Satisfy, Limit, LimitExcept, Order, and basic authentication, but I'm having trouble putting the pieces together.

What's a viable way to do this?

Jamie Jackson asked Oct 19 '22 22:10


1 Answer

AFAICT in Apache 2.2 you need to go back to a "Satisfy any" approach, then handle the method checks using mod_rewrite. This is the best route because your method checks are totally independent.

In 2.4, Limit/LimitExcept are replaced/simplified by mod_allowmethods, but Require can also check methods directly. It's much simpler there.

The rewrite portion is pretty straightforward:

RewriteEngine ON
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
RewriteRule .* - [F]

But you will need to make sure it appears in each vhost + main server that can access the directory, unlike the other directives.

Putting it All Together

# Only allow expected HTTP methods.
# RewriteEngine is off by default and is not inherited by vhosts,
# so it has to be switched on wherever the rule lives.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
RewriteRule .* - [F]

<Directory /path/to/wwwroot>
    Options FollowSymLinks
    AllowOverride FileInfo

    Satisfy any

    # Basic Authentication
    AuthType Basic
    AuthName "Enter your site username and password."
    AuthUserFile /path/to/stage.passwords
    AuthGroupFile /path/to/stage.groups
    Require group stageusers

    # there's more logic for this variable in the real virtual_host.
    # for this simplified example, manually set (using the following)
    # or unset (using !internal_user).
    SetEnv internal_user

    Order deny,allow
    Deny from all
    Allow from env=internal_user

</Directory>
covener answered Oct 30 '22 14:10
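The complete Apache 2.2 virtual host below is an added example; it is not covener's or the questioner's configuration. It wires the answer's pieces together in one place and adds the detail that most often breaks this setup in practice: the env= form of Allow only sees variables set by SetEnvIf (mod_setenvif), because SetEnv (mod_env) is applied after access control has already run. The server name, the file paths and the 10.0.0.0/8 "internal" address range are assumptions for illustration.

```apache
# Added example: Apache 2.2 virtual host meeting all three requirements.
# stage.example.com, the paths and the 10.0.0.0/8 "internal" range are
# assumptions for illustration.
<VirtualHost *:80>
    ServerName stage.example.com
    DocumentRoot /path/to/wwwroot

    # Requirement 1: refuse every method except GET, HEAD and POST.
    # In vhost context mod_rewrite runs before access control and
    # authentication, so a PUT or DELETE gets a 403 without ever being
    # offered the Basic auth challenge. Because "Satisfy any" lets valid
    # credentials override a Deny, a "Deny from all" inside <LimitExcept>
    # cannot do this job on its own.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
    RewriteRule .* - [F]

    # Belt and braces: TRACE is already caught by the rewrite above, but
    # TraceEnable off also refuses it in the core.
    TraceEnable off

    # Mark internal clients. SetEnvIf (mod_setenvif) runs early enough for
    # "Allow from env=" to see the variable; SetEnv (mod_env) is applied
    # after access control, so "SetEnv internal_user" would never be seen
    # by mod_authz_host. Remote_Addr is the TCP peer, not X-Forwarded-For.
    SetEnvIf Remote_Addr "^10\." internal_user

    <Directory /path/to/wwwroot>
        Options FollowSymLinks
        AllowOverride FileInfo

        # Requirements 2 and 3: a request passes if it clears EITHER the
        # host/env check OR Basic authentication.
        Satisfy any

        # Host/env check: internal clients pass here and are never
        # challenged.
        Order deny,allow
        Deny from all
        Allow from env=internal_user

        # Everyone else falls through to the 401 challenge and must be a
        # member of stageusers.
        AuthType Basic
        AuthName "Enter your site username and password."
        AuthUserFile /path/to/stage.passwords
        AuthGroupFile /path/to/stage.groups
        Require group stageusers
    </Directory>
</VirtualHost>
```

Run `apachectl -t` before reloading, then check each requirement from the outside with curl: `curl -si -X PUT http://stage.example.com/` should return 403 from any address, with no WWW-Authenticate header; a plain `curl -si http://stage.example.com/` from outside 10.0.0.0/8 should return 401 with `WWW-Authenticate: Basic realm="..."`, and the same request with `-u user:password` for a member of stageusers should return 200; the same plain GET from a 10.x address should return 200 without any challenge. If the server sits behind a reverse proxy, Remote_Addr is the proxy's address, so the SetEnvIf condition has to be based on whatever the proxy asserts (and only trusted when the proxy itself is the only path in); otherwise every client looks internal and the authentication is silently bypassed.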