Apache2 with GSSAPI authentication: cannot exclude one location from authentication

We have an apache2 serving a PHP application with Kerberos authentication. We developed an API inside the PHP application that we want to be reachable without Kerberos authentication, but we cannot exclude that API from the Apache authentication mechanism.

Our previous Apache configuration, without the API:

    DocumentRoot /var/www/html/public
    
    <Directory />
            AllowOverride None
            Order Allow,Deny
            Allow from All
            Header always append X-Frame-Options "DENY"
            Header always append X-Content-Type-Options "nosniff"
            AuthName "Login Kerberos"
            Require valid-user
            AuthType GSSAPI
            AuthName "Kerberos Authentication"
            GssapiCredStore keytab:/etc/krb5.keytab
            GssapiAcceptorName HTTP
            GssapiAllowedMech krb5
            GssapiBasicAuth off
            GssapiNegotiateOnce On
            GssapiLocalName On

            <LimitExcept GET POST-OPTIONS>
              Require all denied
            </LimitExcept>

            FallbackResource /index.php
    </Directory>

    Header always set Strict-Transport-Security "max-age=600; includeSubDomains: preload"
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log proxy

Serving the API without authorization:

    DocumentRoot /var/www/html/public
    
    <Directory />
            AllowOverride None
            Order Allow,Deny
            Allow from All
            Header always append X-Frame-Options "DENY"
            Header always append X-Content-Type-Options "nosniff"
            AuthName "Login Kerberos"
            Require valid-user
            AuthType GSSAPI
            AuthName "Kerberos Authentication"
            GssapiCredStore keytab:/etc/krb5.keytab
            GssapiAcceptorName HTTP
            GssapiAllowedMech krb5
            GssapiBasicAuth off
            GssapiNegotiateOnce On
            GssapiLocalName On

            <LimitExcept GET POST-OPTIONS>
              Require all denied
            </LimitExcept>

            FallbackResource /index.php
    </Directory>

    <Location /api/>
            Allow from All
            AuthType None
            Require all granted
            Satisfy any
            FallbackResource /index.php
    </Location>
    Header always set Strict-Transport-Security "max-age=600; includeSubDomains: preload"
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log proxy

But it does not work; in the Apache log we can see auth_gssapi waiting for authentication data even when /api is requested:

    [Tue Jan 30 10:32:14.500425 2024] [auth_gssapi:info] [pid 25] [client] NO AUTH DATA Client did not send any authentication headers
    [Tue Jan 30 10:32:14.506344 2024] [ssl:info] [pid 22] [client] AH01964: Connection to child 1 established (server)

I did try to filter our API path with LocationMatch:

    <LocationMatch "^/(?!api)">
            #AllowOverride None
            Order Allow,Deny
            Allow from All
            Header always append X-Frame-Options "DENY"
            Header always append X-Content-Type-Options "nosniff"
            AuthName "Login Kerberos"
            Require valid-user
            AuthType GSSAPI
            AuthName "Kerberos Authentication"
            GssapiCredStore keytab:/etc/krb5.keytab
            GssapiAcceptorName HTTP
            GssapiAllowedMech krb5
            GssapiBasicAuth off
            GssapiNegotiateOnce On
            GssapiLocalName On

            <LimitExcept GET POST-OPTIONS>
              Require all denied
            </LimitExcept>

            FallbackResource /index.php
    </LocationMatch>

    <Location /api>
            SetEnvIf Request_URI "^/api" noauth
            Allow from All
            AuthType None
            Require env noauth
            Satisfy any
            FallbackResource /index.php
    </Location>

I also tried putting the GSSAPI authentication block inside an If:

    <Directory />
             <If "! %{REQUEST_URI} =~ /api/">
                    AuthName "Login Kerberos"
                    Require valid-user
                    AuthType GSSAPI
                    AuthName "Kerberos Authentication"
                    GssapiCredStore keytab:/etc/krb5.keytab
                    GssapiAcceptorName HTTP
                    GssapiAllowedMech krb5
                    GssapiBasicAuth off
                    GssapiNegotiateOnce On
                    GssapiLocalName On
            </If>

            Order Allow,Deny
            Allow from All
            Header always append X-Frame-Options "DENY"
            Header always append X-Content-Type-Options "nosniff"

            <LimitExcept GET POST-OPTIONS>
              Require all denied
            </LimitExcept>

            FallbackResource /index.php
    </Directory>

But no luck either. Maybe I am missing some Apache logic; any ideas on how to disable authentication for this specific path?
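One way to get the exemption to stick, as an added example that is not part of the original post and not a configuration the poster tested. It assumes Apache 2.4 with mod_authz_core and mod_setenvif loaded, and it assumes the cause of the behaviour above: `FallbackResource /index.php` turns a request for `/api/...` into a sub-request for `/index.php`, and `/index.php` is matched only by `<Directory />`, never by `<Location /api/>`, so the GSSAPI block in the directory section still applies. Marking the original request with `SetEnvIf` and testing that flag inside the same directory section that carries the Kerberos configuration avoids the mismatch, because the flag is set on the request line before the fallback happens and is inherited by the sub-request. The `noauth` variable name and the `^/api(/|$)` pattern are choices made for this example.

```apache
# Added example, not from the original post. Assumes Apache 2.4,
# mod_auth_gssapi, mod_authz_core and mod_setenvif. Only 2.4-style
# authorization directives are used; "Order", "Allow from" and
# "Satisfy" belong to mod_access_compat and should not be mixed in.

DocumentRoot /var/www/html/public

# Flag API requests on the original request URI. "(/|$)" stops
# /apiXYZ or /api-admin from matching; a percent-encoded or
# "/api/.." form is normalised by Apache before this runs or
# simply fails to match and falls back to Kerberos (fail closed).
SetEnvIf Request_URI "^/api(/|$)" noauth

# Nothing outside the document root is served at all.
<Directory />
        AllowOverride None
        Require all denied
</Directory>

<Directory /var/www/html/public>
        AllowOverride None
        Header always append X-Frame-Options "DENY"
        Header always append X-Content-Type-Options "nosniff"

        AuthType GSSAPI
        AuthName "Kerberos Authentication"
        GssapiCredStore keytab:/etc/krb5.keytab
        GssapiAcceptorName HTTP
        GssapiAllowedMech krb5
        GssapiBasicAuth off
        GssapiNegotiateOnce On
        GssapiLocalName On

        # Authorization is evaluated before authentication is attempted.
        # When "Require env noauth" grants, mod_authz_core is satisfied
        # without a user and mod_auth_gssapi is never asked for a ticket.
        # For every other path the env check fails, "valid-user" reports
        # that a user is needed, and the Negotiate challenge is sent.
        <RequireAny>
                Require env noauth
                Require valid-user
        </RequireAny>

        # Still applies to /api/: anything but GET, POST, OPTIONS is refused.
        <LimitExcept GET POST OPTIONS>
                Require all denied
        </LimitExcept>

        FallbackResource /index.php
</Directory>

# "includeSubDomains; preload": the directives are separated by ";".
Header always set Strict-Transport-Security "max-age=600; includeSubDomains; preload"
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log proxy
```

To check it, `apachectl configtest` first, then `curl -sI https://host/api/whatever` should return the application's response rather than `401` with `WWW-Authenticate: Negotiate`, while `curl -sI https://host/anything-else` must still return the `401` challenge; raising `LogLevel auth_gssapi:info` as in the question shows whether the module is even consulted for `/api/`. Two caveats a practitioner would want: once this is in place, `/api/` is reachable by anyone who can reach the server, so the PHP side must authenticate API callers itself (token, client certificate, or similar), and the exemption is keyed on the normalised request path, so keep the pattern anchored and narrow rather than `^/api` alone.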
