Question

Working setup with PHP 7.4 & 8.2 breaks with AuthType Basic

Thanks for the clear and easy-to-follow instructions on how to set up several PHP environments. All went fine, until I needed to add AuthType Basic to the virtual host. I wonder if you could help. Here’s the Apache2 conf:

<VirtualHost *:80>
        ServerName mytest.com
        ServerAdmin admin@mytest.com

        DocumentRoot /www/mytest/www-root
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /www/mytest/www-root/>
                Options Includes FollowSymLinks MultiViews
                Require all granted
                AllowOverride All

                <Limit GET POST OPTIONS PROPFIND>
                        Require all granted
                </Limit>
                <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
                        Require all denied
                </Limit>
        </Directory>

        <Directory /www/mytest/www-root/>
          AuthName "MyTest Intranet"
          AuthType Basic
          Require expr %{REQUEST_URI} =~ m#^/.*#

          AuthBasicProvider dbd
          AuthDBDUserPWQuery "SELECT auth_passwd from authentication where auth_username = %s"
          Require dbd-group mytest_admin
          AuthzDBDQuery "SELECT groups FROM authentication WHERE auth_username = %s"
        </Directory>

        <FilesMatch \.php$>
             # From the Apache version 2.4.10 and above, use the SetHandler to run PHP as a fastCGI process server
             SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
        </FilesMatch>

        ErrorLog /var/log/apache2/www/mytest.com/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel debug

        CustomLog /var/log/apache2/www/mytest.com/access.log combined
        ServerSignature Off

</VirtualHost>

If I remove the FilesMatch part, authentication works.

Accessing the site with Apache2 debug verbosity produces this:

[Fri Jul 21 09:14:11.484728 2023] [authz_core:debug] [pid 33353] mod_authz_core.c(815): [client 127.0.0.1:56364] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^/.*#: granted
[Fri Jul 21 09:14:11.484806 2023] [authz_core:debug] [pid 33353] mod_authz_core.c(815): [client 127.0.0.1:56364] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 21 09:14:11.484874 2023] [proxy:debug] [pid 33353] mod_proxy.c(1503): [client 127.0.0.1:56364] AH01143: Running scheme unix handler (attempt 0)
[Fri Jul 21 09:14:11.484893 2023] [proxy_fcgi:debug] [pid 33353] mod_proxy_fcgi.c(1054): [client 127.0.0.1:56364] AH01076: url: fcgi://localhost/www/mytest/www-root/index.php proxyname: (null) proxyport: 0
[Fri Jul 21 09:14:11.484903 2023] [proxy_fcgi:debug] [pid 33353] mod_proxy_fcgi.c(1063): [client 127.0.0.1:56364] AH01078: serving URL fcgi://localhost/www/mytest/www-root/index.php
[Fri Jul 21 09:14:11.484910 2023] [proxy:debug] [pid 33353] proxy_util.c(2531): AH00942: FCGI: has acquired connection for (*)
[Fri Jul 21 09:14:11.484921 2023] [proxy:debug] [pid 33353] proxy_util.c(2587): [client 127.0.0.1:56364] AH00944: connecting fcgi://localhost/www/mytest/www-root/index.php to localhost:8000
[Fri Jul 21 09:14:11.484948 2023] [proxy:debug] [pid 33353] proxy_util.c(2623): [client 127.0.0.1:56364] AH02545: fcgi: has determined UDS as /run/php/php7.4-fpm.sock
[Fri Jul 21 09:14:11.485087 2023] [proxy:debug] [pid 33353] proxy_util.c(2810): [client 127.0.0.1:56364] AH00947: connected /www/mytest/www-root/index.php to httpd-UDS:0
[Fri Jul 21 09:14:11.485135 2023] [proxy:debug] [pid 33353] proxy_util.c(3177): AH02823: FCGI: connection established with Unix domain socket /run/php/php7.4-fpm.sock (*)
[Fri Jul 21 09:14:11.488088 2023] [proxy:debug] [pid 33353] proxy_util.c(2546): AH00943: FCGI: has released connection for (*)

As said, commenting the FilesMatch part, auth works and opens the page with log:

[Fri Jul 21 09:26:34.387042 2023] [authz_core:debug] [pid 34045] mod_authz_core.c(815): [client 127.0.0.1:53150] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^/.*#: granted
[Fri Jul 21 09:26:34.387122 2023] [authz_core:debug] [pid 34045] mod_authz_core.c(815): [client 127.0.0.1:53150] AH01626: authorization result of <RequireAny>: granted
127.0.0.1 - - [21/Jul/2023:09:26:34 +0300] "GET /index.php HTTP/1.1" 401 429 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
[Fri Jul 21 09:26:39.430936 2023] [authz_core:debug] [pid 34043] mod_authz_core.c(815): [client 127.0.0.1:53152] AH01626: authorization result of Require expr %{REQUEST_URI} =~ m#^/.*#: granted
[Fri Jul 21 09:26:39.431008 2023] [authz_core:debug] [pid 34043] mod_authz_core.c(815): [client 127.0.0.1:53152] AH01626: authorization result of <RequireAny>: granted
[Fri Jul 21 09:26:39.513753 2023] [deflate:debug] [pid 34043] mod_deflate.c(869): [client 127.0.0.1:53152] AH01384: Zlib: Compressed 26026 to 8111 : URL /index.php
127.0.0.1 - my.username [21/Jul/2023:09:26:39 +0300] "GET /index.php HTTP/1.1" 200 8492 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

Any help would be highly appreciated.

Ari

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys
Site Moderator
Site Moderator badge
July 25, 2023

Heya,

The problem you’re facing seems to be related to the interaction between the AuthType Basic directive and the FilesMatch directive for PHP-FPM. Apache’s mod_proxy_fcgi doesn’t handle authentication headers properly. Hence, the PHP script being executed doesn’t have the necessary environment variables set to handle authentication.

One way to work around this is to use mod_rewrite in order to bypass the problem.

  1. Comment out or remove the <FilesMatch> section you currently have.

  2. Add the following block to the <Directory /www/mytest/www-root/> section in your Apache configuration:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
RewriteRule (.*\.php)$ fcgi://127.0.0.1:9000/%{DOCUMENT_ROOT}/$1 [P,L]

Replace 9000 with the port PHP-FPM is listening on. If PHP-FPM is listening on a Unix socket, use the path to the socket file instead of 127.0.0.1:9000.

Remember, for this to work, the mod_rewrite module must be enabled. You can enable it with the command sudo a2enmod rewrite.

After making these changes, remember to restart Apache for the changes to take effect. This can typically be done with a command like sudo systemctl restart apache2.

This might solve the issue you’re facing.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

card icon
Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up
card icon
Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.

Learn more
card icon
Become a contributor

You get paid; we donate to tech nonprofits.

Learn more
Featured on Community
Kubernetes CourseLearn Python 3Machine Learning in PythonGetting started with GoIntro to Kubernetes
DigitalOcean Products
CloudwaysVirtual MachinesManaged DatabasesManaged KubernetesBlock StorageObject StorageMarketplaceVPCLoad Balancers
Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow – whether you’re running one virtual machine or ten thousand.

Learn more ->
DigitalOcean Cloud Control Panel
Get started for free

Enter your email to get $200 in credit for your first 60 days with DigitalOcean.

New accounts only. By submitting your email you agree to our Privacy Policy.

© 2023 DigitalOcean, LLC.