Apache Config - Exclude Location from Authentication

Question

I have a web application that is being protected by a Shibboleth authentication module. My current config is as below

 AuthType shibb         


        

Answer 1

My comment towards the end regarding the exclusion of additional files being loaded by Login.html ended up being correct. I used the following format to exclude the files that were being loaded by the html file

<Location ~ "/MyApp/(Login.html|SessionTimeout.html|accessDenied.html|/badRequest.html|status|css/*|login/*|images/*|style/*|js/*|javascript/*|)">   
  Satisfy Any   
  Allow from all   
  AuthType None   
  Require all granted   
</Location>

Answer 2

When using Apache 2.4 instead of 2.2, in order to exclude "/server-status", the following was enough:

<LocationMatch "^(?!/server-status)">
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    <RequireAll>
        Require ssl
        Require user valid_user_name
    </RequireAll>
</LocationMatch>

Analyzing:

• <LocationMatch "regex"> is equivalent to <Location ~ "regex">.
• The regex used, is pcre (perl compatible regular expressions).
• ^(?!/server-status) means:
  • ^: "starts with"
  • (?!): "negative look ahead (instead of positive (?=))"