SSI Broken in Apache 2.4.x when Basic Auth is used
Description
Environment
CentOS 6.4 OpenSSL 1.0.1e
Activity
Scott Cantor June 17, 2013 at 4:22 PM
Nothing is behaving unexpectedly right now with the latest code.
Scott Cantor June 17, 2013 at 2:07 PM
Apache can be very complex when it comes to interactions.
ShibCompatValidUser is a server/host-level setting, rather than a per-directory one, so it can't go inside htaccess or Directory.
ShibDisable should be per-directory. That order shouldn't matter at all.
Also, you shouldn't need ShibDisable anymore, that bug was fixed in the branch. I will verify that in my sandbox before I mark "cannot reproduce".
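Added example, not part of the original thread or the Shibboleth project's code: a small Python check for the scoping described in the comment above. It flags ShibCompatValidUser when it appears inside a per-directory section or an .htaccess file. The function name and both sample configurations are constructed for illustration.

```python
import re

# Per the comment above: ShibCompatValidUser is a server/host-level setting,
# so it is flagged inside per-directory sections and .htaccess files.
SERVER_LEVEL_ONLY = {"shibcompatvaliduser"}
PER_DIR_SECTIONS = {"directory", "directorymatch", "location",
                    "locationmatch", "files", "filesmatch"}

def misplaced_directives(conf_text, is_htaccess=False):
    """Return (line_no, directive, context) for each server-level directive
    found in per-directory context. Hypothetical helper, not a mod_shib tool."""
    stack, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = re.match(r"</\s*(\w+)", line)
        if closing:
            if stack and stack[-1] == closing.group(1).lower():
                stack.pop()
            continue
        opening = re.match(r"<\s*(\w+)", line)
        if opening:
            stack.append(opening.group(1).lower())
            continue
        name = line.split()[0]
        if name.lower() not in SERVER_LEVEL_ONLY:  # directive names are case-insensitive
            continue
        enclosing = [s for s in stack if s in PER_DIR_SECTIONS]
        if is_htaccess:
            findings.append((line_no, name, ".htaccess"))
        elif enclosing:
            findings.append((line_no, name, enclosing[-1]))
    return findings

# Constructed sample: the layout reported as working in this thread.
VHOST_OK = """<VirtualHost *:80>
ShibCompatValidUser On
XBitHack Full
<Directory /whatever>
ShibDisable On
</Directory>
</VirtualHost>"""

# Constructed sample: the server-level setting moved into the Directory block.
VHOST_BAD = VHOST_OK.replace("ShibCompatValidUser On\n", "").replace(
    "ShibDisable On", "ShibCompatValidUser On\nShibDisable On")
```

Calling `misplaced_directives(text, is_htaccess=True)` treats every occurrence as misplaced, since an .htaccess file is always per-directory context.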

gibsonb@imsweb.com June 17, 2013 at 11:57 AM
Okay, as I moved a bunch of the settings around in the vhost, I believe I have the magic order set up properly now. I tried moving each statement around in the vhost and found that the following order appears to be the one that fixed them all:
ShibCompatValidUser On
XBitHack Full
<Directory /whatever>
    ShibDisable On
    Include .htaccess
</Directory>
I had to put the disable before the include in order for it to work. I'm not sure why, though, since that is the include for the .htaccess, which should be covered by the ShibCompatValidUser statement.
Either way though I think we can mark this resolved and move on since it appears that the includes are now parsing as expected.
Scott Cantor June 14, 2013 at 11:34 PM
No difference. Mac at least is working, any way I try things.
Worked with ShibDisable set to on or off, though off requires the ShibCompatValidUser setting to be on, or require user fails per the other bug.
I can only assume you're getting affected by the other fixed bugs here, and that the latest revision of mod_shib.cpp should work. Otherwise I'm not able to reproduce so far.

gibsonb@imsweb.com June 14, 2013 at 8:56 PM
Not sure if it matters but I figure I'll throw it out there.
These are old sites that we don't have a ton of money to throw at. So instead of having the developers change anything, I'm using the XBitHack option to enable SSI on these sites. Specifically, I set it to XBitHack Full in the VHost configuration.
The specific error I get is instead of the page loading the included header / footer I get
"[an error occurred while processing this directive] "
This is the same behavior I get when I don't have the xbithack enabled. So it might be that something is interfering there.

When using Basic Auth on a non-Shibboleth-enabled web site, Server Side Includes no longer function. I attempted to mitigate this by using ShibDisable On in the directories that are affected; however, that does not seem to fix these sites.
I will upload a trace of an affected web server.