/srv/irclogs.ubuntu.com/2021/10/11/#ubuntu-security.txt

03:41 <kees> uuuuh, my apache's BasicAuth directives just all failed open. Cool update.
04:22 <amurray> kees: eeek... I just got back from a week of leave so am playing catchup - what update are you referring to (or do you have an inkling what you just updated that could have caused this?)
04:40 <kees> amurray: I haven't managed to bisect updates yet, but I assume apache updates. (there have been 3 in a week or so.) I just noticed all my sasl-backed basicauth isn't requiring any auth.
04:40 <kees> I shut down my server until I'm back home to figure out what's happening
04:43 <amurray> kees: what Ubuntu release(s)?
05:41 <amurray> kees: I can't reproduce on focal - will try other releases too though
05:57 <kees> amurray: I'm on bionic. this poor server is on bionic. I'm trying stuff now...
05:59 <amurray> ok no worries - I'm trying to reproduce there as well now too
06:04 <kees> welp, still broken in 2.4.29-1ubuntu4.16 so I'm going to assume something broke something else...
06:04 <kees> I'll keep digging.
06:05 <kees> I've just never seen BasicAuth fail _open_ before.
06:06 <amurray> yep... it doesn't get much face-palmier (is that even a word) than that..
06:11 <amurray> I can't reproduce on bionic either - my test is basically: https://pastebin.ubuntu.com/p/j7nTjsnJNp/
06:12 <amurray> and then some more tests of the actual auth - all fail until I use the correct password - https://pastebin.ubuntu.com/p/6Xq4Bn2sBm/
06:25 <kees> hah. I'm not encouraged by seeing the most recent build of libapache2-mod-authn-sasl installed on my system:
06:26 <kees> libapache2-mod-authn-sasl (1.2-2build1) trusty; urgency=medium
06:26 <kees>   * No-op rebuild to resync with Apache 2.4.
06:26 <kees>  -- Kees Cook <kees@ubuntu.com>  Thu, 04 Dec 2014 23:11:42 -0800
06:26 <kees> which is not in the archive. ;)
06:44 <kees> how am I still the only person on the planet using apache sasl auth? don't other people want to authenticate apache things against PAM?
06:59 <kees> hm, but it's not exclusively sasl auth
06:59 <amurray> ah SASL.. sorry I missed that bit earlier... was just testing normal basic auth..
07:06 <kees> amurray: so, file is broken for me too. what's the config you used?
07:06 <kees> I'm really puzzled
07:08 <amurray> I did a very simple test - https://pastebin.ubuntu.com/p/j7nTjsnJNp/ - based off of the upstream docs - https://cwiki.apache.org/confluence/display/HTTPD/PasswordBasicAuth
07:10 <amurray> kees: I gotta run soon but will check scrollback later - let me know if you find any more clues, otherwise I'll keep investigating tomorrow (unless someone else gets there before me)
07:12 <kees> amurray: thanks! I assume this is a problem of my own making, but I've not touched this machine except for updates. so I'm puzzled.
07:12 <kees> weirdly, this prompts: https://www.outflux.net/osu/devops/secret  but this doesn't: https://www.outflux.net/cacti/
07:12 <kees> I'll continue to narrow
07:13 <amurray> kees: ok but I would still like to understand it myself so if you figure it out, let me know :)
07:36 <kees> amurray: new progress, no less confusing, all the auth directives I have in <Directory> are ignored, but work in <Location>. Your examples use <Directory> though...
08:56 <kees> I feel like I'm going crazy. I'm slowly removing various conflicts (I had a mix of old and new style authnz configs). I've converted everything to "Require ..." syntax -- still broken.
08:56 <kees> but it's got to be something I broke because reverting apache all the way back to 2.4.29-1ubuntu4 doesn't fix it.
09:42 <kees> amurray: finally found it.
09:42 <kees> My own foot-gun, I think I made this change and maybe never restarted apache. :P
09:42 <kees> # Disable CONNECT since it makes it look like mod_proxy is enabled.
09:42 <kees> <Location />
09:42 <kees>         <Limit CONNECT>
09:42 <kees>                 Require all denied
09:42 <kees>         </Limit>
09:42 <kees> </Location>
09:43 <kees> this was in my conf-enabled/security.conf and did NOT have the expected results.
10:01 <kees> apologies for the alarm, and thank you for checking. I really felt like I was losing my mind :P
23:01 <amurray> hehe am glad you got to the bottom of it kees
