[03:41] <kees> uuuuh, my apache's BasicAuth directives just all failed open. Cool update.
[04:22] <amurray> kees: eeek... I just got back from a week of leave so am playing catchup - what update are you referring to (or do you have an inkling what you just updated that could have caused this?)
[04:40] <kees> amurray: I haven't managed to bisect updates yet, but I assume apache updates. (there have been 3 in a week or so.) I just noticed all my sasl-backed basicauth isn't requiring any auth.
[04:40] <kees> I shut down my server until I'm back home to figure out what's happening
[04:43] <amurray> kees: what Ubuntu release(s)?
[05:41] <amurray> kees: I can't reproduce on focal - will try other releases too though
[05:57] <kees> amurray: I'm on bionic. this poor server is on bionic. I'm trying stuff now...
[05:59] <amurray> ok no worries - I'm trying to reproduce there as well now too
[06:04] <kees> welp, still broken in 2.4.29-1ubuntu4.16 so I'm going to assume something broke something else...
[06:04] <kees> I'll keep digging.
[06:05] <kees> I've just never seen BasicAuth fail _open_ before.
[06:06] <amurray> yep... it doesn't get much face-palmier (is that even a word) than that..
[06:11] <amurray> I can't reproduce on bionic either - my test is basically: https://pastebin.ubuntu.com/p/j7nTjsnJNp/
[06:12] <amurray> and then some more tests of the actual auth - all fail until I use the correct password - https://pastebin.ubuntu.com/p/6Xq4Bn2sBm/
[06:25] <kees> hah. I'm not encouraged by seeing the most recent build of libapache2-mod-authn-sasl installed on my system:
[06:26] <kees> libapache2-mod-authn-sasl (1.2-2build1) trusty; urgency=medium
[06:26] <kees>   * No-op rebuild to resync with Apache 2.4.
[06:26] <kees>  -- Kees Cook <kees@ubuntu.com>  Thu, 04 Dec 2014 23:11:42 -0800
[06:26] <kees> which is not in the archive. ;)
[06:44] <kees> how am I still the only person on the planet using apache sasl auth? don't other people want to authenticate apache things against PAM?
[06:59] <kees> hm, but it's not exclusively sasl auth
[06:59] <amurray> ah SASL.. sorry I missed that bit earlier... was just testing normal basic auth..
[07:06] <kees> amurray: so, file is broken for me too. what's the config you used?
[07:06] <kees> I'm really puzzled
[07:08] <amurray> I did a very simple test - https://pastebin.ubuntu.com/p/j7nTjsnJNp/ - based off of the upstream docs - https://cwiki.apache.org/confluence/display/HTTPD/PasswordBasicAuth
[07:10] <amurray> kees: I gotta run soon but will check scrollback later - let me know if you find any more clues, otherwise I'll keep investigating tomorrow (unless someone else gets there before me)
[07:12] <kees> amurray: thanks! I assume this is a problem of my own making, but I've not touched this machine except for updates. so I'm puzzled.
[07:12] <kees> weirdly, this prompts: https://www.outflux.net/osu/devops/secret  but this doesn't: https://www.outflux.net/cacti/
[07:12] <kees> I'll continue to narrow
[07:13] <amurray> kees: ok but I would still like to understand it myself so if you figure it out, let me know :)
[07:36] <kees> amurray: new progress, no less confusing, all the auth directives I have in <Directory> are ignored, but work in <Location>. Your examples use <Directory> though...
[08:56] <kees> I feel like I'm going crazy. I'm slowly removing various conflicts (I had a mix of old and new style authnz configs). I've converted everything to "Require ..." syntax -- still broken.
[08:56] <kees> but it's got to be something I broke because reverting apache all the way back to 2.4.29-1ubuntu4 doesn't fix it.
[09:42] <kees> amurray: finally found it.
[09:42] <kees> My own foot-gun, I think I made this change and maybe never restarted apache. :P
[09:42] <kees> # Disable CONNECT since it makes it look like mod_proxy is enabled.
[09:42] <kees> <Location />
[09:42] <kees>         <Limit CONNECT>
[09:42] <kees>                 Require all denied
[09:42] <kees>         </Limit>

[09:43] <kees> this was in my conf-enabled/security.conf and did NOT have the expected results.
[10:01] <kees> apologies for the alarm, and thank you for checking. I really felt like I was losing my mind :P
[23:01] <amurray> hehe am glad you got to the bottom of it kees