Defect #16948
Closed
Broken anonymous repository access for public projects with Apache 2.4 (redmine.pm)
Description
Hi there. I recently upgraded my Redmine from 2.3 to 2.5.1. Now I have the same problem described in this Stack Overflow post:
http://stackoverflow.com/questions/22638972/debug-apache-2-4-perlauthenhandler
Detailed: When my project is not public, everything works fine (authentication with subsequent git clone). But when my project is public (Authentication required is disabled), then I get the internal server error message 500. In my error log on the server the following message appears:
"AH00027: No authentication done but request not allowed without authentication for $PATH. Authentication not configured?"
Before upgrading it was possible for me to clone a public repository without authentication. Why is it currently disabled?
Environment:
  Redmine version: 2.5.1.stable
  Ruby version: 2.0.0-p457 (2014-03-03) [x86_64-linux-gnu]
  Rails version: 3.2.17
  Environment: production
  Database adapter: Mysql2
SCM:
  Subversion 1.8.8
  Git 1.9.1
  Filesystem
Redmine plugins:
  redmine_embedded 0.0.2
  redmine_http_auth 0.3.0-dev
  redmine_mylyn_connector 2.8.2.stable
  redmine_scm 0.4.2
  redmine_webdav 0.6.0
Updated by Martin Denizet (redmine.org team member) over 10 years ago
I experienced the same problem with Ubuntu 14.04 (Apache 2.4).
Though the patch which consists in removing the "if" for anonymous access worked, I was not able to get Git Smart HTTP to work.
Updated by Suppasit Chuwatsawat over 10 years ago
I have the same problem as Christian and Martin.
Has anybody solved this problem yet?
Updated by nicholas tanner over 10 years ago
Same troubles here on different instances (all Ubuntu 14.04 64 bit), and also on a freshly installed test instance.
Updated by Mark Anderson about 10 years ago
Am stuck here too - Ubuntu 14/Apache 2.4 combo, 2.5.1 Redmine
Can anyone clarify this - do I remove the whole "if" construct or somehow modify it? Removing it means NO handler will be set - is that the hack?
Thanks folks!
Martin Denizet (redmine.org team member) wrote:
I experienced the same problem with Ubuntu 14.04 (Apache 2.4).
Though the patch which consists in removing the "if" for anonymous access worked, I was not able to get Git Smart HTTP to work.
Updated by Martin Denizet (redmine.org team member) about 10 years ago
As far as I understand, the error occurs because there is no handler under certain settings. Removing the "if" removes the problem because then there is a handler every time.
I tried to make it work on my Ubuntu test VM hacking the Redmine.pm. I could not get Git Smart HTTP to work with Redmine.pm.
I would get a 404 error when trying to clone.
I will try again later if I have time.
Updated by Jorge S. over 9 years ago
I have this also happening in 3.0.2.
2 projects, none of them public. I get "abort: HTTP Error 500: Internal Server Error" when trying to clone.
If under Settings -> Authentication I set "Authentication required", then I would be prompted for credentials in the clone command.
Updated by Cyber Gen over 9 years ago
I have discovered that when authentication fails, no matter if it's a public or private project, I always get a 500 error.
I do see a difference in the Apache log. When authentication is correct I see no lines in the log. When authentication fails I see this:
[Sat Aug 08 13:23:38.727989 2015] [authn_file:error] [pid 8989:tid 139932576245504] [client 192.168.192.100:52376] AH01619: AuthUserFile not specified in the configuration
I believe this to be a bug in the Redmine.pm file that doesn't return authentication when authentication fails.
Updated by Cyber Gen over 9 years ago
I believe I have found a bug in the Redmine.pm file.
In sub access_handler, if authentication fails then OK is always returned even though no access is allowed to the project. It is somewhere in that region that the bug is located.
Updated by Jonathan Tee over 9 years ago
same error with Redmine 3.1 :-(
Gen Va: AH01619: AuthUserFile not specified in the configuration
add
AuthUserFile /dev/null
Updated by Holger Just about 9 years ago
- File 0001-Set-user-to-empty-string-in-Redmine.pm-for-anonymous.patch added
Using a StackOverflow answer, we at Planio have developed and tested a patch for this issue against current trunk, which I attached here.
The basic idea is that we forcefully set the username to an empty string if we directly return with an OK. This results in Apache understanding that we have verified the empty username.
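The following is an added illustration, not the attached patch and not Redmine or Apache code: a simplified Python model of the check behind the AH00027 message, showing why an authentication handler that returns OK with no user set yields a 500 and why setting an empty-string user avoids it. The `Request` class, the handler names and the read-only condition are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

OK, HTTP_UNAUTHORIZED, HTTP_INTERNAL_SERVER_ERROR = 0, 401, 500

@dataclass
class Request:  # hypothetical stand-in for Apache's request record
    public_project: bool
    read_only: bool
    user: Optional[str] = None  # None models "no user set on the request"

def authen_ok_only(r: Request) -> int:
    """Returns OK without setting a user (the failing case in this issue)."""
    return OK

def authen_ok_empty_user(r: Request) -> int:
    """Returns OK after setting the user to an empty string (the fix idea)."""
    r.user = ""
    return OK

def authen_require_login(r: Request) -> int:
    """Stands in for the normal credential check; no credentials are sent here."""
    return HTTP_UNAUTHORIZED

def select_authen(r: Request, anonymous: Callable[[Request], int]):
    # Assumption of this example: the anonymous shortcut applies only to
    # read-only requests on public projects; everything else must log in.
    if r.public_project and r.read_only:
        return anonymous
    return authen_require_login

def apache24_authn_step(r: Request, authen: Callable[[Request], int]) -> int:
    """Model of the step that logs AH00027 when authn 'succeeds' without a user."""
    status = authen(r)
    if status != OK:
        return status
    if r.user is None:
        # "No authentication done but request not allowed without authentication"
        return HTTP_INTERNAL_SERVER_ERROR
    return OK

def clone_status(public_project: bool, read_only: bool,
                 anonymous: Callable[[Request], int]) -> Tuple[int, Optional[str]]:
    """Returns (status, user) for an anonymous request with no credentials."""
    r = Request(public_project, read_only)
    return apache24_authn_step(r, select_authen(r, anonymous)), r.user
```

In this model any user value other than `None` passes the check, so the empty user is set only on the branch that has already decided anonymous access is allowed.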
Updated by Jean-Philippe Lang about 9 years ago
- Subject changed from broken anonymous repository access for public projects (redmine.pm) to Broken anonymous repository access for public projects (redmine.pm)
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Target version set to 3.1.3
- Resolution set to Fixed
Thanks, I'm committing the patch but I don't see any changes to Redmine.pm between 2.3 and 2.5.1 that could cause this error.
Tests for the perl module include a git clone on a public project without authentication (source:trunk/test/extra/redmine_pm/repository_git_test_pm.rb), and it passes. Maybe it's related to the Apache version, the tests run on Apache 2.2.
Updated by Holger Just about 9 years ago
On Apache 2.2, this change is not necessary. It only becomes an issue on Apache 2.4 where they rather deeply changed how authentication works.
Updated by Jean-Philippe Lang about 9 years ago
- Subject changed from Broken anonymous repository access for public projects (redmine.pm) to Broken anonymous repository access for public projects with Apache 2.4 (redmine.pm)
Thanks for the clarification.
Updated by Jean-Philippe Lang about 9 years ago
- Target version changed from 3.1.3 to 2.6.9
Updated by Jean-Philippe Lang almost 9 years ago
- Status changed from Resolved to Closed