Is there a way to bypass mod_auth_openidc module used in an Apache Web Server for some users/IP ranges/service-calls?

Question

For a web app, we have used an Apache Web Server with mod_auth_openidc module as an authentication layer; it sits in front of our web app.

There's a requirement to let requests from some services (eg. a web crawler, to crawl the web app) to bypass this OIDC layer. Is there a way to add this override or bypass mod_auth_openidc for request from some users, services, or maybe even an IP range?

I've tried to look around in the list of configuration options, but couldn't find any config that does that, yet.

score 1 · Answer 1 · answered Oct 08 '20 at 18:36

You should be able to use the standard <If> directive - see https://httpd.apache.org/docs/current/mod/core.html#if - with expression matching of some header/ip as described in https://httpd.apache.org/docs/current/expr.html so, e.g:

<If "-R '192.168.1.0/24'">
    Require ip 192.168.1.1
</If>
<Else>
    AuthType openid-connect
    Require valid-user
</Else>

Be aware that header spoofing is easy though, local IP matching is probably the safest choice.

Is there a way to bypass mod_auth_openidc module used in an Apache Web Server for some users/IP ranges/service-calls?

1 Answers1