Topic: HTTP GET for pdf/zip files under protected <Directory>

[alexqian]

Newly upgraded from Apache 2.2 to 2.4...we have a login protected Directory (<Directory /var/www/html/main>) using mod_auth_form 2.4/mod_session_dbd. After users logging in successfully to the protected directory, a session cookie was set and a main web page was shown where they can access various resources under the protected directory. We found http GET method for some resources in the directory work (return code 200), some do not (return code 307).

For example, after logging in successfully the first time, I can then go to some files under the /var/www/html/main with no issues (no login required), but I got code 307 for other files under the same directory /var/www/html/main/ and subsequently redirected to the login page again . Not sure why the file types seem to matter…

Any one knows what the issue might be with GET for these pdf/zip files after the user already logged in the protected Directory <Directory /var/www/html/main>?

[James Blond]

The error code 307 is a Temporary Redirect. I wonder why apache tries to redirect you.

it would be nice if you would offer a sample config so that we can try it.

[alexqian]

I think it is because I have the "ErrorDocument" directive in the <Directory /var/www/html/main>

Here is the segment of my httpd.conf (we use mod_auth_form and mod_authnz_external, mod_authnz_external just allows us to provide our own authUser script instead of using the standard mod_authz_dbd. I checked in all instances the authUser script passed authentication check):

[alexqian]

Another experiment I did was to create files of other types under the protected /var/www/html/main/, like test.txt, test.htm. It appears only php files got retrieved OK (http code 200), retrieving other file types (txt, htm, pdf, zip) are all rejected by server (oode 405). Any clues what's going on here?

[alexqian]

I do see an error in ssl_error_log: