401 for unauthenticated requests for URIs that don't exist?

[intrapid]

Hi!

I wonder if it's possible to somehow send a 401 for unauthenticated requests for bogus URIs that don't exists? It requires less resources than getting a state cookie and 302 redirect.

I looked at OIDCUnAuthAction but that doesn't seem to be the right tool for this job.

I wonder if perhaps it's possible do it with mod_rewrite - if it can process the REQUEST_URI before mod_auth_openidc.
If I understand the apache docs correctly, modules hook into the different phases of processing and can put themselves first, middle or last in the chain.

So in summary:

• authenticated browser request (uri exist) => 200
• unauthenticated browser request (uri exist) => 302
• authenticated browser request (uri doesn't exist) => 404
• unauthenticated browser request (uri doesn't exist) => 401

[zandbelt]

the point is that by Apache processing rules a module doesn't "know" that a URL is going to produce 404 or 200 when arriving at the authentication hook which runs before the content handler hook; this is even more obvious in the typical reverse proxying scenario where the content lives on a different server; if you (as an adminstrator) have that knowledge in advance then you should setup a Location or LocationMatch filter to catch those requests with a AuthType None rather than leading them through AuthType openidc-connect

[intrapid]

Thanks, I understand what you are saying. It all makes sense to me now.

Besides the <Location> type directives I should also be able to use RewriteCond / RewriteRule - if I put those in the virtual host section.

In apache docs it says mod_rewrite "uses the URL-to-filename translation hook, which occurs after the HTTP request has been read, but before any authorization starts. Secondly, it uses the Fixup hook, which is after the authorization phases, and after per-directory configuration files (.htaccess files) have been read, but before the content handler is called."