Bug 2420632 - mod_auth_token does not work properly with ProxyPass and RewriteRule directives
Summary: mod_auth_token does not work properly with ProxyPass and RewriteRule directives
Keywords:
Status: NEW
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: mod_auth_token
Version: epel9
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Björn Esser (besser82)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-12-09 15:38 UTC by Leo
Modified: 2026-03-03 11:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:


Attachments
patch to correct the module order (432 bytes, patch)
2025-12-09 15:38 UTC, Leo


Links
System ID: Github rolero mod-auth-token issues 16
Private: 0
Priority: None
Status: open
Summary: mod_auth_token fails to work properly with ProxyPass and RewriteRule directives
Last Updated: 2025-12-09 15:38:09 UTC

Description Leo 2025-12-09 15:38:10 UTC
Created attachment 2118155 [details]
patch to correct the module order

Description of problem:
mod_auth_token fails to work properly with ProxyPass and RewriteRule directives. The issue is that mod_auth_token currently asks to be slotted before mod_alias, but not before other modules. If you, for example, use a RewriteRule on the same path, it will be applied before mod_auth_token comes into play.

Version-Release number of selected component (if applicable):
1.0.5-27.el9

How reproducible:
always

Steps to Reproduce:
1. Here are 2 configuration snippets that currently fail to work with mod_auth_token:

<Location /protected/>
    AuthTokenSecret        "secret"
    AuthTokenPrefix        /protected/
    AuthTokenTimeout       3600
    ProxyPass              http://127.0.0.1:8000/
</Location>

<Location /protected/>
    AuthTokenSecret        "secret"
    AuthTokenPrefix        /protected/
    AuthTokenTimeout       3600
    RewriteRule            ^(.*)$ http://127.0.0.1:8000/$1 [P,F]
</Location>

Actual results:
The whole path (including the token and the timestamp hash part) is being forwarded

Expected results:
Only the "real" path is being forwarded (i.e. mod_auth_token does its job beforehand)

Additional info:
This is a known problem and an open issue at GitHub for more than 10 years: 
https://github.com/rolero/mod-auth-token/issues/16
There is also a fix provided by the original reporter. I will add the patch file for the module itself as an attachment.

The SPEC file can be patched as follows:

--- mod_auth_token.spec_orig    2025-12-09 16:26:02.220800790 +0100
+++ mod_auth_token.spec 2025-12-09 16:26:44.778609575 +0100
@@ -1,6 +1,6 @@
 Name:           mod_auth_token
 Version:        1.0.5
-Release:        27%{?dist}
+Release:        28%{?dist}
 Summary:        Token based URI access module for Apache
 
 License:        ASL 2.0
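Review bot: The Release bump from 27 to 28 at the top of the spec has no matching %changelog entry anywhere in this patch. Add an entry for 1.0.5-28 that names the module-order fix and references this bug, so the rebuild can be traced back to the reason for it.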
@@ -11,6 +11,7 @@
 Patch1:         mod_auth_token-1.0.5-fix-Wformat.patch
 Patch2:         mod_auth_token-1.0.5-apache24.patch
 Patch3:         mod_auth_token-1.0.5-add_ip_limitation_config.patch
+Patch4:         mod_auth_token-1.0.5-correct-module-order.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
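Review bot: Patch4 is declared in the Patch list here, but no hunk in this diff touches %prep, so nothing visible applies it. Unless the spec already uses %autosetup or %autopatch, add the matching %patch line after the one for Patch3; otherwise release 28 builds with the old hook order. The file mod_auth_token-1.0.5-correct-module-order.patch also has to be committed alongside the spec.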


Would be great if you could apply the patch and build a new release.
Thanks!
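
A check that can be run against the backend's access log to confirm the behaviour described under "Actual results" and to verify a rebuilt package. This is an added example, not part of the bug report or the module; the URL layout (a 32-hex-digit token followed by a hex timestamp) is assumed from the module's documentation, and the log lines are constructed:

```python
import re

# Assumed mod_auth_token URL layout (module documentation, not this bug report):
#   <AuthTokenPrefix><32-hex MD5 token>/<hex timestamp>/<real path>
TOKEN_PART = re.compile(
    r"^(?P<token>[0-9a-fA-F]{32})/(?P<ts>[0-9a-fA-F]{1,16})(?P<rest>/.*)$")
# Request line of a common/combined-format access log entry.
REQUEST = re.compile(
    r'"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) (?P<path>\S+) HTTP/[\d.]+"')

def leaked_token(path, prefix="/protected/"):
    """Return (token, timestamp, real_path) if path still carries the token parts."""
    # The backend may see the path with or without the front-end prefix,
    # depending on how the proxy maps it, so both forms are tested.
    candidates = [path.lstrip("/")]
    if path.startswith(prefix):
        candidates.insert(0, path[len(prefix):])
    for cand in candidates:
        m = TOKEN_PART.match(cand.split("?", 1)[0])
        if m:
            return m.group("token"), int(m.group("ts"), 16), m.group("rest")
    return None

def scan_backend_log(lines, prefix="/protected/"):
    """Return (line_no, real_path) for each logged request that still has a token."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        found = leaked_token(m.group("path"), prefix)
        if found:
            hits.append((no, found[2]))
    return hits

# Constructed sample backend log lines (not taken from the bug report).
SAMPLE = [
    '127.0.0.1 - - [09/Dec/2025:16:30:01 +0100] "GET /dbb5c462486e05facd6c1e1a6e2d4f11/69383a61/video/a.mp4 HTTP/1.1" 200 512',
    '127.0.0.1 - - [09/Dec/2025:16:30:05 +0100] "GET /video/a.mp4 HTTP/1.1" 200 512',
    '127.0.0.1 - - [09/Dec/2025:16:30:09 +0100] "GET /protected/0123456789abcdef0123456789abcdef/69383a61/doc.pdf HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for no, real in scan_backend_log(SAMPLE):
        print(f"line {no}: token still present, real path would be {real}")
```

An empty result on a log collected after the rebuild means the backend only received the "real" path, which is the expected result stated in the report.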

Comment 1 Leo 2026-03-03 11:16:30 UTC
Hi,

is there any chance to get the patch applied? Would be good to have a working release of mod_auth_token again.
I think all necessary information is already provided in the initial request, but if something is missing, please let me know.
Thanks!

Kind regards,
Leo

