Situations where maliciuos IPs get HTTP 401 reponses?

[intrapid]

Hi!

I was wondering if there any situations where malicious IPs can get 401 responses ("GET / HTTP/1.1" 401) from Apache, when the entire site requires authentication with mod_auth_openidc?

Wouldn't all unauthenticated clients get 302 redirects to the openid provider? And that would show up in the apache log?

Site config:

<Location />
    SSLRequireSSL
    SSLOptions +StdEnvVars

    AuthType openid-connect
    Require claim XXX:YYYY

    Options Includes FollowSymLinks
    AllowOverride AuthConfig Limit
    Order allow,deny
    Allow from all
</Location>	

[zandbelt]

when a non-browser request is detected, a 401 would be returned, otherwise a 302 would happen indeed, regardless of the IP address used; if you want to block certain IP ranges you can do it through Apache configurations or through a dedicated component such as a web application firewall or ingress proxy

[monolied]

Reasonable; but the error message then still seems to be quite off.

[zandbelt]

I cannot reproduce that log warning when using the request you provided. What version of mod_auth_openidc are you on?

[monolied]

Should be the latest Debian bullseye package; but I'll verify when I'm on site.

[monolied]

Version: 2.4.9.4-0+deb11u3. But, it seems now, while the error numbers for the request are given correctly, the error message was probably related to the logout following the failing request. And the ones related to the shortened curl request must have been rather unlucky coincidences with other requests on that live system so I thought they were a direct connection and reproducing the error. Insofar I have to apologize for the irritation about the apache log excerpt.

[Norr]

when a non-browser request is detected, a 401 would be returned, otherwise a 302 would happen indeed, regardless of the IP address used; if you want to block certain IP ranges you can do it through Apache configurations or through a dedicated component such as a web application firewall or ingress proxy

So that is mean non-browser connection is not supported? For example if I want to connect to webdav via Microsoft built-in client it will not work, right?