From: "Charles Howse"
Date: Tue, 28 Oct 2003 12:19:41 -0600
Subject: RE: User authentication not working in Apache2

> Hi,
> I'd like to restrict access to 1 of several cgi scripts on my website to
> authorized users only.
> Problem is, after configuring httpd.conf, .htaccess, .passwd, anyone can
> still run the script.
> I created the .passwd file with htpasswd -c myfilename myusername.
> Of course, I restarted apache after all changes to httpd.conf with
> apachectl restart. No errors.
> I've pored over the Apache documentation on their website, and Googled
> all day yesterday, no joy.
> The error log shows *nothing* related to execution of this script.
> The access log shows nothing other than the GET line for this script.
> Any help would be appreciated.
>
> Here are some relevant sections from httpd.conf (I'll post the entire
> 38k file if allowed.)
>
> # Dynamic Shared Object (DSO) Support
> #
> # To be able to use the functionality of a module which was built as a DSO you
> # have to place corresponding `LoadModule' lines at this location so the
> # directives contained in it are actually available _before_ they are used.
> # Statically compiled modules (those listed by `httpd -l') do not need
> # to be loaded here.
> #
> # Example:
> # LoadModule foo_module modules/mod_foo.so
> #
> LoadModule access_module libexec/apache2/mod_access.so
> LoadModule auth_module libexec/apache2/mod_auth.so
>
> [snip]
>
> # DocumentRoot: The directory out of which you will serve your
> # documents. By default, all requests are taken from this directory, but
> # symbolic links and aliases may be used to point to other locations.
> #
> DocumentRoot "/usr/local/www/data"
>
> #
> # Each directory to which Apache has access can be configured with respect
> # to which services and features are allowed and/or disabled in that
> # directory (and its subdirectories).
> #
> # First, we configure the "default" to be a very restrictive set of
> # features.
> #
>
> Options FollowSymLinks
> AllowOverride None
>
>
> AllowOverride AuthConfig
>
>
> Here is the .htaccess file which resides in /usr/local/www/cgi-bin:
>
>
> Options ExecCGI
> AuthType Basic
> AuthName "Password Required"
> AuthUserFile /usr/local/www/.passwd # Not the best location for this file, I know.
> Require valid-user
>

Well, I got it working. :-)
I'm not perfectly satisfied yet, but I'm much better off than I was.

I deleted the .htaccess file and put the directives in httpd.conf.

# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
Options FollowSymLinks
AllowOverride None
AllowOverride AuthConfig
AuthType Basic
AuthName "Restricted File"
AuthUserFile /home/charles/.htpasswd
Require user charles

I still would like to protect an additional script.
I tried:
That's unsupported.
I just tried
Trying to match 2 specific filenames...no joy.

The Apache documentation for the Files directive says, "The directives given within this section will be applied to any object with a basename (last component of filename) matching the specified filename."
I wonder if that means that I can only match files based on the extension?
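
Added example, not part of the original message: the basename that the Files directive matches is the whole file name, not only the extension, and FilesMatch with an anchored regular expression lets one section name two specific scripts. The script names report.cgi and admin.cgi are hypothetical; the directory, user and password file are the ones given in the message.

```apache
# Added example. report.cgi and admin.cgi are hypothetical script names;
# the directory, password file and user come from the message above.
<Directory "/usr/local/www/cgi-bin">
    # <Files "report.cgi"> would cover exactly one script: the argument is
    # compared with the whole basename, and '?' and '*' are wildcards.
    # <FilesMatch> takes a regular expression instead, so one section can
    # name both scripts. The ^ and $ anchors keep it from also matching
    # names that merely contain "report.cgi" or "admin.cgi".
    <FilesMatch "^(report|admin)\.cgi$">
        AuthType Basic
        AuthName "Restricted File"
        # Password file kept outside DocumentRoot and cgi-bin.
        AuthUserFile /home/charles/.htpasswd
        Require user charles
    </FilesMatch>
</Directory>
```

Run apachectl configtest before restarting; afterwards a request without credentials for either script should get a 401 response while the other scripts in the directory still run.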