Date: Tue, 28 Oct 2003 12:19:41 -0600
From: "Charles Howse" <chowse@charter.net>
To: <questions@freebsd.org>
Subject: RE: User authentication not working in Apache2
Message-ID: <000d01c39d80$0e4714e0$04fea8c0@moe>
In-Reply-To: <000901c39d53$23e5e060$04fea8c0@moe>
> Hi,
> I'd like to restrict access to 1 of several cgi scripts on my website to
> authorized users only.
> Problem is, after configuring httpd.conf, .htaccess, .passwd, anyone can
> still run the script.
> I created the .passwd file with htpasswd -c myfilename myusername.
> Of course, I restarted apache after all changes to httpd.conf with
> apachectl restart. No errors.
> I've pored over the Apache documentation on their website, and Googled
> all day yesterday, no joy.
> The error log shows *nothing* related to execution of this script. The
> access log shows nothing other than the GET line for this script.
> Any help would be appreciated.
>
> Here are some relevant sections from httpd.conf (I'll post the entire
> 38k file if allowed.)
>
> # Dynamic Shared Object (DSO) Support
> #
> # To be able to use the functionality of a module which was built as a DSO you
> # have to place corresponding `LoadModule' lines at this location so the
> # directives contained in it are actually available _before_ they are used.
> # Statically compiled modules (those listed by `httpd -l') do not need
> # to be loaded here.
> #
> # Example:
> # LoadModule foo_module modules/mod_foo.so
> #
> LoadModule access_module libexec/apache2/mod_access.so
> LoadModule auth_module libexec/apache2/mod_auth.so
>
> [snip]
>
> # DocumentRoot: The directory out of which you will serve your
> # documents. By default, all requests are taken from this directory, but
> # symbolic links and aliases may be used to point to other locations.
> #
> DocumentRoot "/usr/local/www/data"
>
> #
> # Each directory to which Apache has access can be configured with respect
> # to which services and features are allowed and/or disabled in that
> # directory (and its subdirectories).
> #
> # First, we configure the "default" to be a very restrictive set of
> # features.
> #
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
> </Directory>
> <Directory /usr/local/www/cgi-bin>
>     AllowOverride AuthConfig
> </Directory>
>
> Here is the .htaccess file which resides in /usr/local/www/cgi-bin:
>
> <Files "myscript.cgi">
>     Options ExecCGI
>     AuthType Basic
>     AuthName "Password Required"
>     AuthUserFile /usr/local/www/.passwd # Not the best location for this file, I know.
>     Require valid-user
> </Files>

Well, I got it working. :-)
I'm not perfectly satisfied yet, but I'm much better off than I was.
I deleted the .htaccess file and put the directives in httpd.conf.

# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /usr/local/www/cgi-bin>
    AllowOverride AuthConfig
    <Files status.cgi>
        AuthType Basic
        AuthName "Restricted File"
        AuthUserFile /home/charles/.htpasswd
        Require user charles
    </Files>
</Directory>

I still would like to protect an additional script.
I tried:
<Files status.cgi another.file.pl>
That's unsupported.

I just tried
<Files ~ "\(file1.cgi|file2.pl)$">
Trying to match 2 specific filenames...no joy.

The Apache documentation for the Files directive says, "The directives
given within this section will be applied to any object with a basename
(last component of filename) matching the specified filename."

I wonder if that means that I can only match files based on the
extension?
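
An added example, not part of the original message: one way to cover two specific basenames with a single section, using the paths, realm and user from the configuration above. The file name another.file.pl is the stand-in from the message, and AllowOverride None assumes no .htaccess file is used in that directory any more.

```apache
# Added example, not the poster's configuration.
<Directory /usr/local/www/cgi-bin>
    # Assumption: all auth directives now live in httpd.conf, so
    # .htaccess overrides are switched off for this directory.
    AllowOverride None

    # <Files> and <FilesMatch> are tested against the basename only
    # (the last path component), so ^ and $ anchor the whole file name.
    #   ( a | b )  unescaped parentheses group the alternation; written
    #              as \( the parenthesis is a literal character instead
    #   \.         a literal dot; a bare . matches any character
    #   ^ ... $    exact names only: old-status.cgi and status.cgi.bak
    #              do NOT match and stay unprotected
    # Equivalent spelling: <Files ~ "^(status\.cgi|another\.file\.pl)$">
    <FilesMatch "^(status\.cgi|another\.file\.pl)$">
        AuthType Basic
        AuthName "Restricted File"
        AuthUserFile /home/charles/.htpasswd
        Require user charles
    </FilesMatch>
</Directory>

# Check after editing: run "apachectl configtest", restart, then request
# each script without credentials and confirm the response is 401.
# A 200 means the pattern did not match that basename.
```

A pattern that fails to match leaves the script reachable without a password and logs nothing, so the unauthenticated request is the test that matters.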