On Wed, 15 Jun 2011 21:22:28 +0200
Jeroen Geilman <jeroen@xxxxxxxxx> wrote:

Ian> > UserDir public_html
Ian> > UserDir disabled root
Ian> >
Ian> > <Directory /home/*/public_html>
Ian> > AllowOverride FileInfo AuthConfig Limit Indexes
Ian> > Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Ian> > <Limit GET POST OPTIONS>
Ian> > Order allow,deny
Ian> > Allow from all
Ian> > </Limit>
Ian> > <LimitExcept GET POST OPTIONS>
Ian> > Order deny,allow
Ian> > Deny from all
Ian> > </LimitExcept>
Ian> > </Directory>
Ian> > </IfModule>
Ian> >

Jeroen> urgh

Well, as I wrote, this is the unchanged configuration from Debian. If I
have to change it I might as well configure all the authentication there
and not bother with .htaccess files. (I know that works, BTW.) The idea
was to avoid editing the original configuration as much as possible.

Ian> > Document root is configured as follows:
Ian> >
Ian> > <Location />

Jeroen> No. Nonononononononono. A Documentroot MUST point to a physical
Jeroen> filesystem <Directory>.

I misspoke. There is a normal DocumentRoot definition elsewhere in the
file which does point to a physical directory, namely /var/www. I just
meant to say this is how I configured the authentication for /. See
below why I thought this was preferable.

Ian> > Options Indexes FollowSymLinks MultiViews
Ian> > AuthType Basic
Ian> > AuthName "Root Realm"
Ian> > AuthBasicProvider file
Ian> > AuthUserFile /etc/apache2/passwd
Ian> > Require valid-user
Ian> > Order allow,deny
Ian> > allow from all
Ian> > </Location>
Ian> >
Ian> > Now, I try to override the auth settings in a subtree of my
Ian> > ~/public_html by putting a .htaccess file there, which reads as follows:

Jeroen> Authentication SHOULD always be done on physical files if possible.
Jeroen> This prevents people bypassing it by using an alternate URL.

I get this point to a degree. Still, before diving in I'd like to
understand _why_ it fails as it is.
Is it that all the Location info is applied after all the physical (and
htaccess) info and overrides the latter?

And if I do as you say, it looks like I'd need 2 htaccess files, an
extra one for the top of my public_html, since it won't be covered by
whatever is set for /var/www. Correct? And I'll also need to separately
define authentication for all aliases like /usr/share/doc if I want them
covered. Right? This is what I was trying to avoid by putting the Auth
stuff in the <Location /> block.

-- 
Ian Zimmerman
gpg public key: 1024D/C6FF61AD
fingerprint: 66DC D68F 5C1B 4D71 2EE5 BD03 8A00 786C C6FF 61AD
Rule 420: All persons more than eight miles high to leave the court.
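
The section merge order behind the question above, as an added configuration sketch that is not part of the original message: httpd merges `<Location>` sections after `<Directory>` sections and `.htaccess` files, so auth directives in `<Location />` replace the same directives set in a `.htaccess`. The `.htaccess` path, its realm name and `/home/ian/.htpasswd` are hypothetical; everything else is taken from the configuration quoted in the thread.

```apache
# Added example (Apache 2.2 syntax, as in the thread). Not from the original
# message. The .htaccess location and /home/ian/.htpasswd are hypothetical.
#
# Per-request merge order:
#   1. <Directory> sections and .htaccess files, shortest path first
#      (.htaccess overrides <Directory> where AllowOverride permits)
#   2. <DirectoryMatch> and regex <Directory ~>
#   3. <Files> / <FilesMatch>
#   4. <Location> / <LocationMatch>
# Later steps override earlier ones, so auth set in <Location /> replaces
# whatever a .htaccess set for the same directives.

# Before (from the thread): merged last, matches every URL.
# <Location />
#     AuthType Basic
#     AuthUserFile /etc/apache2/passwd
#     Require valid-user
# </Location>

# After: the same policy attached to the filesystem root. It is inherited by
# /var/www, by alias targets such as /usr/share/doc, and by
# /home/*/public_html, so one block still covers everything.
<Directory />
    AuthType Basic
    AuthName "Root Realm"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/passwd
    Require valid-user
</Directory>

# Unchanged Debian userdir block: AuthConfig is what lets a .htaccess below
# public_html replace the inherited auth directives.
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit Indexes
</Directory>

# --- separate file: /home/ian/public_html/private/.htaccess (hypothetical) ---
AuthType Basic
AuthName "Private Realm"
AuthBasicProvider file
AuthUserFile /home/ian/.htpasswd
Require valid-user
```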