Fwd: Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure

Apologies, I sent the wrong config. Here is the WORKING config (except for the location restriction of 127.0.0.1 for the REST directory).

Any help with this would be appreciated! :-)

<VirtualHost *:80>
       ServerName sub.domain.tld

       RewriteEngine On
       #RewriteLog /var/log/httpd/modrewrite_log
       #RewriteLogLevel 9

       RewriteCond %{HTTP_HOST}    sub.domain.tld [NC]
       RewriteCond %{SERVER_PORT}  80
       RewriteRule ^/(.*)          https://sub.domain.tld:4431/$1
</VirtualHost>

Listen 4431
<VirtualHost *:4431>
       ServerName sub.domain.tld

       SSLEngine On
       SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
       SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
       SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

       AddDefaultCharset UTF-8

       FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300

       Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
       ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

       DocumentRoot /opt/rt4/share/html
       <Directory /opt/rt4>
               AuthType Basic
               AuthName "Request Tracker Login"

               AuthLDAPEnabled on
               AuthLDAPAuthoritative on

               AuthLDAPUrl "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
               AuthLDAPBindDN "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
               AuthLDAPBindPassword **********

               Require valid-user
       </Directory>
       <Location />
               Order deny,allow
               Deny from all
               SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
               Allow from env=allow
               Satisfy Any
               Options +ExecCGI
               AddHandler fastcgi-script fcgi
       </Location>
</VirtualHost>

Sent from my iPad

Begin forwarded message:

From: Thomas Smith <theitsmith@xxxxxxxxx>
Date: October 5, 2011 2:44:42 PM PDT
To: users@xxxxxxxxxxxxxxxx
Subject: Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure

Hi,

I'm configuring the Request Tracker to use Apache authentication. I've
had RT running for quite a few years, but (up to this point) only
using its internal database for authentication.

Software:
* CentOS 4.8
* Apache 2.0.63
* RT 4.0.2
* mod_fastcgi 2.4.6

I created a Directory directive for /opt/rt4 that enables the LDAP
authentication. This works really well but breaks their mail-gateway
functionality (because this script is unable to perform
authentication). I used a SetEnvIf parameter to exclude the two
directories from authentication and it worked well (only the REST
directory is required for the mail-gateway to work, though). However,
the RT developers recommend restricting access to mail-gateway to
127.0.0.1 as it's used to inject tickets, via email, into RT's
database--I haven't been able to get this to work. I've tried a number
of combinations of Directory, Files, and Location directives without
any success. Here's a sanitized version of my Apache config for this
virtual host (a working configuration without the above mentioned
127.0.0.1 restriction):


<VirtualHost *:80>
       ServerName sub.domain.tld

       RewriteEngine On
       #RewriteLog /var/log/httpd/modrewrite_log
       #RewriteLogLevel 9

       RewriteCond %{HTTP_HOST}    sub.domain.tld [NC]
       RewriteCond %{SERVER_PORT}  80
       RewriteRule ^/(.*)          https://sub.domain.tld:4431/$1
</VirtualHost>

Listen 4431
<VirtualHost *:4431>
       ServerName sub.domain.tld

       SSLEngine On
       SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
       SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
       SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

       AddDefaultCharset UTF-8

       FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300

       Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
       ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

       DocumentRoot /opt/rt4/share/html
       <Directory /opt/rt4>
               AuthType Basic
               AuthName "Request Tracker Login"

               AuthLDAPEnabled on
               AuthLDAPAuthoritative on

               AuthLDAPUrl "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
               AuthLDAPBindDN "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
               AuthLDAPBindPassword **********

               Require valid-user

               # Allow anyone access to the "/NoAuth" location.
               SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
               Order deny,allow
               Allow from env=allow
               Satisfy Any
       </Directory>
       <Directory /opt/rt4/share/html>
               Order deny,allow
               Deny from all

               Options +ExecCGI
               AddHandler fastcgi-script fcgi
       </Directory>
</VirtualHost>

Can someone help me get my desired configuration to work? I've been
playing around with it for hours and haven't had any success.
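An added example (editor's, not from the thread or from the RT project) of the access-control part of the *:4431 virtual host: it keeps the poster's `<Directory /opt/rt4>` LDAP block unchanged and replaces the single `<Location />` with one `<Location>` per path, using only the Apache 2.0/2.2 directives the posted config already uses. The paths and the 127.0.0.1 restriction are the ones stated in the message; everything else about the host is assumed to stay as posted.

```apache
# Added example: access control for the *:4431 virtual host.
# <Directory /opt/rt4> stays as posted (AuthType Basic, LDAP, Require valid-user).
# <Location> sections are applied after <Directory> and merged in file order, so
# the most specific path comes last. Every section sets its own Order/Allow/Deny
# (the access module does not merge these from an enclosing section) and
# "Satisfy Any" means "host check passes OR user authenticates".

# 1. Default: no host passes, so every request needs a valid LDAP user.
<Location />
        Order deny,allow
        Deny from all
        Satisfy Any
        Options +ExecCGI
        AddHandler fastcgi-script fcgi
</Location>

# 2. Login-free pages and static assets: open to everyone, no credentials.
<Location /NoAuth>
        Order deny,allow
        Allow from all
        Satisfy Any
</Location>

# 3. Mail-gateway endpoint: unauthenticated only from the local host.
#    A request from any other address fails the host check and must
#    authenticate via LDAP; on 2.0/2.2 the inherited Require cannot be
#    dropped per-Location, so this is as strict as the idiom gets.
#    Caveat: if a reverse proxy sits in front of Apache, every request
#    arrives from the proxy's address and this check no longer isolates
#    the local mail gateway.
<Location /REST/1.0/NoAuth>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Satisfy Any
</Location>
```

On Apache 2.4 the same policy is written with `Require all denied`, `Require all granted`, and, for the gateway path, a `<RequireAny>` containing `Require ip 127.0.0.1` and `Require valid-user`. After a reload, a request to /REST/1.0/NoAuth/ from the host itself should return without a 401 while the same request from another machine is challenged for credentials.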
