Re: [users@httpd] basic auth config


 



Boyle Owen wrote:
-----Original Message-----
From: Mike Dewhirst [mailto:miked@xxxxxxxxxxxxxxx]

I'm convinced Apache 2.0.53 doesn't work as advertised in the docs when you try to get Basic Auth working without a .htaccess file.


Some people are convinced the Earth is flat but that don't make it so :-) By far the most likely reason for your problem still is that apache is misconfigured.

Owen and Joshua

You were right - it was misconfigured somehow. I started again with copies of the original confs and carefully re-did what had been done previously. I don't know what was different but it suddenly started giving me 403 errors.

I cranked up Apache 2.0.54 on my Windows laptop and proved that basic auth worked there (except for the passwords).

Back with SuSE I moved that basic auth stuff into the main file as Owen suggested and tried using an Alias and Location instead of Directory. I got nowhere until I accidentally commented out the Alias and the Location suddenly worked (see below)

I moved all the bits and pieces back out to the include files the way SuSE seems to like it and proved that it still fired up OK. I changed the Authname each time and watched it appear correctly in the browser dialog.

Here are my actual working results ...

# With Alias uncommented <Location> gives Error 403
# With Alias commented out <Location> basic auth works
#
# Alias /auth/mcfs/ "/svr/www/htdocs/auth/mcfs/"

<Location /auth/mcfs/>
    AuthType Basic
    AuthName "Academix"
    AuthUserFile /svr/www/data/pwl/academics/memb
    Require valid-user
</Location>

# With both Alias and <Location> commented and
# <Directory> uncommented Basic auth just doesn't
# happen - although it does in Windows Apache2
#
#<Directory /svr/www/htdocs/auth/mcfs>
#    AuthType Basic
#    AuthName "Academix"
#    AuthUserFile /svr/www/data/pwl/academics/memb
#    Require valid-user
#</Directory>
#

I have a problem with passwords but I'll start another thread for that.

Thanks again

Mike




I have a couple of points you might like to consider:

1) Your config structure is complicated (/etc/Apache2/httpd.conf includes /etc/Apache2/default_server.conf and /etc/Apache2/conf.d/basic_auth.conf... I think?). There's nothing wrong in principle with using Include but it does lead to complicated configs where the order and positioning of the Include statements becomes vitally important. Your "directive having no effect" problem is typical of a misconfiguration in such a set up. As an exercise, open up a copy of the main config file in an editor and then, using cut'n'paste, replace the Includes with the actual contents of the subsidiary config files. This will produce a single, flat config which is what apache sees. Read that - does it seem to make sense?
Having said that, I believe you have moved the Auth directives into the main config and they are still apparently ignored.

2) You are still a bit ambiguous about how apache is started... I get the impression that you routinely start it using "apache2ctl start". But when you test it to see if the syntax error is reported, you use "./httpd". Look inside apache2ctl (it is just a shell script) - does it have a "-f" argument to "httpd"? If so, this is the config file apache uses. When you start with "./httpd" on the command line, apache uses a compiled-in path to the config file. To see this, do "./httpd -V" and check the lines "HTTPD_ROOT" and "SERVER_CONFIG_FILE". Is this the same as in "apache2ctl"?

3) Could it be that there are two virtual hosts leading to the same content? Eg, if you set up VH1 and VH2 with the same (or overlapping) docroots and then put all your Auth directives under VH2, they would be ignored if the URL actually led to the content via VH1. This could happen if you screwed up the ServerName in VH2 (because then, apache serves any unidentified request from VH1 by default)...

4) Do you have a "Satisfy Any" directive anywhere in any config file? You stated earlier that you didn't understand this directive so it shouldn't be in use anywhere. If it is, you realise that it switches off password challenges from "Allowed" users...


I can get it to request a userid and password with AllowOverride AuthConfig and using a .htaccess file.


This is a definite indication that apache is either not reading the file containing these directives or the directory block containing them is not being read when parsing the request (ie, the request is going through a different VH).

As a final thought, just to convince yourself that apache does work as advertised, make a little hello_world website. Just one file (index.html) containing "hello world" in one dir (eg /tmp/hello_world). Config file:

/tmp/hw.conf contains:

DocumentRoot /tmp/hello_world
<Directory /tmp/hello_world>
  Allow from all
</Directory>

(leave everything else as default)

and start it with:

./httpd -f /tmp/hw.conf

Test it (http://localhost/)

Now add the Auth directives to the Directory block above. Does it work now?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.



Which brings me to a followup question ...

It doesn't like the passwords in the password file. They work fine under Apache 1.3 on my ISP's Linux server. I used htpasswd to create the passwords.

Is there a way to force Apache2 to use DES or whatever Apache 1.3 is comfortable with?

Thanks for being there

Mike


Mike Dewhirst wrote:

Joshua Slive wrote:


On 11/12/05, Mike Dewhirst <miked@xxxxxxxxxxxxxxx> wrote:



Does apache2ctl confirm that httpd actually reads that file on startup?



Depends on how httpd normally gets started.  If it is started using
apache2ctl, then that is a good indication.


OK - on investigation it ain't apachectl. It is httpd. I ran httpd -t and it complained about FooBar Nonsense too.

So - we are definitely reading the conf files. That means ...

1. I'm not reaching the right directory - Yes I am. 100% sure.

2. Some sort of caching? 100% no way. I've tried four different browsers on three different machines.

3. Apache is reading the conf but ignoring the directive for some reason

What else do I need for Basic Auth to work?

As it happens, I have subversion running via apache on that machine and when I access it from a foreign machine it asks me to authenticate. I have copied subversion.conf below. Maybe I should copy that?

Modules? I deleted all files in /etc/apache2/sysconfig.d and restarted the computer whereupon we got a brand-new loadmodule.conf ...

#
# Files in this directory are created at apache start time by /usr/sbin/rcapache2.
# Do not edit them!
#

# as listed in APACHE_MODULES (/etc/sysconfig/apache2)

LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
LoadModule actions_module /usr/lib/apache2-prefork/mod_actions.so
LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
LoadModule asis_module /usr/lib/apache2-prefork/mod_asis.so
LoadModule auth_module /usr/lib/apache2-prefork/mod_auth.so
LoadModule autoindex_module /usr/lib/apache2-prefork/mod_autoindex.so
LoadModule cgi_module /usr/lib/apache2-prefork/mod_cgi.so
LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
LoadModule dav_svn_module /usr/lib/apache2/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/mod_authz_svn.so
LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
LoadModule env_module /usr/lib/apache2-prefork/mod_env.so
LoadModule imap_module /usr/lib/apache2-prefork/mod_imap.so
LoadModule include_module /usr/lib/apache2-prefork/mod_include.so
LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
LoadModule mime_module /usr/lib/apache2-prefork/mod_mime.so
LoadModule negotiation_module /usr/lib/apache2-prefork/mod_negotiation.so

LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
#


Here is /etc/apache2/conf.d/subversion.conf

# see /usr/share/doc/packages/subversion for the full documentation
#

<IfModule mod_dav_svn.c>

##
## project related HTML files
##
<IfModule mod_alias.c>
 Alias /repos    /srv/svn/html
</IfModule>
<Directory /srv/svn/html>
       Options         Indexes +Multiviews -FollowSymLinks
       IndexOptions    FancyIndexing \
                       ScanHTMLTitles \
                       NameWidth=* \
                       DescriptionWidth=* \
                       SuppressLastModified \
                       SuppressSize

       order allow,deny
       allow from all
</Directory>
<Location /repos>
  DAV svn
  SVNParentPath /srv/svn/repos
  AuthzSVNAccessFile /srv/svn/user_access/access-policy
  #<moved from LimitExcept>
  # how to authenticate users
  AuthType Basic
  AuthName "repositories"
  AuthUserFile /srv/svn/user_access/auth-file
  Require valid-user
  #</moved from LimitExcept>

  # move 'Require valid-user' to here
  # to provide public read only access
  # and require a valid user for GET etc below
  <LimitExcept GET PROPFIND OPTIONS REPORT>
     #
  </LimitExcept>
</Location>
</IfModule>







Joshua.



---------------------------------------------------------------------

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
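
Owen's first and fourth suggestions in the thread above (flatten the Includes into the single config apache sees, then look for stray auth directives such as "Satisfy Any"), as an added example that is not part of the original messages. The function names and the two-file sample config built in demo() are constructed for illustration; a directory Include is expanded one level only, which is a simplification.

```python
import glob, os, re, tempfile

INCLUDE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?\s*$', re.I)
OPEN = re.compile(r'^\s*<(\w+)\s*([^>]*)>')
CLOSE = re.compile(r'^\s*</\w+>')
WATCH = re.compile(r'^\s*(AuthType|AuthName|AuthUserFile|Require|Satisfy)\b', re.I)

def flatten(path, server_root, _active=()):
    """Yield (file, line_no, text) with each Include expanded where it appears."""
    real = os.path.realpath(path)
    if real in _active:                      # include loop: stop descending
        return
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            m = INCLUDE.match(line)
            if not m:
                yield path, n, line.rstrip("\n")
                continue
            # Relative Include paths resolve against ServerRoot.
            target = os.path.join(server_root, m.group(1))
            if os.path.isdir(target):        # simplification: no recursion into subdirs
                target = os.path.join(target, "*")
            for inc in sorted(glob.glob(target)):
                if os.path.isfile(inc):
                    yield from flatten(inc, server_root, _active + (real,))

def auth_directives(path, server_root):
    """List (enclosing containers, directive, file, line_no) for auth-related directives."""
    stack, found = [], []
    for src, n, text in flatten(path, server_root):
        if CLOSE.match(text):
            if stack:
                stack.pop()
        elif (m := OPEN.match(text)):
            stack.append(f"<{m.group(1)} {m.group(2).strip()}>")
        elif WATCH.match(text):              # commented-out lines never match
            found.append((" ".join(stack) or "(server config)", text.strip(),
                          os.path.basename(src), n))
    return found

def demo():
    """Constructed sample: a main file that Includes conf.d/basic_auth.conf."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "conf.d"))
    with open(os.path.join(root, "httpd.conf"), "w") as f:
        f.write("Include conf.d/*.conf\n<Directory /srv/www/htdocs>\n  Satisfy Any\n</Directory>\n")
    with open(os.path.join(root, "conf.d", "basic_auth.conf"), "w") as f:
        f.write("<Location /auth/mcfs/>\n  AuthType Basic\n  Require valid-user\n</Location>\n")
    return auth_directives(os.path.join(root, "httpd.conf"), root)
```

On a real host, pass the config file and root that "httpd -V" reports as SERVER_CONFIG_FILE and HTTPD_ROOT (or the file named by "-f" in the start script), so the report covers the files the running server actually reads.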





