Re: [users@httpd] [SOLVED] basic auth config


 



Mike Dewhirst wrote:
Mike Dewhirst wrote:

Boyle Owen wrote:

-----Original Message-----
From: Mike Dewhirst [mailto:miked@xxxxxxxxxxxxxxx]

<snip>

Some people are convinced the Earth is flat but that don't make it so :-) By far the most likely reason for your problem still is that apache is misconfigured.

My deepest most dyslexic apologies for wasting your bandwidth. The error log gave me the answer /svr/... is not /srv/...

Sorry one and all

Mike



You are still right and I am up a gum tree.

I can edit my Basic Auth entry realm and see it change in the userid dialog in the browser so I at least know SuSE Linux 9.1, Apache 2.0.53 is reading what I write. However none of my password attempts work. I even started a spurious thread (sorry!) before checking the error_log.

httpd -t returns Syntax OK

Here are some relevant error_log entries ...

[Thu Nov 17 11:02:37 2005] [error] [client 192.168.0.29] Could not fetch resource information. [301, #0]
[Thu Nov 17 11:02:37 2005] [error] [client 192.168.0.29] (84)Invalid or incomplete multibyte or wide character: Requests for a collection must have a trailing slash on the URI. [301, #0]

This was another machine which I used to access one of the subversion repositories successfully. I didn't know it produced these errors until I checked for the basic auth errors below!

<error_log>

[Thu Nov 17 11:14:27 2005] [error] [client 192.168.0.38] (2)No such file or directory: Could not open password file: /svr/www/data/pwl/academics/memb
[Thu Nov 17 11:14:27 2005] [error] [client 192.168.0.38] user miked not found: /auth/mcfs/

</error_log>

That /svr/www/data/pwl/academics/memb password file definitely exists and all the permissions are OK (775) and owner of every directory in that path and the memb file itself is wwwrun.www

The Basic Auth config is as follows ...

#
<IfModule mod_alias.c>
    Alias /auth/mcfs    /srv/www/htdocs/auth/mcfs
</IfModule>
#
<Directory /srv/www/htdocs/auth/mcfs>
    Order allow,deny
    Allow from all
</Directory>
#
<Location /auth/mcfs>
    AuthType Basic
    AuthName "Academics"
    AuthUserFile /svr/www/data/pwl/academics/memb
    Require valid-user
</Location>
#

Here are the modules apache loads from /etc/apache2/sysconfig.d/loadmodule.conf ...

#
# Files in this directory are created at apache start time by /usr/sbin/rcapache2.
# Do not edit them!
#

# as listed in APACHE_MODULES (/etc/sysconfig/apache2)

LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
LoadModule actions_module /usr/lib/apache2-prefork/mod_actions.so
LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
LoadModule asis_module /usr/lib/apache2-prefork/mod_asis.so
LoadModule auth_module /usr/lib/apache2-prefork/mod_auth.so
LoadModule autoindex_module /usr/lib/apache2-prefork/mod_autoindex.so
LoadModule cgi_module /usr/lib/apache2-prefork/mod_cgi.so
LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
LoadModule dav_svn_module                 /usr/lib/apache2/mod_dav_svn.so
LoadModule authz_svn_module               /usr/lib/apache2/mod_authz_svn.so
LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
LoadModule env_module /usr/lib/apache2-prefork/mod_env.so
LoadModule imap_module /usr/lib/apache2-prefork/mod_imap.so
LoadModule include_module /usr/lib/apache2-prefork/mod_include.so
LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
LoadModule mime_module /usr/lib/apache2-prefork/mod_mime.so
LoadModule negotiation_module /usr/lib/apache2-prefork/mod_negotiation.so
LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
LoadModule status_module /usr/lib/apache2-prefork/mod_status.so
#

As previously indicated, subversion is working perfectly with this configuration. It calls for a Basic Auth userid and password which work fine and generously let me see the contents of the repositories despite the errors shown in the log. However, as you can see, passwords are stored elsewhere. Here is the working subversion.conf ...

# subversion
# see /usr/share/doc/packages/subversion for the full documentation
#
<IfModule mod_dav_svn.c>
    <IfModule mod_alias.c>
        Alias /repos    /srv/svn/html
    </IfModule>
#
    <Directory /srv/svn/html>
        Options         Indexes +Multiviews -FollowSymLinks
        IndexOptions    FancyIndexing \
                        ScanHTMLTitles \
                        NameWidth=* \
                        DescriptionWidth=* \
                        SuppressLastModified \
                        SuppressSize
        Order allow,deny
        Allow from all
    </Directory>
#
    <Location /repos>
        DAV svn
        SVNParentPath /srv/svn/repos
        # Require SSL connection for password protection.
        # SSLRequireSSL
        AuthType Basic
        AuthName "repositories"
        AuthUserFile /srv/svn/user_access/auth-file
        AuthzSVNAccessFile /srv/svn/user_access/access-policy
        Require valid-user
    </Location>
</IfModule>
#

I really appreciate your help.

Thanks

Mike






I have a couple of points you might like to consider:

1) Your config structure is complicated (/etc/Apache2/httpd.conf includes /etc/Apache2/default_server.conf and /etc/Apache2/conf.d/basic_auth.conf... I think?). There's nothing wrong in principle with using Include but it does lead to complicated configs where the order and positioning of the Include statements becomes vitally important. Your "directive having no effect" problem is typical of a misconfiguration in such a set up. As an exercise, open up a copy of the main config file in an editor and then, using cut'n'paste, replace the Includes with the actual contents of the subsidiary config files. This will produce a single, flat config which is what apache sees. Read that - does it seem to make sense? Having said that, I believe you have moved the Auth directives into the main config and they are still apparently ignored.

2) You are still a bit ambiguous about how apache is started... I get the impression that you routinely start it using "apache2ctl start". But when you test it to see if the syntax error is reported, you use "./httpd". Look inside apache2ctl (it is just a shell script) - does it have a "-f" argument to "httpd"? If so, this is the config file apache uses. When you start with "./httpd" on the command line, apache uses a compiled-in path to the config file. To see this, do "./httpd -V" and check the lines "HTTPD_ROOT" and "SERVER_CONFIG_FILE". Is this the same as in "apache2ctl"?

3) Could it be that there are two virtual hosts leading to the same content? Eg, if you set up VH1 and VH2 with the same (or overlapping) docroots and then put all your Auth directives under VH2, they would be ignored if the URL actually led to the content via VH1. This could happen if you screwed up the ServerName in VH2 (because then, apache serves any unidentified request from VH1 by default)...

4) Do you have a "Satisfy Any" directive anywhere in any config file? You stated earlier that you didn't understand this directive so it shouldn't be in use anywhere. If it is, you realise that it switches off password challenges from "Allowed" users...


I can get it to request a userid and password with AllowOverride AuthConfig and using a .htaccess file.




This is a definite indication that apache is either not reading the file containing these directives or the directory block containing them is not being read when parsing the request (ie, the request is going through a different VH).

As a final thought, just to convince yourself that apache does work as advertised, make a little hello_world website. Just one file (index.html) containing "hello world" in one dir (eg /tmp/hello_world). Config file:

/tmp/hw.conf contains:

DocumentRoot /tmp/hello_world
<Directory /tmp/hello_world>
  Allow from all
</Directory>

(leave everything else as default)

and start it with:

./httpd -f /tmp/hw.conf

Test it (http://localhost/)

Now add the Auth directives to the Directory block above. Does it work now?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.



Which brings me to a followup question ...

It doesn't like the passwords in the password file. They work fine under Apache 1.3 on my ISP's Linux server. I used htpasswd to create the passwords.

Is there a way to force Apache2 to use DES or whatever Apache 1.3 is comfortable with?

Thanks for being there

Mike


Mike Dewhirst wrote:

Joshua Slive wrote:


On 11/12/05, Mike Dewhirst <miked@xxxxxxxxxxxxxxx> wrote:



Does apache2ctl confirm that httpd actually reads that file on startup?



Depends on how httpd normally gets started.  If it is started using
apache2ctl, then that is a good indication.




OK - on investigation it ain't apachectl. It is httpd. I ran httpd -t
and it complained about FooBar Nonsense too.

So - we are definitely reading the conf files. That means ...

1. I'm not reaching the right directory - Yes I am. 100% sure.

2. Some sort of caching? 100% no way. I've tried four different browsers
on three different machines.

3. Apache is reading the conf but ignoring the directive for some reason

What else do I need for Basic Auth to work?

As it happens, I have subversion running via apache on that machine and
when I access it from a foreign machine it asks me to authenticate. I
have copied subversion.conf below. Maybe I should copy that?

Modules? I deleted all files in /etc/apache2/sysconfig.d and restarted
the computer whereupon we got a brand-new loadmodule.conf ...

#
# Files in this directory are created at apache start time by /usr/sbin/rcapache2.
# Do not edit them!
#

# as listed in APACHE_MODULES (/etc/sysconfig/apache2)

LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
LoadModule actions_module /usr/lib/apache2-prefork/mod_actions.so
LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
LoadModule asis_module /usr/lib/apache2-prefork/mod_asis.so
LoadModule auth_module /usr/lib/apache2-prefork/mod_auth.so
LoadModule autoindex_module /usr/lib/apache2-prefork/mod_autoindex.so
LoadModule cgi_module /usr/lib/apache2-prefork/mod_cgi.so
LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
LoadModule dav_svn_module /usr/lib/apache2/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/mod_authz_svn.so
LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
LoadModule env_module /usr/lib/apache2-prefork/mod_env.so
LoadModule imap_module /usr/lib/apache2-prefork/mod_imap.so
LoadModule include_module /usr/lib/apache2-prefork/mod_include.so
LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
LoadModule mime_module /usr/lib/apache2-prefork/mod_mime.so
LoadModule negotiation_module /usr/lib/apache2-prefork/mod_negotiation.so

LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
#


Here is /etc/apache2/conf.d/subversion.conf

# see /usr/share/doc/packages/subversion for the full documentation
#

<IfModule mod_dav_svn.c>

##
## project related HTML files
##
<IfModule mod_alias.c>
 Alias /repos    /srv/svn/html
</IfModule>
<Directory /srv/svn/html>
       Options         Indexes +Multiviews -FollowSymLinks
       IndexOptions    FancyIndexing \
                       ScanHTMLTitles \
                       NameWidth=* \
                       DescriptionWidth=* \
                       SuppressLastModified \
                       SuppressSize

       order allow,deny
       allow from all
</Directory>
<Location /repos>
  DAV svn
  SVNParentPath /srv/svn/repos
  AuthzSVNAccessFile /srv/svn/user_access/access-policy
  #<moved from LimitExcept>
  # how to authenticate users
  AuthType Basic
  AuthName "repositories"
  AuthUserFile /srv/svn/user_access/auth-file
  Require valid-user
  #</moved from LimitExcept>

  # move 'Require valid-user' to here
  # to provide public read only access
  # and require a valid user for GET etc below
  <LimitExcept GET PROPFIND OPTIONS REPORT>
     #
  </LimitExcept>
</Location>
</IfModule>







Joshua.



---------------------------------------------------------------------

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx






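
Added example, not part of the original thread or of the Apache project: httpd -t reported Syntax OK even though the AuthUserFile path was mistyped (/svr for /srv), so this POSIX shell function lists every AuthUserFile that is not a readable file, with its config line and enclosing section. The function names and the sample config rooted in a temp directory are constructed for illustration.

```shell
# Added example. Include is not followed; AuthUserFile paths assumed absolute.
check_auth_files() (
    rc=0
    for conf in "$@"; do
        # Emit "line|enclosing section|path" for each AuthUserFile directive.
        entries=$(awk '
            { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
            /^#/ || /^$/ { next }
            /^<\//       { if (depth > 0) depth--; next }
            /^</         { stack[++depth] = $0; next }
            tolower($1) == "authuserfile" {
                path = $0
                sub(/^[^ \t]+[ \t]+/, "", path)   # drop the directive name
                gsub(/^"|"$/, "", path)           # drop optional quotes
                print NR "|" (depth ? stack[depth] : "(server config)") "|" path
            }' "$conf") || exit 2
        while IFS='|' read -r lineno section path; do
            [ -n "$lineno" ] || continue
            if [ ! -f "$path" ] || [ ! -r "$path" ]; then
                printf '%s:%s: %s: cannot read AuthUserFile %s\n' "$conf" "$lineno" "$section" "$path"
                rc=1
            fi
        done <<EOF
$entries
EOF
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample: the thread's two auth blocks, rooted in a temp directory.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/srv/www/data/pwl/academics" "$root/srv/svn/user_access"
    : > "$root/srv/www/data/pwl/academics/memb"
    : > "$root/srv/svn/user_access/auth-file"
    cat > "$root/auth.conf" <<EOF
<Location /auth/mcfs>
    AuthType Basic
    AuthUserFile $root/svr/www/data/pwl/academics/memb
</Location>
<Location /repos>
    AuthUserFile $root/srv/svn/user_access/auth-file
</Location>
EOF
    echo "$root"
}

demo_root=$(make_sample)
check_auth_files "$demo_root/auth.conf" || echo "fix the paths listed above"
rm -rf "$demo_root"
```

Run it as the user httpd runs as (wwwrun in the thread), since readability is tested for the calling user.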


