On 1/24/06, Jason Keltz <jas@xxxxxxxxxxx> wrote:
>
> I would like to do that, but the problem is, I still need to leave the
> .htaccess functionality on the non-ssl side untouched.  There are users
> using basic authentication on the non-ssl side, and doing many other
> things in their personal .htaccess files and I can't break any of that.
> It's just that I am required to provide the new PAM functionality, and
> don't want to implement it in a way that risks the security of my
> passwords.

If there are people doing non-ssl basic auth (I'm assuming this is
also non-PAM) how is this working if you are getting 500 errors?  It
sounds like you have another config problem with your basic auth that
is creating the 500 errors.

>
> I had really figured the solution would be relatively trivial.  I
> figured that Apache would have a standard mechanism that would simply
> allow me to specify which modules are available to which virtual hosts.
> I figured that maybe I could do a "ClearModuleList" and then
> "AddModule" for each module, but these functions don't work inside the
> VirtualHost definitions, and as you said, this feature isn't in Apache
> right now.  It is left up to the module developer...

This feature can't be added to apache.  Modules can get involved in
every phase of the request, including determining what request goes to
what vhost.  So there can be no general way to tell a module only to
be active in one vhost.  It is up to the module.

(Well, if you *really* need this, then you can invoke httpd twice with
two different config files, one listening on 443 with the appropriate
modules, and the other listening on 80 with the appropriate modules.)

> The problem is, I
> think that even if I modified the mod_auth_pam module to only allow an
> enable if the calling URL was https, this wouldn't solve the problem
> since the Username and Password box would still come up, and the
> password would still be sent in the clear before the web server would
> return an error message.  The only way to make things stop hard in their
> tracks is by not having the module loaded...  It really seems like a
> solution that needs to come from within the web server.

I don't understand how not having the module loaded makes any
difference.  If someone asks for auth, it's still going to pop up the
auth dialog and they can still type in whatever they want (sensitive
or not) in the password box.

>
> I could hard-code the digest authentication into the "location /" call,
> as you said, but then I would mess up basic authentication using the ssl
> virtual host as well.

No it wouldn't.  The <Location> section should be scoped inside the
non-ssl <VirtualHost>.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
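
The two-instance arrangement mentioned in the message above (httpd invoked twice, one config listening on 80 and one on 443, each with its own modules), sketched as an added example; it is not configuration posted by anyone in the thread. File names, paths, the host name and the LoadModule lines are assumptions, and it presumes modules built as loadable DSOs.

```apache
# Constructed sketch. File names, paths, host name and module file names
# are assumptions; adjust them to the local build.

# ---- conf/httpd-plain.conf : instance for port 80, PAM module absent ----
ServerRoot "/usr/local/apache2"
Listen 80
# Each instance needs its own PidFile, and separate logs keep them apart.
PidFile  logs/httpd-plain.pid
ErrorLog logs/plain-error_log
# mod_auth_pam is deliberately not loaded in this instance, so its
# directives are unknown here and an .htaccess file that uses them
# cannot check system passwords over cleartext HTTP.
# Settings both instances share (hypothetical file): DocumentRoot,
# user directories, AllowOverride, the existing basic-auth modules.
Include conf/common.conf

# ---- conf/httpd-ssl.conf : instance for port 443, PAM module present ----
ServerRoot "/usr/local/apache2"
Listen 443
PidFile  logs/httpd-ssl.pid
ErrorLog logs/ssl-error_log
LoadModule ssl_module      modules/mod_ssl.so
LoadModule auth_pam_module modules/mod_auth_pam.so
Include conf/common.conf
<VirtualHost _default_:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
</VirtualHost>

# ---- start each instance with its own file (httpd -f <config>) ----
#   httpd -f conf/httpd-plain.conf
#   httpd -f conf/httpd-ssl.conf
```

Comments sit on their own lines because Apache does not accept a comment after a directive on the same line.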