LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (http://www.linuxquestions.org/questions/linux-server-73/)
-   -   http auth woes (http://www.linuxquestions.org/questions/linux-server-73/http-auth-woes-853978/)

frieza 01-03-2011 03:31 PM

http auth woes
 
i've been trying to configure authentication for a particular tool on a website i've been building

i've tried php http authorization and .htaccess/.htpasswd files, neither seem to work

Code:

<?php
if (!isset($_SERVER['PHP_AUTH_TYPE'])) {
    header('WWW-Authenticate: Basic realm="My Realma"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    echo "<p>Hello {$_SERVER['PHP_AUTH_USER']}.</p>";
    echo "<p>You entered {$_SERVER['PHP_AUTH_PW']} as your password.</p>";
}
print_r($_SERVER);
?>

should just echo out the user/password i entered

[code]
then i created a .htaccess file for the directory

AuthUserFile /home/user874-****/.htpasswd
AuthUserFile /dev/null
AuthName "Protected Area"
AuthType Basic

require valid-user
[code]

.htpasswd
Code:

worker:gSs4***JFQH5Q
both tests cause the browser to prompt for a username/password but both will just keep tossing the dialog in your face every time you type in a user/password, the first shouldnt require any valid information just echo what was typed in, it is as if the server isn't recieving the information

vhost file
Code:

VirtualHost *:80>
DocumentRoot "/home/user874-****/www/devel"
ServerName editortool.gotdns.org
<Directory "/home/user874-****/www/devel">
AllowOverride All
allow from all
Options +Indexes
</Directory>
</VirtualHost>

phpinfo
http://img255.imageshack.us/img255/3420/phpinfo.jpg

if you require anything else please let me know

bathory 01-03-2011 04:51 PM

I cannot tell about the php code, but in .htaccess you should remove "AuthUserFile /dev/null". You have already defined AuthUserfile in the line above this one and besides, this directive cancels the usage of the .htpasswd.
Also when you use "/home/user874-****", I guess you don't have asterisks in the directory name. Make sure also that the apache user can read /home/user874-****/.htpasswd

Regards

frieza 01-03-2011 05:00 PM

Quote:

Originally Posted by bathory (Post 4211901)
I cannot tell about the php code, but in .htaccess you should remove "AuthUserFile /dev/null". You have already defined AuthUserfile in the line above this one and besides, this directive cancels the usage of the .htpasswd.
Regards

noticed that already, removed that line and it still does not work

tried chown www-data:www-data .htpasswd as well, still nothing

Code:

-rw-r--r-- 1 www-data www-data 21 2011-01-03 14:52 .htpasswd

bathory 01-03-2011 05:14 PM

Did you close your browser and reopen it, so it starts a new session?
Also check if there is something logged in apache error_log.

frieza 01-03-2011 05:39 PM

not consistantly but i occasionally got
Code:

[Mon Jan 03 14:54:05 2011] [error] [client 192.168.0.19] access to /vehicle_fixer/ failed, reason: verification of user id '<null>' not configured

bathory 01-04-2011 12:36 AM

Hi,

This error comes from the php authorization page.
What happens when trying to authenticate with the .htaccess way? Did you try to start a new browser session and see what you get?

frieza 01-04-2011 10:04 AM

yes and it does nothing but reject everything even the supposedly correct user/password but puts nothing in the error log, even while watching the log with tail -f error.log

EdHeron 01-04-2011 02:45 PM

If you are using SELinux, you might need to tell SELinux that it is OK for Apache to access that file with:

chcon --type=http_sys_content_t /home/user874-****/.htpasswd

EdHeron 01-04-2011 02:53 PM

In the PHP manual http://www.php.net/manual/en/reserve...les.server.php, it says the variable is $_SERVER['AUTH_TYPE'] not $_SERVER['PHP_AUTH_TYPE'].

frieza 01-04-2011 03:01 PM

stll nothing

EdHeron 01-04-2011 03:32 PM

Looking at http://php.net/manual/en/features.http-auth.php, it seems to give conflicting information. It appears to say that PHP_AUTH_USER might not be set in all cases, but that REMOTE_USER might...

Also, the example in the manual doesn't use AUTH_TYPE. I could guess that it isn't reliable.

Rhetorical question: Why use HTTP authentication? Why not, if they aren't logged in, display a login page instead of the requested page. Or, save the requested URL and redirect them to a login page? Then, once they are logged in, give them the page they originally requested.

frieza 01-04-2011 04:13 PM

it's a php script i wrote and i'm not that good at writing user login programs for php, that and i want to be able to put other non php content in that folder as well such as .inc files which are not parsed by php but have the password to the database

interestingly enough, this works
Code:

Order Deny,Allow
Deny from all
Allow from 192.168.0.xx

(192.168.0.xx is the external interface of our internal firewall, the IP addr that all traffic from our internal network appears to come from, thus allowing only the internal lan to access the site for the moment)

but a .htpasswd file does not

EdHeron 01-04-2011 05:17 PM

So, you really want to use basic http authentication and get the username passed to your scripts?

Do you have AllowOverride AuthConfig in your apache config file? Without that, it will completely ignore the Auth options in your .htaccess file. If you have access to the server config file, you could just put the Auth options there.

--
Ha. too many things going on. I forgot that you posted the relevant section... and you do...

frieza 01-04-2011 05:39 PM

you mean like this?
Code:

VirtualHost *:80>
DocumentRoot "/home/user874-****/www/devel"
ServerName editortool.gotdns.org
<Directory "/home/user874-****/www/devel">
AllowOverride All
allow from all
Options +Indexes
</Directory>
</VirtualHost>


bathory 01-05-2011 12:58 AM

Hi,

Your apache config is ok. The fact that you're presented the popup dialog to enter username/password means that .htaccess works, so the problem is somewhere else. The strange thing is that there are no logs about entering invalid credentials.

So, I've just look over the whole thread and noticed the attached phpinfo() image, where I saw that you're using squid proxy to access apache.
Can you bypass squid and see if auth works. Or try to access the protected dir from the server itself (using localhost).

Regards


All times are GMT -5. The time now is 01:41 PM.