Selective Apache2.0 access control

Gibsonist · 01-26-2006, 03:08 AM

Hi,

I need to configure a dir on apache s.t. if I access it from a certain host a.b.c.d it asks a pass word, yet if I access it from the rest of the network a.b.c.0/24 it simply goes through.

Does anybody know if there is such a way and if yes, how. I would use different path but they have to be the same.

thanks

bathory · 01-26-2006, 04:45 AM

You must edit your httpd.conf and change the AlloOveride for that dir to All:
<Directory "/path/to/special/dir">
...
AllowOveride All
...
</Directory>
Then in that special dir create a .htaccess file with the following:

Code:

AuthName        "Restricted"
AuthType        Basic
AuthUserFile    /path/to/htpasswd-users
Order           allow,deny
Allow           from all
Deny            from xx.xx.xx.xx
require         user    username
Satisfy         any

Where xx.xx.xx.xx is the IP you want to ask for password authentication and username is the username for the person of that IP.
Of course you must use htpasswd to create or edit the pasword file in /path/to/htpasswd-users for the said user.

Gibsonist · 01-26-2006, 04:58 AM

Efraisto

OK so far
my problem goes a step deeper the path I need to secure is not a directory but a ScriptAlias to a cgi - running the wikis.

In that case I need to use it in a <Location ...> if I'm not mistaken
ie

Code:

<Location>
AuthName        "Restricted"
AuthType        Basic
AuthUserFile    /path/to/htpasswd-users
Order           allow,deny
Allow           from all
Deny            from xx.xx.xx.xx
require         user    username
Satisfy         any
</Location>

bathory · 01-26-2006, 05:34 AM

Well I don't know what exactly does the <Location> directive because I've never used it, but since AllowOveride does not work inside <Location></Location>, if you want to control the access to some cgi script, I guess that you can use:

Code:

AuthName        "Restricted"
AuthType        Basic
AuthUserFile    /path/to/htpasswd-users
<Limit POST PUT>
Order           allow,deny
Allow           from all
Deny            from xx.xx.xx.xx
require         user    username
Satisfy         any
</Limit>

Gibsonist · 01-26-2006, 06:11 AM

OK - I'm a bit lost now.

I got a Wikifarm, running on our intranet (a.b.c.0\24) accessible via apache and a cgi on
wikiserver.od/wikifarm/"wikiname"

the lines in apache for this are

Code:

Alias /wiki/ /srv/wiki/htdocs/

ScriptAlias /wikifarm/wiki1/ /srv/wiki/cgi-bin/wiki.cgi/
ScriptAlias /wikifarm/wiki2/ /srv/wiki/cgi-bin/wiki.cgi/

Now the wikis - or at least one - should be accessible from the web. on machine
a.b.c.d we have apache running, proxying some requests to our intranetserver where a auth is required - using PAM.

The idea is also to protect the wikis via PAM.
I know how it works for Locations and Directories, but fail to implement it for the ScriptAliases.

Maybe I also should note that we use Rewrite rather heavily both on the gatewaymachine and on the intranet server.

bathory · 01-26-2006, 06:51 AM

I'm lost too now.
Made a search and it came out this which refers to a wiki setup!!! The guy there uses ScriptAlias/Location and .htaccess normally, so I don't see what is you worry about.

Gibsonist · 01-26-2006, 08:18 AM

Thanks it works now - the rewriting also messed it up a bit.