03-18-2011, 10:45 AM
|
#1
|
Member
Registered: Mar 2004
Distribution: Mandriva 2010.0
Posts: 251
Rep:
|
Apache FilesMatch Question
I have a virtual host directory that requires authentication (AuthMySQL) but there are 2 pages that should not require authentication. Here are the directives:
Quote:
<Directory "/var/www/html/cufs">
AuthName "CUFS Alumni"
AuthType Basic
AuthMySQLUser uuuuuuuuuu
AuthMySQLPassword ppppppppp
AuthMySQLEnable on
AuthMySQLPwEncryption scrambled
AuthMySQLDB cufsalumni
AuthMySQLUserTable alumni
AuthMySQLNameField username
AuthMySQLPasswordField pwdp
<FilesMatch "^(?=index.html)(?=cufsregister.php)">
require valid-user
</FilesMatch>
</Directory>
|
Since I am not much with regex I suspect that may be my problem rather than the structure, although I'm not sure. In any case can someone give me the correct statements? TIA.
|
|
|
03-18-2011, 06:27 PM
|
#2
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,218
|
Hi,
I guess you mean that access to index.html and cufsregister.php should not require authentication, while the rest should.
If that's the case you can try this:
Code:
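<Directory "/var/www/html/cufs">
    AuthName "CUFS Alumni"
    AuthType Basic
    AuthMySQLUser uuuuuuuuuu
    AuthMySQLPassword ppppppppp
    AuthMySQLEnable on
    AuthMySQLPwEncryption scrambled
    AuthMySQLDB cufsalumni
    AuthMySQLUserTable alumni
    AuthMySQLNameField username
    AuthMySQLPasswordField pwdp
    # Everything in this directory requires a valid user ...
    require valid-user
    # ... except the two files matched here. The pattern is anchored and the
    # dots are escaped so that only these exact filenames are exempted.
    <FilesMatch "^(index\.html|cufsregister\.php)$">
        Allow from all
        Satisfy any
    </FilesMatch>
</Directory>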
Regards
|
|
|
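Added example (not part of the original posts): a Python check of which filenames a FilesMatch pattern would exempt from authentication, comparing the lookahead pattern from post #1, an unanchored alternation with unescaped dots, and an anchored, escaped alternation. The filenames are constructed, and using Python's `re.search` in place of Apache's regex engine is an assumption that holds for these simple patterns.

```python
import re

# FilesMatch tests its regex against the file's name (not the full path) and,
# like re.search, matches anywhere in the name unless the pattern is anchored.
PATTERNS = {
    "lookahead": r"^(?=index.html)(?=cufsregister.php)",
    "unanchored": r"(index.html|cufsregister.php)",
    "anchored": r"^(index\.html|cufsregister\.php)$",
}

# Constructed filenames: the two pages meant to be public ...
INTENDED = ["index.html", "cufsregister.php"]
# ... and names that are meant to stay behind authentication.
PROTECTED = [
    "members.php",
    "index.html.bak",
    "old-index.html",
    "admin_index_html.php",   # an unescaped "." also matches "_"
    "cufsregister.php.orig",
]


def exempted(pattern, names):
    """Names the pattern matches, i.e. files served without a login."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def audit(pattern):
    """Return (public pages still prompting, protected files left open)."""
    public = exempted(pattern, INTENDED)
    missed = [n for n in INTENDED if n not in public]
    leaked = exempted(pattern, PROTECTED)
    return missed, leaked


if __name__ == "__main__":
    for label, pattern in PATTERNS.items():
        missed, leaked = audit(pattern)
        print(f"{label:10} missed={missed} leaked={leaked}")
```

The two lookaheads in the first pattern both apply at the start of the name, so it can never match; the unanchored alternation matches any name that merely contains one of the two strings.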
03-18-2011, 06:48 PM
|
#3
|
Member
Registered: Mar 2004
Distribution: Mandriva 2010.0
Posts: 251
Original Poster
Rep:
|
Thanks for the reply. That creates some odd behavior. If I do not put index.html in the URL (let it default) the authentication prompt is displayed (it shouldn't). If I put index.html into the URL that page is displayed (it should) but when I click the login link, no prompt is displayed and all pages are available without authentication. However, if I put some other page in the URL, the prompt does appear before allowing access.
|
|
|
03-18-2011, 08:56 PM
|
#4
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,218
|
Huh, the only thing I can think of is to use mod_rewrite, in addition to the above, to rewrite the request. You must rename /var/www/html/cufs to /var/www/html/cufs2 and leave the /cufs URI for the rewrite (assuming that /var/www/html is the docroot):
Code:
<Directory /var/www/html>
    --snip--
    RewriteEngine On
    RewriteRule ^cufs(.*) /cuf2/$1
</Directory>
<Directory "/var/www/html/cufs2">
    AuthName "CUFS Alumni"
    AuthType Basic
    AuthMySQLUser uuuuuuuuuu
    AuthMySQLPassword ppppppppp
    AuthMySQLEnable on
    AuthMySQLPwEncryption scrambled
    AuthMySQLDB cufsalumni
    AuthMySQLUserTable alumni
    AuthMySQLNameField username
    AuthMySQLPasswordField pwdp
    require valid-user
    # Each alternative is anchored and the dots are escaped so that only
    # these exact filenames (or an empty filename) are exempted.
    <FilesMatch "(^$|^index\.html$|^cufsregister\.php$)">
        Allow from all
        Satisfy any
    </FilesMatch>
</Directory>
Note the addition in red needed to match a request without filename
|
|
|
03-18-2011, 09:10 PM
|
#5
|
Member
Registered: Mar 2004
Distribution: Mandriva 2010.0
Posts: 251
Original Poster
Rep:
|
Thanks again. I'm not sure this is closer but it is different. Now it behaves the same way with or without index.html in the URL. Once that page is displayed, full access is available without authentication. Any other page in the URL results in the prompt. It is behaving as if once it gets through the FilesMatch directive it thinks the user has authenticated.
|
|
|
03-19-2011, 05:41 AM
|
#6
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,218
|
Are you sure it's not your browser? Once authenticated, it keeps auth credentials as long as a session lasts.
You need to close it and open it again to start a new session.
|
|
|
03-19-2011, 09:35 AM
|
#7
|
Member
Registered: Mar 2004
Distribution: Mandriva 2010.0
Posts: 251
Original Poster
Rep:
|
Quote:
Originally Posted by bathory
Are you sure it's not your browser?
|
Yes, I'm sure.
Quote:
Originally Posted by bathory
Once authenticated, it keeps auth credentials as long as a session lasts.
You need to close it and open it again to start a new session.
|
Or clear active logins in the browser. Note that previously when I hit cancel on the prompt, I am clearly not logged in. However, if I then manually entered index.html it allowed full access with no prompt. Since your change I get the log in page no matter what (which is correct) and have full access (which is a security violation). Even more interestingly, now if I then (still not logged in) manually enter one of the "restricted" pages in the URL, even though I have already displayed it, I get the prompt. Another thought, all my links are relative. Do I have to change, at least the one on the log in page to absolute (that will be a pain since the referrer could be a different domain)?
Last edited by gw1500se; 03-19-2011 at 09:39 AM.
|
|
|
03-19-2011, 11:20 AM
|
#8
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,218
|
Hi,
I'm doing my tests from CLI with lynx and it works as expected. But I have the same behavior when testing from firefox.
I cannot tell what's wrong with your way of testing.
Another thing you can do is to reorganize your pages. Put the 2 pages under /var/www/html/cufs and create a subdir /var/www/html/cufs/cufs-auth for the rest of the stuff that you want your users to authenticate for (and put the auth directives in a <Directory /var/www/html/cufs/cufs-auth> stanza).
|
|
|
03-19-2011, 04:37 PM
|
#9
|
Member
Registered: Mar 2004
Distribution: Mandriva 2010.0
Posts: 251
Original Poster
Rep:
|
Thanks. It sounds like that might be the easiest thing to do at this point. However, I would think it should work the other way too but probably not worth pursuing.
|
|
|
03-19-2011, 07:31 PM
|
#10
|
LQ Guru
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,218
|
Hi,
Just realized that I have a typo in the RewriteRule. I guess you should have noticed it because it should give a 404 error. I missed an "s" in the rewritten URI (instead of "RewriteRule ^cufs(.*) /cufs2/$1", I used "RewriteRule ^cufs(.*) /cuf2/$1").
Anyway, here is another approach: I've added an extra RewriteCond to check before rewriting and changed the rule slightly.
Code:
<Directory /var/www/html>
    --snip--
    RewriteEngine on
    # Skip requests that already point at /cufs2 so the rule does not loop.
    RewriteCond %{REQUEST_URI} !^/cufs2
    RewriteRule cufs([^/]*)(.*) /cufs2/$2
</Directory>
<Directory /var/www/html/cufs2>
    AuthName "CUFS Alumni"
    AuthType Basic
    AuthMySQLUser uuuuuuuuuu
    AuthMySQLPassword ppppppppp
    AuthMySQLEnable on
    AuthMySQLPwEncryption scrambled
    AuthMySQLDB cufsalumni
    AuthMySQLUserTable alumni
    AuthMySQLNameField username
    AuthMySQLPasswordField pwdp
    require valid-user
    # Each alternative is anchored and the dots are escaped so that only
    # these exact filenames (or an empty filename) are exempted.
    <FilesMatch "(^$|^index\.html$|^cufsregister\.php$)">
        Allow from all
        Satisfy any
    </FilesMatch>
</Directory>
|
|
|
03-19-2011, 07:55 PM
|
#11
|
Member
Registered: Mar 2004
Distribution: Mandriva 2010.0
Posts: 251
Original Poster
Rep:
|
Thanks. I already had it working. However, I discovered something in the process that might be related. After moving all but two of the files into a sub-directory and making the appropriate changes in the Apache config files, I was surprised to find it didn't help and actually made it worse. No matter what I put in the URL, full access to the pages was available without authentication. While I was scratching my head over that I noticed that the pages also were not secure (https). Then I remembered that I created a rewrite rule in .htaccess to force SSL on those pages. I forgot to move that file into the sub-directory. As soon as I did that, everything started working correctly. I don't understand how that file affected authentication but it obviously was a problem and perhaps was somehow THE problem.
|
|
|