Posted to users@httpd.apache.org by Bart Jansen <ba...@esac.climbing.nl> on 2011/09/06 13:32:41 UTC

[users@httpd] How to check for REMOTE_USER using mod_auth_mysql

Hi,

I am having some problems with my apache VirtualHost configuration and 
hopefully somebody can help me out.

System:
- Apache/2.2.9 (Debian)
- We use mod_auth_mysql for user authentication.
- most requests are passed to Zope application framework
- requests to /docs/ are mapped to the file system /var/www/sub (as an 
example)

We serve multiple subdomains using a name based virtual hosting 
configuration. For file uploads I would like to use the PUT request 
method (using javascript XMLHttpRequest) using mod_dav to write directly 
to the file system (no high memory usage when uploading gigabytes). This 
is working OK, no problems there.

However I would like to prevent (as a server administrator) anonymous 
users from being able to upload files this way. Because webmasters of 
subdomains have access to .htaccess files, and they must be allowed to 
override any require valid-user rules, just adding
 > <Limit PUT>require valid-user</Limit>
is not enough. I want to prevent local webmasters from accidentally 
creating a security issue.

My approach to limit the access to the PUT request to authenticated 
users was to add the following rewrite rules to the <VirtualHost>:
 > # set response header for debugging purposes
 > RewriteRule . - [E=RU:%{REMOTE_USER}]
 > Header add X_my_userss %{RU}e
 > # check if user is not authenticated and method == PUT, then forbid request
 > RewriteCond %{LA-U:REMOTE_USER} ^$
 > RewriteCond %{REQUEST_METHOD} =PUT
 > RewriteRule ^/(.*) - [F]

But the REMOTE_USER variable seems to be "(null)" at every request (have 
checked this by adding a custom header with this value to the response), 
although HTTP Basic Authentication headers are provided by the browser, 
and the user is granted access to restricted resources. Also for 
anonymous access this variable is "(null)".

I have tried this code inside the VirtualHost directive directly, but 
also inside the <Directory> context inside this VirtualHost. Both to no 
avail. Also have tried using %{REMOTE_USER} instead of %{LA-U:REMOTE_USER}.

I think that maybe this problem is caused by the usage of 
mod_auth_mysql? Does that not allow for look-ahead REMOTE_USER checks?

A somewhat simplified version of the VirtualHost can be found below.

===============================================
<VirtualHost *:443>
         ServerName sub.example.com
         ServerAlias www.sub.example.com

         DocumentRoot /var/www/sub
         <Directory /var/www/sub/>
                 Options -Indexes +FollowSymLinks +MultiViews
                 DirectorySlash On
                 AllowOverride All
                 Order allow,deny
                 Allow from all
                 AuthName "Zope"
                 AuthType Basic
                 AuthUserFile /dev/null
                 AuthBasicAuthoritative Off
                 Require valid-user

                 AuthMYSQL on
                 AuthMySQL_Authoritative on
                 AuthMySQL_Empty_Passwords off
                 AuthMySQL_DB **
                 AuthMySQL_Password_Table **
                 AuthMySQL_Username_Field **
                 AuthMySQL_Password_Field **
                 AuthMySQL_Group_Table **
                 AuthMySQL_Group_Field **
                 AuthMySQL_Encryption_Types **
         </Directory>

         SSLEngine on

         RewriteEngine on

         # download files from apache in the 'docs' directory
         RewriteRule ^/docs/(.*) /var/www/sub/$1 [L]

         # pass requests to Zope
         RewriteRule ^/(.*) http://localhost:%{ZOPE_PORT}/VirtualHostBase/https/sub.example.com:443/sub/VirtualHostRoot/$1 [L,P]
</VirtualHost>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How to check for REMOTE_USER using mod_auth_mysql

Posted by Bart Jansen <ba...@esac.climbing.nl>.
Frank, thanks for your help. I will look into mod_authn_dbd.

Regards,
Bart

PS. My first mail was a bit blunt (my name wasn't even there), but the 
mail got accidentally sent before it was finished and I did not want to 
spam the list again.

On 06-09-11 16:12, Frank Gingras wrote:
>
>
> On 09/06/2011 07:32 AM, Bart Jansen wrote:
>> Hi,
>>
>> I am having some problems with my apache VirtualHost configuration and
>> hopefully somebody can help me out.
>>
>> System:
>> - Apache/2.2.9 (Debian)
>> - We use mod_auth_mysql for user authentication.
>> - most requests are passed to Zope application framework
>> - requests to /docs/ are mapped to the file system /var/www/sub (as an
>> example)
>>
>> We serve multiple subdomains using a name based virtual hosting
>> configuration. For file uploads I would like to use the PUT request
>> method (using javascript XMLHttpRequest) using mod_dav to write directly
>> to the file system (no high memory usage when uploading gigabytes). This
>> is working OK, no problems there.
>>
>> However I would like to prevent (as a server administrator) anonymous
>> users to be able to upload files this way. Because webmasters of
>> subdomains have access to .htaccess files, and they must be allowed to
>> override any require valid-user rules, just adding
>> > <Limit PUT>require valid-user</Limit>
>> is not enough. I want to prevent local webmasters from accidentally
>> creating a security issue.
>>
>> My approach to limit the access to the PUT request to authenticated
>> users was to add the following rewrite rules to the <VirtualHost>:
>> > # set response header for debugging purposes
>> > RewriteRule . - [E=RU:%{REMOTE_USER}]
>> > Header add X_my_userss %{RU}e
>> > # check if user is not authenticated and method == PUT, then forbid
>> request
>> > RewriteCond %{LA-U:REMOTE_USER} ^$
>> > RewriteCond %{REQUEST_METHOD} =PUT
>> > RewriteRule ^/(.*) - [F]
>>
>> But the REMOTE_USER variable seems to be "(null)" at every request (have
>> checked this by adding a custom header with this value to the response),
>> although HTTP Basic Authentication headers are provided by the browser,
>> and the user is granted access to restricted resources. Also for
>> anonymous access this variable is "(null)".
>>
>> I have tried this code inside the VirtualHost directive directly, but
>> also inside the <Directory> context inside this VirtualHost. Both to no
>> avail. Also have tried using %{REMOTE_USER} instead of
>> %{LA-U:REMOTE_USER}.
>>
>> I think that maybe this problem is caused by the usage of
>> mod_auth_mysql? Does that not allow for look-ahead REMOTE_USER checks?
>>
>> A somewhat simplified version of the VirtualHost can be found below.
>>
>> ===============================================
>> <VirtualHost *:443>
>> ServerName sub.example.com
>> ServerAlias www.sub.example.com
>>
>> DocumentRoot /var/www/sub
>> <Directory /var/www/sub/>
>> Options -Indexes +FollowSymLinks +MultiViews
>> DirectorySlash On
>> AllowOverride All
>> Order allow,deny
>> Allow from all
>> AuthName "Zope"
>> AuthType Basic
>> AuthUserFile /dev/null
>> AuthBasicAuthoritative Off
>> Require valid-user
>>
>> AuthMYSQL on
>> AuthMySQL_Authoritative on
>> AuthMySQL_Empty_Passwords off
>> AuthMySQL_DB **
>> AuthMySQL_Password_Table **
>> AuthMySQL_Username_Field **
>> AuthMySQL_Password_Field **
>> AuthMySQL_Group_Table **
>> AuthMySQL_Group_Field **
>> AuthMySQL_Encryption_Types **
>> </Directory>
>>
>> SSLEngine on
>>
>> RewriteEngine on
>>
>> # download files from apache in the 'docs' directory
>> RewriteRule ^/docs/(.*) /var/www/sub/$1 [L]
>>
>> # pass requests to Zope
>> RewriteRule ^/(.*)
>> http://localhost:%{ZOPE_PORT}/VirtualHostBase/https/sub.example.com:443/sub/VirtualHostRoot/$1
>>
>> [L,P]
>> </VirtualHost>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> You should use mod_authn_dbd instead:
>
> http://httpd.apache.org/docs/current/mod/mod_authn_dbd.html
>
> mod_auth_mysql has been dead for quite some time.
>
> Frank
>


Re: [users@httpd] How to check for REMOTE_USER using mod_auth_mysql

Posted by Frank Gingras <fr...@gmail.com>.

On 09/06/2011 07:32 AM, Bart Jansen wrote:
> [...]

You should use mod_authn_dbd instead:

http://httpd.apache.org/docs/current/mod/mod_authn_dbd.html

mod_auth_mysql has been dead for quite some time.

Frank
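As an added example (not part of the thread, and not the original poster's or Frank's configuration), here is the <VirtualHost> from the first post reworked along the lines Frank suggests: mod_auth_mysql is replaced by mod_dbd + mod_authn_dbd, and the "PUT needs an authenticated user" rule is expressed with the authorization machinery instead of mod_rewrite. Per-server RewriteRules run at URI translation time, before the authentication hooks, so %{REMOTE_USER} is not populated there; a <Location> section, on the other hand, is merged after <Directory> and .htaccess, so a Require placed in it cannot be relaxed by a subdomain webmaster's .htaccess. Database name, table and column names, the DB user, the password and the Zope port (8080) are hypothetical placeholders; the module paths are the usual Debian ones.

```apache
# Added example, not from the original post. Hypothetical values:
# database "webauth", table "users" with columns "username"/"password",
# DB user "httpd", Zope listening on localhost:8080.
LoadModule dbd_module        /usr/lib/apache2/modules/mod_dbd.so
LoadModule authn_dbd_module  /usr/lib/apache2/modules/mod_authn_dbd.so

# Connection pool shared by all vhosts. On Debian the MySQL driver comes
# from the libaprutil1-dbd-mysql package.
DBDriver   mysql
DBDParams  "host=localhost dbname=webauth user=httpd pass=CHANGE-ME"
DBDMin     2
DBDKeep    4
DBDMax     10
DBDExptime 300

<VirtualHost *:443>
        ServerName sub.example.com
        ServerAlias www.sub.example.com
        SSLEngine on

        DocumentRoot /var/www/sub
        <Directory /var/www/sub/>
                Options -Indexes +FollowSymLinks +MultiViews
                DirectorySlash On
                AllowOverride All
                Order allow,deny
                Allow from all
        </Directory>

        # Authentication against the database. mod_authn_dbd expects the
        # password column to hold htpasswd-style hashes (crypt, $apr1$ MD5
        # or {SHA}); there is no equivalent of AuthMySQL_Encryption_Types,
        # so existing rows may need re-hashing when migrating.
        <Location />
                AuthType Basic
                AuthName "Zope"
                AuthBasicProvider dbd
                AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"

                # Only PUT is restricted here; other methods keep whatever
                # the webmaster configures in .htaccess. Because <Location>
                # is merged after <Directory>/.htaccess, this Require wins
                # even if .htaccess tries to remove it.
                <Limit PUT>
                        Require valid-user
                </Limit>
        </Location>

        RewriteEngine on

        # download files from apache in the 'docs' directory
        RewriteRule ^/docs/(.*) /var/www/sub/$1 [L]

        # pass everything else to Zope (port 8080 is assumed here)
        RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/https/sub.example.com:443/sub/VirtualHostRoot/$1 [L,P]
</VirtualHost>
```

To check the guard, run `apache2ctl -t` after the change, then try an anonymous upload with `curl -k -X PUT --data-binary @somefile https://sub.example.com/docs/somefile`: it should return 401 with a `WWW-Authenticate: Basic realm="Zope"` header, while the same request with `-u user:password` and a valid row in the users table should succeed. A GET to the same path from an anonymous client should still behave as before the change, since the Require only applies inside <Limit PUT>.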
