Posted to users@httpd.apache.org by Roman Medina-Heigl Hernandez <ro...@rs-labs.com> on 2009/02/24 12:58:02 UTC

[users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Hello,

I'm working on an ISP/Hosting environment and I'm having trouble figuring
out how to solve a problem which (I think) involves mixing several
modules/concepts:
- pages should be protected with basic-auth where user database should
reside on MySQL (mod_authn_dbd). The mysql table basically contains 3
fields: user, password and path
- pages should be rewritten (mod_rewrite) based on authenticated user *and*
the path associated to that user.

So for instance, accessing http://isp/stats/ should:
1.- Ask for user/pass
2.- If the user exists in MySQL table (and password is ok), the path
(associated to that user) should be retrieved from the same table. Let's
say we have user "Tom" with path "/home/Tom".
3.- Finally Apache should serve /home/Tom/stats/.

Is this achievable?


Lastly, I'm interested in docs/tutorials about how to set up a more or less
complex Apache setup useful for a hosting solution, the goals being:
1) Trying to minimize (ideally avoid) the number of restarts to Apache when
a change is made (a new domain is set up, etc).
2) Storing all the info in mysql tables.
3) Flexibility: be able to set up protected dirs for different domains,
having groups of users, etc.

I've seen some ideas like:
http://httpd.apache.org/docs/2.2/vhosts/mass.html
or
http://httpd.apache.org/docs/2.2/mod/mod_vhost_alias.html
but they are quite simple and not sufficiently flexible.

Any more advanced tutorials/documents would be appreciated.

Thank you.

Cheers,
-Roman


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Roman Medina-Heigl Hernandez <ro...@rs-labs.com>.
Eric Covener wrote:
> On Tue, Feb 24, 2009 at 7:44 AM, Krist van Besien
> <kr...@gmail.com> wrote:
>> On Tue, Feb 24, 2009 at 12:58 PM, Roman Medina-Heigl Hernandez
>> <ro...@rs-labs.com> wrote:
>>> So for instance, accessing http://isp/stats/ should:
>>> 1.- Ask for user/pass
>>> 2.- If the user exists in MySQL table (and password is ok), the path
>>> (associated to that user) should be retrieved from the same table. Let's
>>> say we have user "Tom" with path "/home/Tom".
>>> 3.- Finally Apache should serve /home/Tom/stats/.
>>>
>>> Is this achievable?
>> Achievable, but not in a trivial way. How you solve this also depends
>> on how fast this has to be. What you could do for example is
>> periodically export the user-path pairs to a DBM file, and use that as
>> a RewriteMap. That will be pretty fast, but changes to the MySQL table
>> will not reflect on your website immediately.
> 
> This is a good idea; alternatively a RewriteMap program would be lower
> performance but could look at the live data.

Hello,

I haven't tested it yet but I think I found the optimum solution.

From the authn_dbd page [http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html]:

"If httpd was built against APR version 1.3.0 or higher, any additional
column values in the first row returned by the query statement will be
stored as environment variables with names of the form AUTHENTICATE_COLUMN."

So it seems I could have an "AUTHENTICATE_PATH" envvar as result of SQL
query, and then I could use it in a rewrite rule...

I'm wondering whether the results to SQL queries are / aren't cached, both
REMOTE_USER and AUTHENTICATE_* envvars. Could somebody confirm it, please?

Cheers,
-r



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Eric Covener <co...@gmail.com>.
On Tue, Feb 24, 2009 at 7:44 AM, Krist van Besien
<kr...@gmail.com> wrote:
> On Tue, Feb 24, 2009 at 12:58 PM, Roman Medina-Heigl Hernandez
> <ro...@rs-labs.com> wrote:
>>
>> So for instance, accessing http://isp/stats/ should:
>> 1.- Ask for user/pass
>> 2.- If the user exists in MySQL table (and password is ok), the path
>> (associated to that user) should be retrieved from the same table. Let's
>> say we have user "Tom" with path "/home/Tom".
>> 3.- Finally Apache should serve /home/Tom/stats/.
>>
>> Is this achievable?
>
> Achievable, but not in a trivial way. How you solve this also depends
> on how fast this has to be. What you could do for example is
> periodically export the user-path pairs to a DBM file, and use that as
> a RewriteMap. That will be pretty fast, but changes to the MySQL table
> will not reflect on your website immediately.

This is a good idea; alternatively a RewriteMap program would be lower
performance but could look at the live data.


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Krist van Besien <kr...@gmail.com>.
On Tue, Feb 24, 2009 at 12:58 PM, Roman Medina-Heigl Hernandez
<ro...@rs-labs.com> wrote:
>
> So for instance, accessing http://isp/stats/ should:
> 1.- Ask for user/pass
> 2.- If the user exists in MySQL table (and password is ok), the path
> (associated to that user) should be retrieved from the same table. Let's
> say we have user "Tom" with path "/home/Tom".
> 3.- Finally Apache should serve /home/Tom/stats/.
>
> Is this achievable?

Achievable, but not in a trivial way. How you solve this also depends
on how fast this has to be. What you could do for example is
periodically export the user-path pairs to a DBM file, and use that as
a RewriteMap. That will be pretty fast, but changes to the MySQL table
will not reflect on your website immediately.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Eric Covener <co...@gmail.com>.
On Wed, Feb 25, 2009 at 9:56 AM, Krist van Besien
<kr...@gmail.com> wrote:
> On Wed, Feb 25, 2009 at 2:19 PM, Tom Donovan <do...@bellatlantic.net> wrote:
>>
>> It may not be possible to do what you want.  Apache locates the file to
>> serve before deciding whether to prompt for authentication.
>
> That is not entirely true. When a request comes in apache does an
> "early location walk" verifying <location> blocks before the URI to
> Filename phase (where rewriting takes place)
>
> So it should be possible if you use a <location> block.
>
> <Location /isp/stats>
>
> # Put DBM authentication arguments here
> ....
> </Location>
>
> RewriteRule   /isp/stats      /%{ENV:AUTHENTICATE_URL}

The authentication happens between the two phases where Rewrite can be
run (translate name for per-vhost, fixups during per-dir/htaccess)

You might be able to run Rewrite early but use the lookahead feature,
or wrap them in directory containers.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Roman Medina-Heigl Hernandez <ro...@rs-labs.com>.
Bob Ionescu wrote:
> 2009/5/12 Roman Medina-Heigl Hernandez <ro...@rs-labs.com>:
>> My final solution is:
>>
>>                RewriteBase /stats
>>                RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
>>                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1
>>
>>                RewriteCond $1 !^[^/]+/stats/http/
>>                RewriteRule ^/clientes/(.*) hacking_attempt [F]
>>
>>
>> The alternative (adding L) is:
>>
>>                RewriteBase /stats
>>                RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
>>                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]
>>
>>                RewriteCond $1 !^[^/]+/stats/http/
>>                RewriteRule ^/clientes/(.*) hacking_attempt [F,L]
>>
>> But I see no real difference between both solutions. Am I right?
> 
> L only makes sense to abort something below, i.e. if there's nothing,
> there's nothing to abort (F implies L btw., the substitution will be
> dropped as well). Your second rule (forbidden) never comes true if
> the first rule matched. So you could stop further (useless) processing
> with the L flag at your first rule.

Agreed.

For the record, final solution:
                RewriteBase /stats
                RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]

                RewriteCond $1 !^[^/]+/stats/http/
                RewriteRule ^/clientes/(.*) hacking_attempt [F]

Thanks a lot to all who contributed to the thread and especially to Bob!!!!

Cheers,
-Roman
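The backreference trick Bob explains further down in this thread and the trailing-slash fix Roman added, checked against the final rule set above with a small emulator (an added example, not code from the thread or from httpd). It models only what is needed here: the Alias /stats /clientes mapping, RewriteCond/RewriteRule evaluation with a negated condition, and the re-injection of a rewritten URL through the rule set; it is not mod_rewrite's full semantics, and the users and URLs are constructed samples.

```python
import re

# Constructed emulator of the thread's final per-directory rule set:
#   RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
#   RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]
#   RewriteCond $1 !^[^/]+/stats/http/
#   RewriteRule ^/clientes/(.*) hacking_attempt [F]
# Each entry: one RewriteCond (test-string template, pattern, negated?)
# guarding one RewriteRule (pattern, substitution, flag).

FIXED_COND = "%{REMOTE_USER}/<>$1"   # final version, with the trailing slash
BUGGY_COND = "%{REMOTE_USER}<>$1"    # first version, without it


def make_ruleset(user_cond_template):
    """Build the two-rule set with the chosen test string for the user check."""
    return [
        {"cond": (user_cond_template, r"^([^<]+)<>\1", True),
         "rule": (r"^/clientes/(.*)", "/stats/%{REMOTE_USER}/stats/http/$1", "L")},
        {"cond": ("$1", r"^[^/]+/stats/http/", True),
         "rule": (r"^/clientes/(.*)", "hacking_attempt", "F")},
    ]


def expand(template, remote_user, groups):
    """Expand %{REMOTE_USER} and the $N rule backreferences, as mod_rewrite does."""
    out = template.replace("%{REMOTE_USER}", remote_user)
    for i, g in enumerate(groups, 1):
        out = out.replace(f"${i}", g)
    return out


def alias(uri):
    """Model 'Alias /stats /clientes': the URL path becomes a filename under /clientes."""
    if uri == "/stats" or uri.startswith("/stats/"):
        return "/clientes" + uri[len("/stats"):]
    return uri


def run_ruleset(ruleset, remote_user, filename):
    """One pass over the rule set.

    Returns ('rewritten', new_uri), ('forbidden', filename) or ('pass', filename).
    """
    for entry in ruleset:
        rule_pat, subst, flag = entry["rule"]
        m = re.match(rule_pat, filename)
        if not m:
            continue
        groups = m.groups()
        test_tpl, cond_pat, negated = entry["cond"]
        test_string = expand(test_tpl, remote_user, groups)
        matched = re.match(cond_pat, test_string) is not None
        # A negated condition succeeds only when the pattern does NOT match.
        if matched == negated:
            continue
        if flag == "F":
            return ("forbidden", filename)
        return ("rewritten", expand(subst, remote_user, groups))  # [L]: stop this pass
    return ("pass", filename)


def resolve(ruleset, remote_user, uri, max_rounds=10):
    """Follow the rewrite / internal-redirect loop until the request settles.

    Returns ('served', filename), ('forbidden', filename) or ('loop', filename).
    """
    filename = alias(uri)
    for _ in range(max_rounds):
        status, value = run_ruleset(ruleset, remote_user, filename)
        if status != "rewritten":
            return ("served" if status == "pass" else status, filename)
        filename = alias(value)  # per-dir rewrite re-injects the new URL through Alias
    return ("loop", filename)


if __name__ == "__main__":
    # Constructed sample: authenticated user "user" requests a URL that names
    # the (constructed) user "userrrrrrr", the prefix case Roman describes.
    probe = "/stats/userrrrrrr/stats/http/index.html"
    print("without slash:", resolve(make_ruleset(BUGGY_COND), "user", probe))
    print("with slash:   ", resolve(make_ruleset(FIXED_COND), "user", probe))
    print("own stats:    ", resolve(make_ruleset(FIXED_COND), "Tom", "/stats/"))
    print("outside stats:", resolve(make_ruleset(FIXED_COND), "Tom", "/stats/Tom/other"))
```

Without the slash the test string "user<>userrrrrrr/..." satisfies the backreference and the request is served from the other user's directory; with it, the same request is rewritten into the authenticated user's own stats tree.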




Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Bob Ionescu <bo...@googlemail.com>.
2009/5/12 Roman Medina-Heigl Hernandez <ro...@rs-labs.com>:
> My final solution is:
>
>                RewriteBase /stats
>                RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
>                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1
>
>                RewriteCond $1 !^[^/]+/stats/http/
>                RewriteRule ^/clientes/(.*) hacking_attempt [F]
>
>
> The alternative (adding L) is:
>
>                RewriteBase /stats
>                RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
>                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]
>
>                RewriteCond $1 !^[^/]+/stats/http/
>                RewriteRule ^/clientes/(.*) hacking_attempt [F,L]
>
> But I see no real difference between both solutions. Am I right?

L only makes sense to abort something below, i.e. if there's nothing,
there's nothing to abort (F implies L btw., the substitution will be
dropped as well). Your second rule (forbidden) never comes true if
the first rule matched. So you could stop further (useless) processing
with the L flag at your first rule.

Bob



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Roman Medina-Heigl Hernandez <ro...@rs-labs.com>.
Bob Ionescu wrote:
> 2009/5/11 Roman Medina-Heigl Hernandez <ro...@rs-labs.com>:
>> Bob Ionescu wrote:
>>> 2009/3/2 Roman Medina-Heigl Hernandez <ro...@rs-labs.com>:
>>>> The problem is that you cannot have %{REMOTE_USER} as 2nd parameters in
>>>> RewriteCond, so I have no way for comparing it with $1
>>> -didn't read all-; but you can compare it with a regEx internal backreference.
>>>
>>> RewriteBase /stats
>>> RewriteCond %{REMOTE_USER}<>$1 !^([^<]+)<>\1
>> Could you explain that, please? I didn't know that syntax...
> 
> You're capturing a value with ^([^<]+), that is according to our test
> string the value of %{REMOTE_USER} followed by the two characters <>
> as a unique separator followed by the (previous) match of ([^<]+)
> which matches against the value of $1.
> 
> E.g. if the remote_user is foo, the regEx will match against a test string of
> foo<>foo
> 
> Just take a look at the manpage of PCRE, http://www.pcre.org/pcre.txt section
> BACK REFERENCES
>        Outside a character class, a backslash followed by a digit greater than

I knew (and have extensively used) about back references in PCRE but
thought the "<>" in RewriteCond's first arg could have a special meaning. I
didn't happen to figure out that you were simply "translating" REMOTE_USER
var to the second arg, using <> as separator. Nice trick!!!!!!

Anyway, I've fixed it a bit by adding a slash character after REMOTE_USER like
this:
RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
(in order to avoid the bypass of the rewrite when you have authenticated as
"user" and the intruder is hacking/building URLs as "userrrrrrr").

>>> RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]
>> Why did you remove PT and use L?
> 
> PT has no special effect in per-directory context (rewrite rules used
> inside <directory>/<location> containers, .htaccess files etc.). In
> fact mod_rewrite will add passthrough: to the result of your
> substitution, stop the processing of following rules in that set and
> remove passthrough: later w/o doing sthg. special. L will only stop
> the rewrite of the current set. I.e. the result is the same.

I removed [L] (is it a good practice to keep it? if not, I don't see the
need to keep it) and added additional protection so the user could only
visit the desired (stats/http) directory (in order to avoid the user
including its own username in the url and reaching other directories in its
home).

My final solution is:

                RewriteBase /stats
                RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1

                RewriteCond $1 !^[^/]+/stats/http/
                RewriteRule ^/clientes/(.*) hacking_attempt [F]


The alternative (adding L) is:

                RewriteBase /stats
                RewriteCond %{REMOTE_USER}/<>$1 !^([^<]+)<>\1
                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]

                RewriteCond $1 !^[^/]+/stats/http/
                RewriteRule ^/clientes/(.*) hacking_attempt [F,L]

But I see no real difference between both solutions. Am I right?

Cheers,
-Roman



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Bob Ionescu <bo...@googlemail.com>.
2009/5/11 Roman Medina-Heigl Hernandez <ro...@rs-labs.com>:
> Bob Ionescu wrote:
>> 2009/3/2 Roman Medina-Heigl Hernandez <ro...@rs-labs.com>:
>>> The problem is that you cannot have %{REMOTE_USER} as 2nd parameters in
>>> RewriteCond, so I have no way for comparing it with $1
>>
>> -didn't read all-; but you can compare it with a regEx internal backreference.
>>
>> RewriteBase /stats
>> RewriteCond %{REMOTE_USER}<>$1 !^([^<]+)<>\1
>
> Could you explain that, please? I didn't know that syntax...

You're capturing a value with ^([^<]+), that is according to our test
string the value of %{REMOTE_USER} followed by the two characters <>
as a unique separator followed by the (previous) match of ([^<]+)
which matches against the value of $1.

E.g. if the remote_user is foo, the regEx will match against a test string of
foo<>foo

Just take a look at the manpage of PCRE, http://www.pcre.org/pcre.txt section
BACK REFERENCES
       Outside a character class, a backslash followed by a digit greater than

>> RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]
>
> Why did you remove PT and use L?

PT has no special effect in per-directory context (rewrite rules used
inside <directory>/<location> containers, .htaccess files etc.). In
fact mod_rewrite will add passthrough: to the result of your
substitution, stop the processing of following rules in that set and
remove passthrough: later w/o doing sthg. special. L will only stop
the rewrite of the current set. I.e. the result is the same.

Bob



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Roman Medina-Heigl Hernandez <ro...@rs-labs.com>.
Bob Ionescu wrote:
> 2009/3/2 Roman Medina-Heigl Hernandez <ro...@rs-labs.com>:
>> More comments:
>> - at the beginning I tried something like:
>>               RewriteBase /stats
>>               RewriteCond $1 !^%{REMOTE_USER}/
>>               RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
>>
>> The problem is that you cannot have %{REMOTE_USER} as 2nd parameters in
>> RewriteCond, so I have no way for comparing it with $1
> 
> -didn't read all-; but you can compare it with a regEx internal backreference.
> 
> RewriteBase /stats
> RewriteCond %{REMOTE_USER}<>$1 !^([^<]+)<>\1

Could you explain that, please? I didn't know that syntax...

> RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]

Why did you remove PT and use L?

Wow!!!! I must say I'm frankly amazed, it seems it's working!! :-O  But I'd
like to understand it in depth. Please, Bob, could you explain the trick to
me? :)))))

Thank you!!!

-- 

Regards,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Bob Ionescu <bo...@googlemail.com>.
2009/3/2 Roman Medina-Heigl Hernandez <ro...@rs-labs.com>:
> More comments:
> - at the beginning I tried something like:
>               RewriteBase /stats
>               RewriteCond $1 !^%{REMOTE_USER}/
>               RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
>
> The problem is that you cannot have %{REMOTE_USER} as 2nd parameters in
> RewriteCond, so I have no way for comparing it with $1

-didn't read all-; but you can compare it with a regEx internal backreference.

RewriteBase /stats
RewriteCond %{REMOTE_USER}<>$1 !^([^<]+)<>\1
RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [L]


Bob



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Roman Medina-Heigl Hernandez <ro...@rs-labs.com>.
Sorry for reviving this thread... but I can't manage to reach the right
solution... What I'd like to solve is the security problem stated below,
which could be exploited with something like:
https://XXX/stats/USER2/stats/http/YYYY

Since I'm comparing against:
!^/clientes/[^/]+/stats/http/
This would result in the request not being rewritten at all, so authentication
would be easily bypassed with any existing user [user1, user2, user3, ...]
(when the desired behaviour should be to only let through the one where "auth
user" == "user in url"). How could I enforce that?

Perhaps there's another (secure) way to mark the request as "rewritten", so
I could check later without the need to compare against
"!^/clientes/[^/]+/stats/http/".

Please, help! :-(

Cheers,
-r


Roman Medina-Heigl Hernandez wrote:
> Hello,
> 
> I have a *partial*-working solution which I'd like to share with you. It's
> tricky (based on my own home structure) and limited, though. Feedback is
> appreciated, please!
> 
> Some comments:
> - Debian 5.0 includes ajp 1.2.12, so I cannot get the url/dir from another
> column in users' table (this functionality is for ajp 1.3+). In my case, I
> can live without it, having the following convention: username will be a
> domainname (which has sense, since I want to offer stats pages for
> different domains). For instance, stats for domain "test.com" will use the
> username "test.com".
> - I've only experimented with per-dir rewrite (the non-recommended way...),
> which has the limitation of request reinjection (so you must include
> negative rewrite rules which protect you against loops). Perhaps it may be
> improved with server rewrite.
> - The current method is not secure: an attacker knowing the internal
> homedir structure could easily craft a request bypassing the rewrite
> ruleset, being able to access other domain/user's stats. It could also be
> used to access other directories/files of other users (in my case those
> dirs are protected using OS permissions).
> - Performance is not very efficient, since I'm reinjecting requests (it
> seems unavoidable if using per-dir rewrite).
> - Stats home for domain "test.com" will be:
> /clientes/test.com/stats/http/
> which should be accessed through:
> http://isp/stats/
> 
> 
> Current config is:
> ====
> 
>         Alias /stats /clientes
> 
>         <Location /stats/>
>                 # Basic Auth
>                 AuthType Basic
>                 AuthName "Stats"
>                 AuthBasicProvider dbd
> 
>                 Require valid-user
>                 AuthDBDUserPWQuery "SELECT pass FROM stats WHERE user = %s and enabled = 1"
> 
>                 # Rewrite so that each user goes to their own stats directory
>                 RewriteEngine on
>                 RewriteBase /stats
>                 RewriteRule !^/clientes/[^/]+/stats/http/ - [C]
>                 RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
> 
> ====
> 
> More comments:
> - at the beginning I tried something like:
>                RewriteBase /stats
>                RewriteCond $1 !^%{REMOTE_USER}/
>                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]
> 
> The problem is that you cannot have %{REMOTE_USER} as the 2nd parameter in
> RewriteCond, so I have no way of comparing it with $1 (which couldn't be in
> the 2nd parameter, either). Any idea how to implement it? (i.e. test if the REMOTE_USER
> string is included in the URI path).
> 
> Cheers,
> -Roman
> 




Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Roman Medina-Heigl Hernandez <ro...@rs-labs.com>.
Hello,

I have a *partial*-working solution which I'd like to share with you. It's
tricky (based on my own home structure) and limited, though. Feedback is
appreciated, please!

Some comments:
- Debian 5.0 includes ajp 1.2.12, so I cannot get the url/dir from another
column in users' table (this functionality is for ajp 1.3+). In my case, I
can live without it, having the following convention: username will be a
domainname (which has sense, since I want to offer stats pages for
different domains). For instance, stats for domain "test.com" will use the
username "test.com".
- I've only experimented with per-dir rewrite (the non-recommended way...),
which has the limitation of request reinjection (so you must include
negative rewrite rules which protect you against loops). Perhaps it may be
improved with server rewrite.
- The current method is not secure: an attacker knowing the internal
homedir structure could easily craft a request bypassing the rewrite
ruleset, being able to access other domain/user's stats. It could also be
used to access other directories/files of other users (in my case those
dirs are protected using OS permissions).
- Performance is not very efficient, since I'm reinjecting requests (it
seems unavoidable if using per-dir rewrite).
- Stats home for domain "test.com" will be:
/clientes/test.com/stats/http/
which should be accessed through:
http://isp/stats/


Current config is:
====

        Alias /stats /clientes

        <Location /stats/>
                # Basic Auth
                AuthType Basic
                AuthName "Stats"
                AuthBasicProvider dbd

                Require valid-user
                AuthDBDUserPWQuery "SELECT pass FROM stats WHERE user = %s and enabled = 1"

                # Rewrite so that each user goes to their own stats directory
                RewriteEngine on
                RewriteBase /stats
                RewriteRule !^/clientes/[^/]+/stats/http/ - [C]
                RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]

====

More comments:
- at the beginning I tried something like:
               RewriteBase /stats
               RewriteCond $1 !^%{REMOTE_USER}/
               RewriteRule ^/clientes/(.*) /stats/%{REMOTE_USER}/stats/http/$1 [PT]

The problem is that you cannot have %{REMOTE_USER} as the 2nd parameter in
RewriteCond, so I have no way of comparing it with $1 (which couldn't be in
the 2nd parameter, either). Any idea how to implement it? (i.e. test if the REMOTE_USER
string is included in the URI path).

Cheers,
-Roman



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Roman Medina-Heigl Hernandez <ro...@rs-labs.com>.
Krist van Besien wrote:
> That is just a guess however, can't try this out myself. Note to the
> original poster: If you get this working could you post your solution
> here?

Of course, Krist. But before I could test it, I have to upgrade my Debian
vm (etch->lenny), since mod-dbd seems to be hardly broken in etch :-(. I'll
provide feedback, don't worry.

Cheers,
-r




Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Krist van Besien <kr...@gmail.com>.
On Wed, Feb 25, 2009 at 2:19 PM, Tom Donovan <do...@bellatlantic.net> wrote:
>
> It may not be possible to do what you want.  Apache locates the file to
> serve before deciding whether to prompt for authentication.

That is not entirely true. When a request comes in apache does an
"early location walk" verifying <location> blocks before the URI to
Filename phase (where rewriting takes place)

So it should be possible if you use a <location> block.

<Location /isp/stats>

# Put DBM authentication arguments here
....
</Location>

RewriteRule   /isp/stats      /%{ENV:AUTHENTICATE_URL}


That is just a guess however, can't try this out myself. Note to the
original poster: If you get this working could you post your solution
here?

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?



Re: [users@httpd] Mixing rewrite with authn_dbd: Rewriting based on path value stored in mysql table

Posted by Tom Donovan <do...@bellatlantic.net>.
Roman Medina-Heigl Hernandez wrote:
> Hello,
> 
> I'm working on an ISP/Hosting environment and I'm having trouble figuring
> out how to solve a problem which (I think) involves mixing several
> modules/concepts:
> - pages should be protected with basic-auth where user database should
> reside on MySQL (mod_authn_dbd). The mysql table basically contains 3
> fields: user, password and path
> - pages should be rewritten (mod_rewrite) based on authenticated user *and*
> the path associated to that user.
> 
> So for instance, accessing http://isp/stats/ should:
> 1.- Ask for user/pass
> 2.- If the user exists in MySQL table (and password is ok), the path
> (associated to that user) should be retrieved from the same table. Let's
> say we have user "Tom" with path "/home/Tom".
> 3.- Finally Apache should serve /home/Tom/stats/.
> 
> Is this achievable?
> 
It may not be possible to do what you want.  Apache locates the file to serve before deciding 
whether to prompt for authentication.

For example: even if authentication is required for /home - there may be "Satisfy Any" and "Allow 
from all" directives for /home/Mary.  If the "AllowOverride AuthConfig" directive is specified - 
there might be a .htaccess file in /home/Mary which prevents authentication from being needed.

In either case, access to /home/Mary doesn't require authentication, and shouldn't prompt for it.

This is why the steps are:
1.) determine the file Apache should serve
2.) decide if authentication is needed for this file, based on its directory or parent directories, 
or directives contained in <Location>, <Files>, .htaccess, etc.
3.) prompt for authentication only if it is needed

It's a catch-22 to require the results of authentication to determine which file to serve.

You might say "I don't do any of those things which prevent authentication" - but it is not easy for 
Apache to consider in advance all the possibilities that "http://isp/stats/ " might get re-written 
to, and then check that there are none of "those things" for any of them before prompting a user for 
authentication.

-tom-


