Posted to users@httpd.apache.org by Robert Andersson <ro...@profundis.nu> on 2004/08/24 11:23:30 UTC

[users@httpd] Custom authorization of static content

This is a problem that has bothered me for a good while, let me see if I can
explain it.

A site uses e.g. PHP to do authentication. It is then easy to authorize users
when generating PHP-pages. However, normal static files are not as easy to
protect under the same system. Yet, I need to figure out a generic way to do
this.

I don't want to pass all requests through a PHP-script that delivers the
static files; it would be hell to make it support as much as Apache supports
natively. All that should be needed is that Apache runs a little script to
decide whether or not to allow access.

I have tried a few mod_rewrite solutions. I thought I could do it by using a
condition that made a sub-request to a PHP-script that performed
authorization and returned HTTP codes to indicate success or not, but it
didn't work out well; I think the condition didn't care about the HTTP code
returned.

I don't have the code I used, and my mod_rewrite skills have declined during
summer, but I tried something like this:

    RewriteCond %{REQUEST_URI} ^/protected/
    RewriteCond /authorize.php !-F
    RewriteRule .* /access_forbidden.php [L]

According to docs and code, the -F (or -U) switch should only be successful
if the subrequest results in a 200 code, but it didn't seem to matter what
code I had the "authorize.php"-script return in the status line.

I would really appreciate any ideas how this can be achieved. Thanks.

Regards,
Robert Andersson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
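
An added example, not part of the thread: one way to have Apache run a small decision script for static files is mod_rewrite's `RewriteMap prg:` external program, used here in place of the `-F` subrequest test from the post above. The map name `authz`, the script path, the `sid` cookie and its HMAC token format are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Decision program for mod_rewrite's "RewriteMap prg:" (added example).

Assumed server/vhost configuration (map name and path are hypothetical):

    RewriteEngine On
    RewriteMap  authz prg:/usr/local/bin/authz.py
    RewriteCond %{REQUEST_URI} ^/protected/
    RewriteCond ${authz:%{HTTP_COOKIE}} !=allow
    RewriteRule .* - [F]

Assumed cookie set by the PHP login code: sid=<user>.<expiry>.<hex HMAC>
"""
import hashlib
import hmac
import sys
import time

SECRET = b"constructed-demo-secret"  # assumption: shared with the login code

def mac_for(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def sign(user, expiry):
    """Cookie value the login code would issue (used here for testing)."""
    payload = f"{user}.{expiry}"
    return f"{payload}.{mac_for(payload)}"

def decide(cookie_header, now=None):
    """Return 'allow' only for a correctly signed, unexpired sid cookie."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != "sid":
            continue
        payload, _, mac = value.rpartition(".")
        user, _, expiry = payload.partition(".")
        # Check the MAC first so unsigned input is never parsed further.
        if (hmac.compare_digest(mac.encode(), mac_for(payload).encode())
                and user and expiry.isdigit() and int(expiry) > now):
            return "allow"
    return "deny"  # fail closed: missing, malformed, expired or forged

if __name__ == "__main__":
    # httpd writes one lookup key per line and waits for one line back.
    for raw in sys.stdin.buffer:
        line = raw.decode("latin-1").rstrip("\r\n")
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()
```

httpd starts a `prg:` map program once, at server startup, and by default it runs as the user that started httpd, so the script should stay small and must answer every line it is sent. Because the rule denies on anything other than `allow`, a failed lookup also ends in the standard 403 error document.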


Re: [users@httpd] Custom authorization of static content

Posted by Robert Andersson <ro...@profundis.nu>.
Jeroen van Meeuwen wrote:
> <Directory "/data/">
>     Order Allow,Deny
>     Allow from All
>      <IfModule mod_php5.c>
>          php_value auto_prepend_file "/home/kanarip/public_html/auth.php"
>      </IfModule>
> </Directory>
>
> ...snip...
>
> This works excellently on httpd-2.0.50 with PHP 5.0.0
>
> Let me know if it works for you :)

No, it does not work as required. If I request a PHP-file in that directory,
it works (as expected). If I request a plain .html it does not invoke the
"auth.php"-script, so it does not work (also as I expected).

As far as I know Apache internals, this makes perfect sense, as PHP won't
handle the static file (unless I totally mess up MIME-types and handlers).

Regards,
Robert Andersson




RE: [users@httpd] Custom authorization of static content

Posted by Jeroen van Meeuwen <ka...@pczone-clan.nl>.
Here's an example:

My httpd.conf says:

<VirtualHost *:80>
    ServerAdmin webmaster@pczone-clan.nl
    DocumentRoot /home/kanarip/public_html/
    Alias /data /data/
    ServerName www.apache.lan
</VirtualHost>

<Directory "/data/">
    Order Allow,Deny
    Allow from All
     <IfModule mod_php5.c>
         php_value auto_prepend_file "/home/kanarip/public_html/auth.php"
     </IfModule>
</Directory>

The contents of auth.php:

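<?php
	// Allow only the one permitted client address; everyone else gets a 403.
	if ( $_SERVER["REMOTE_ADDR"] != '131.211.232.203' )
	{
		// Set the real response status line ("Status:" is a CGI header).
		header("HTTP/1.1 403 Forbidden");
		die;
	}
	// Otherwise fall through: the requested PHP script runs as usual.
?>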

This works excellently on httpd-2.0.50 with PHP 5.0.0

Let me know if it works for you :)

Kind regards,

kanarip

> -----Original Message-----
> From: Robert Andersson [mailto:robert@profundis.nu] 
> Sent: Tuesday 24 August 2004 14:23
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Custom authorization of static content
> 
> Jeroen van Meeuwen wrote:
> > Anyway, I think I have a solution:
> >
> > From within your VirtualHost or Directory directive, you might
> > specify:
> >
> > <IfModule mod_php5.c>
> > php_value auto_prepend_file "/some/directory/to/your/I-really-need-this-authentication.php"
> > </IfModule>
> >
> > This file is parsed and executed, and so might check whether a user is
> > authenticated.
> 
> Hmm... from what I gather from the docs, it is only parsed 
> and executed when a document affected by the directive is 
> parsed by PHP. I could be wrong, though.
> 
> As stated, the problem is mainly static contents (images, 
> PDF-files etc) that I wish to keep static, yet have custom 
> code executed in the authorization stage of the request. In 
> such way, that if the custom code "returned" 403, my standard 
> 403 error document would be served.
> 
> Regards,
> Robert Andersson
> 
> 


Re: [users@httpd] Custom authorization of static content

Posted by Robert Andersson <ro...@profundis.nu>.
Jeroen van Meeuwen wrote:
> Anyway, I think I have a solution:
>
> From within your VirtualHost or Directory directive, you might
> specify:
>
> <IfModule mod_php5.c>
> php_value auto_prepend_file "/some/directory/to/your/I-really-need-this-authentication.php"
> </IfModule>
>
> This file is parsed and executed, and so might check whether a user
> is authenticated.

Hmm... from what I gather from the docs, it is only parsed and executed when
a document affected by the directive is parsed by PHP. I could be wrong,
though.

As stated, the problem is mainly static contents (images, PDF-files etc)
that I wish to keep static, yet have custom code executed in the
authorization stage of the request. In such way, that if the custom code
"returned" 403, my standard 403 error document would be served.

Regards,
Robert Andersson




RE: [users@httpd] Custom authorization of static content

Posted by Jeroen van Meeuwen <ka...@pczone-clan.nl>.
Well, your version is important to me, since my knowledge doesn't apply to
all versions :)

Anyway, I think I have a solution:

From within your VirtualHost or Directory directive, you might specify:

<IfModule mod_php5.c>
	php_value auto_prepend_file "/some/directory/to/your/I-really-need-this-authentication.php"
</IfModule>

This file is parsed and executed, and so might check whether a user is
authenticated.

Kind regards,

kanarip

> -----Original Message-----
> From: Robert Andersson [mailto:robert@profundis.nu] 
> Sent: Tuesday 24 August 2004 13:31
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Custom authorization of static content
> 
> Jeroen van Meeuwen wrote:
> > Have you tried to use .htaccess or SSL?
> 
> Well, yes, many times. SSL is not applicable when 
> authorizing. If you by ".htaccess" mean Basic Authentication, 
> the problem is that I need session management and other 
> features not possible with BA.
> 
> I currently have a few sites that use a mix of Basic 
> Authentication and "dynamic" session management. However, due 
> to recent Internet Explorer security fixes it doesn't work 
> very well anymore, and it was never a good solution anyway.
> 
> I have (or can make) an auth system that works as I need on 
> dynamic content, but I need a method of protecting static 
> content through the same custom auth mechanism.
> 
> > What version of Apache/httpd are you running?
> 
> Apache 2.0.50, but I'm not looking for a solution for a 
> specific version, hence I didn't mention it.
> 
> Regards,
> Robert Andersson
> 
> 


Re: [users@httpd] Custom authorization of static content

Posted by Robert Andersson <ro...@profundis.nu>.
Jeroen van Meeuwen wrote:
> Have you tried to use .htaccess or SSL?

Well, yes, many times. SSL is not applicable when authorizing. If you by
".htaccess" mean Basic Authentication, the problem is that I need session
management and other features not possible with BA.

I currently have a few sites that use a mix of Basic Authentication and
"dynamic" session management. However, due to recent Internet Explorer
security fixes it doesn't work very well anymore, and it was never a good
solution anyway.

I have (or can make) an auth system that works as I need on dynamic content,
but I need a method of protecting static content through the same custom
auth mechanism.

> What version of Apache/httpd are you running?

Apache 2.0.50, but I'm not looking for a solution for a specific version,
hence I didn't mention it.

Regards,
Robert Andersson




RE: [users@httpd] Custom authorization of static content

Posted by Jeroen van Meeuwen <ka...@pczone-clan.nl>.
Have you tried to use .htaccess or SSL?

What version of Apache/httpd are you running? 

> -----Original Message-----
> From: Robert Andersson [mailto:robert@profundis.nu] 
> Sent: Tuesday 24 August 2004 11:24
> To: Apache User-List
> Subject: [users@httpd] Custom authorization of static content
> 
> This is a problem that has bothered me for a good while, let 
> me see if I can explain it.
> 
> A site uses e.g. PHP to do authentication. It is then easy to 
> authorize users when generating PHP-pages. However, normal 
> static files are not as easy to protect under the same 
> system. Yet, I need to figure out a generic way to do this.
> 
> I don't want to pass all requests through a PHP-script that 
> delivers the static files; it would be hell to make it 
> support as much as Apache supports natively. All that should 
> be needed is that Apache runs a little script to decide 
> whether or not to allow access.
> 
> I have tried a few mod_rewrite solutions. I thought I could 
> do it by using a condition that made a sub-request to a 
> PHP-script that performed authorization and returned HTTP 
> codes to indicate success or not, but it didn't work out 
> well; I think the condition didn't care about the HTTP code returned.
> 
> I don't have the code I used, and my mod_rewrite skills have 
> declined during summer, but I tried something like this:
> 
>     RewriteCond %{REQUEST_URI} ^/protected/
>     RewriteCond /authorize.php !-F
>     RewriteRule .* /access_forbidden.php [L]
> 
> According to docs and code, the -F (or -U) switch should only 
> be successful if the subrequest results in a 200 code, but it 
> didn't seem to matter what code I had the 
> "authorize.php"-script return in the status line.
> 
> I would really appreciate any ideas how this can be achieved. Thanks.
> 
> Regards,
> Robert Andersson
> 
> 