Posted to users@httpd.apache.org by Steve Swift <st...@gmail.com> on 2006/08/05 11:25:43 UTC

[users@httpd] Protecting certain cgi-bin subdirectories

I'm using Apache 2.0.46 and I want to password protect all of the
subdirectories below cgi-bin.  This is easy, with:

<DirectoryMatch /var/www/cgi-bin/.*/>
 Require valid-user
</DirectoryMatch>

This works fine, you need a userid, any userid, to get into the
subdirectories.

 

Now, I'd like to be more selective about who gets into the /admin
subdirectory, so I add:

<Directory /var/www/cgi-bin/admin>
 Require user Swifty
</Directory>

 

This second step had no effect.  I could still fetch pages from
/var/www/cgi-bin/admin with any valid user.

 

The only way that I found to get this working was to change the original
DirectoryMatch to somehow exclude the /admin directory:

<DirectoryMatch /var/www/cgi-bin/[^a].*/>

This works, and "Swifty" is the only user who can get into /cgi-bin/admin/
but now all of the other subdirectories starting with "a" are not protected
at all.

I can work around this by getting cleverer with the pattern in the
<DirectoryMatch> but I'd rather not.

 

Can someone explain to me why my original <Directory> statement had no
effect, please? 

Better still, can anyone propose an elegant solution to this?

 

I'm reasonably sure that I had this setup working at one point, with just
the first two statements above as they stand, but it may be that I never
verified the restriction on the /cgi-bin/admin directory.

 

Steve Swift

http://www.swiftys.org.uk

 


RE: [users@httpd] Protecting certain cgi-bin subdirectories

Posted by Steve Swift <st...@gmail.com>.
> Try converting BOTH sections to <Directorymatch> (even though the
> second one will be a trivial regex).  Then the order of processing
> will be controlled by the order of listing in the config file.

I tried that, in both orders, but without success. I checked that the
DirectoryMatch for the cgi-bin/admin subdirectory was working by having it
alone. Then I added a DirectoryMatch for "/var/www/cgi-bin/.*/" - this
turned ON password prompting for the subdirectories of cgi-bin but it also
overrode the "require user" statement for "/var/www/cgi-bin/admin".
I tried both orders as well. 

Then I tinkered around a bit more, and stumbled on the solution:
# Password protect subdirectories of cgi-*
<Directory /var/www/cgi-*/*/*>
 Require valid-user
</Directory>
# Allow only Swifty into cgi-bin/admin
<Directorymatch /var/www/cgi-(bin|test)/admin>
 Require user Swifty
</Directorymatch>

I'm wildcarding the cgi-bin directory, because I have two virtual hosts, one
uses cgi-bin and the other uses cgi-test.

The above configuration achieves my objectives, but I have no idea at all
how <Directory /var/www/cgi-*/*/*> manages to turn on password prompting for
subdirectories of cgi-bin. It is almost as though the "Directory" directive
is matching the fully-qualified filename rather than the directory.
It matches /var/www/cgi-bin/users/test - but the directory name is
/var/www/cgi-bin/users - the "test" part is the filename of my test script.

Oh, well. It's working. I can leave worrying about why for another day.

Thank you for giving me the will to persist until I found an answer!

Steve Swift
http://www.swiftys.org.uk



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Protecting certain cgi-bin subdirectories

Posted by Joshua Slive <jo...@slive.ca>.
On 8/5/06, Steve Swift <st...@gmail.com> wrote:
> > You need to read:
> > http://httpd.apache.org/docs/2.2/sections.html
> I've read that section and also the section on the order in which the
> directives are applied, but what I'm seeing doesn't seem to match the
> documentation, in my opinion.
>
> > You'll find that <Directory> automatically protects subdirectories, so you
> > don't need that <DirectoryMatch> complication.  You'll also find that the
> > order of processing is important.
> I perhaps hadn't made clear what it was that I'm after:
> /cgi-bin                - open without password protection
> /cgi-bin/admin  - password protected; only user "Swifty"
> /cgi-bin/anyotherdir - password protected; any user
> This seems to require at least one wildcard so that the subdirectories are
> protected without the cgi-bin directory being protected.  I couldn't find a
> way to achieve this with the <Directory> statement. I tried:

Right, I didn't understand that.

Try converting BOTH sections to <Directorymatch> (even though the
second one will be a trivial regex).  Then the order of processing
will be controlled by the order of listing in the config file.

Joshua.



RE: [users@httpd] Protecting certain cgi-bin subdirectories

Posted by Steve Swift <st...@gmail.com>.
> You need to read:
> http://httpd.apache.org/docs/2.2/sections.html
I've read that section and also the section on the order in which the
directives are applied, but what I'm seeing doesn't seem to match the
documentation, in my opinion.

> You'll find that <Directory> automatically protects subdirectories, so you
> don't need that <DirectoryMatch> complication.  You'll also find that the
> order of processing is important.
I perhaps hadn't made clear what it was that I'm after:
/cgi-bin             - open without password protection
/cgi-bin/admin       - password protected; only user "Swifty"
/cgi-bin/anyotherdir - password protected; any user
This seems to require at least one wildcard so that the subdirectories are
protected without the cgi-bin directory being protected.  I couldn't find a
way to achieve this with the <Directory> statement. I tried:

<Directory /var/www/cgi-bin/*>     # Protects cgi-bin as well
<Directory /var/www/cgi-bin/?>     # Doesn't protect cgi-bin/users
<Directory /var/www/cgi-bin/?*>    # Protects cgi-bin as well! (how?)
<Directory /var/www/cgi-bin/?*/>   # Protects cgi-bin as well! (how?)
<Directory /var/www/cgi-bin/*/*>   # Protects cgi-bin as well! (how?)
<Directory /var/www/cgi-bin/?*/*>  # Protects just subdirectories,
                                   # But overrides admin directory

I just cannot see how the statements above marked "how?" can match
/var/www/cgi-bin but somehow they do. They all seem to require matching at
least one character beyond the end of /var/www/cgi-bin

> Replacing the <DirectoryMatch> with <Directory> will probably fix your 
> main problem as well, since it will cause the second Require directive to 
> be processed last, overriding the first one, rather than vice versa.

I wish this were so, but I simply cannot find a combination that works.

Steve Swift
http://www.swiftys.org.uk





Re: [users@httpd] Protecting certain cgi-bin subdirectories

Posted by Joshua Slive <jo...@slive.ca>.
On 8/5/06, Steve Swift <st...@gmail.com> wrote:

> I'm using Apache 2.0.46 and I want to password protect all of the
> subdirectories below cgi-bin.  This is easy, with:

Very old version.  You should upgrade.

>
> <DirectoryMatch /var/www/cgi-bin/.*/>
>
> Require valid-user
>
> </DirectoryMatch>
>
> This works fine, you need a userid, any userid, to get into the
> subdirectories.
>
>
>
> Now, I'd like to be more selective about who gets into the /admin
> subdirectory, so I add:
>
> <Directory /var/www/cgi-bin/admin>
>
> Require user Swifty
>
> </Directory>
>
>
>
> This second step had no effect.  I could still fetch pages from
> /var/www/cgi-bin/admin with any valid user.

You need to read:
http://httpd.apache.org/docs/2.2/sections.html

You'll find that <Directory> automatically protects subdirectories, so
you don't need that <DirectoryMatch> complication.  You'll also find
that the order of processing is important.  Replacing the
<DirectoryMatch> with <Directory> will probably fix your main problem
as well, since it will cause the second Require directive to be
processed last, overriding the first one, rather than vice versa.

Joshua.
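
The processing order described in the reply above, as an added example that is not part of the original thread: a small Python model of the merge order documented in sections.html, run against the original configuration and against the all-<Directory> alternative. The function name, the sample script paths, and the choice to test regex sections against the full filename are assumptions of this sketch; wildcards in <Directory> are not modelled.

```python
import re

# Constructed model of the merge order in Apache's sections.html:
# non-regex <Directory> sections are applied first, shortest path to longest,
# then <DirectoryMatch> sections in config-file order. A later Require
# replaces an earlier one. Wildcard <Directory> paths are NOT modelled.

def effective_require(sections, filename):
    """Return the Require that wins for `filename`, or None if unprotected.

    sections: list of (kind, pattern, require) in config-file order,
    where kind is "Directory" or "DirectoryMatch".
    """
    plain = [s for s in sections if s[0] == "Directory"]
    regex = [s for s in sections if s[0] == "DirectoryMatch"]
    winner = None
    # Phase 1: shortest directory first (sorted() is stable, ties keep file order).
    for _, path, require in sorted(plain, key=lambda s: len(s[1].rstrip("/"))):
        if filename.startswith(path.rstrip("/") + "/"):
            winner = require
    # Phase 2: regex sections, in file order, unanchored like Apache's regexes.
    # Assumption: the regex is tested against the full filename.
    for _, pattern, require in regex:
        if re.search(pattern, filename):
            winner = require
    return winner

# The configuration from the first message in the thread.
ORIGINAL = [
    ("DirectoryMatch", r"/var/www/cgi-bin/.*/", "valid-user"),
    ("Directory", "/var/www/cgi-bin/admin", "user Swifty"),
]
# The suggestion to use plain <Directory> for both rules.
BOTH_DIRECTORY = [
    ("Directory", "/var/www/cgi-bin", "valid-user"),
    ("Directory", "/var/www/cgi-bin/admin", "user Swifty"),
]
# Constructed sample script paths.
PATHS = ["/var/www/cgi-bin/admin/tool.cgi",
         "/var/www/cgi-bin/users/test",
         "/var/www/cgi-bin/index.cgi"]

def report():
    configs = (("original", ORIGINAL), ("both_directory", BOTH_DIRECTORY))
    return {name: {p: effective_require(cfg, p) for p in PATHS}
            for name, cfg in configs}

if __name__ == "__main__":
    for name, rows in report().items():
        for path, req in rows.items():
            print(f"{name:15} {path:33} -> {req}")
```

In the original configuration the regex section runs after the plain section, so admin ends up with valid-user; with two plain sections admin is restricted to Swifty, but scripts directly in cgi-bin become password protected as well.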
