Posted to users@httpd.apache.org by Keith Mitchell <ke...@paisd.com> on 2011/01/28 03:51:43 UTC

[users@httpd] Apache 2.x authentication and mod_rewrite

I have an apache server that was initially set up for intranet access, 
so I didn't have to worry much about locking it down.

Later on, I needed to open it up to the internet, so I put an ldap 
authentication directive in the <Directory "/var/www/html"> section of 
the httpd.conf like so:

     Order allow,deny

     AuthBasicProvider ldap
     AuthType Basic
     AuthzLDAPAuthoritative on
     AuthName "MyCompany Intranet"
     AuthLDAPURL "ldap://myldapserver.mydomain.com:389/CN=Users,DC=mydomain,DC=com?sAMAccountName?sub?(memberOf=CN=Everyoneat MyCompany,OU=MyCompany Groups,DC=mydomain,DC=com)" NONE
     AuthLDAPBindDN "CN=Administrator,CN=Users,DC=mydomain,DC=com"
     AuthLDAPBindPassword "MyPassword"

     Require valid-user

#    Allow from all
     Allow from 192.168.1
     Allow from 10.254.0

     Satisfy any

This basically made it so that local users could get in with no 
password, and external users had to authenticate against our ADS domain 
to get in.

Now things get more complicated.

I have an app that I run that distinguishes between users by appending a 
cgi variable to the end of a URL, so I set up a .htaccess file in the 
root of my web directories (/var/www/html) as follows:

RewriteEngine on
RewriteBase /
RewriteRule ^foo/(.*)$ some/really/long/url/$1?tenant_filter=2 [L]
RewriteRule ^bar/(.*)$ some/really/long/url/$1?tenant_filter=1 [L]

This works really great.  Clients type in 
http://myserver.mydomain.com/foo/file.html and the URL magically points 
them at 
http://myserver.mydomain.com/some/really/long/url/file.html?tenant_filter=2 
while all they see is the http://myserver.mydomain.com/foo/file.html.

Here's where the problem comes in.

I'd like to define *separate* authentication parameters for the /foo and 
/bar virtual directories.  No matter what I try, the authentication is 
always overridden by the ldap setup in my httpd.conf above.  What am I 
doing wrong and what can I do to achieve my goal?  Is it even possible?


Re: [users@httpd] Apache 2.x authentication and mod_rewrite

Posted by Rich Bowen <rb...@rcbowen.com>.
> I have an app that I run that distinguishes between users by appending a cgi variable to the end of a URL, so I set up a .htaccess file in the root of my web directories (/var/www/html) as follows:
> 
> RewriteEngine on
> RewriteBase /
> RewriteRule ^foo/(.*)$ some/really/long/url/$1?tenant_filter=2 [L]
> RewriteRule ^bar/(.*)$ some/really/long/url/$1?tenant_filter=1 [L]
> 
> This works really great.  Clients type in http://myserver.mydomain.com/foo/file.html and the URL magically points them at http://myserver.mydomain.com/some/really/long/url/file.html?tenant_filter=2 while all they see is the http://myserver.mydomain.com/foo/file.html.
> 
> Here's where the problem comes in.
> 
> I'd like to define *separate* authentication parameters for the /foo and /bar virtual directories.  No matter what I try, the authentication is always overridden by the ldap setup in my httpd.conf above.  What am I doing wrong and what can I do to achieve my goal?  Is it even possible?

Two things you need to look into.

First, doing this in a .htaccess file rather than in the main server configuration file increases the complexity. You should move these rules into the server config.

Second, authentication happens too late to try to do Rewrite based on it. You have to use the %{LA-U:variable} syntax to do a peek-ahead. See http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html for more details on how to do that.

--
Rich Bowen
rbowen@rcbowen.com
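
The two suggestions above applied to the configuration from the question, as an added example that is not part of the thread: the rewrite rules moved into the server config, with one <Location> block per virtual directory. The two group names, the password placeholder and the decision to refuse direct requests to the backing path are assumptions.

```apache
# Main server config (Apache 2.2), next to the existing <Directory> block.
# Hypothetical values: the two group CNs and the bind password placeholder.

# Server-context patterns include the leading slash and need no RewriteBase.
# Without [PT] the target becomes a file path under DocumentRoot while the
# request URI stays /foo/... or /bar/..., so the <Location> blocks below
# apply in the auth phases. The substitution's own query string (no [QSA])
# replaces any query string the client sent.
RewriteEngine on
RewriteRule ^/foo/(.*)$ /some/really/long/url/$1?tenant_filter=2 [L]
RewriteRule ^/bar/(.*)$ /some/really/long/url/$1?tenant_filter=1 [L]
# A RewriteCond here that needs the login name must read %{LA-U:REMOTE_USER};
# plain %{REMOTE_USER} is still empty during URL translation.

# <Location> merges after <Directory>, so these auth settings win per path.
# Order/Allow/Satisfy are inherited: LAN clients still skip the prompt.
<Location /foo>
    AuthType Basic
    AuthName "Foo tenant"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://myldapserver.mydomain.com:389/CN=Users,DC=mydomain,DC=com?sAMAccountName?sub?(memberOf=CN=Foo Tenant,OU=MyCompany Groups,DC=mydomain,DC=com)" NONE
    AuthLDAPBindDN "CN=Administrator,CN=Users,DC=mydomain,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"
    Require valid-user
</Location>

<Location /bar>
    AuthType Basic
    AuthName "Bar tenant"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://myldapserver.mydomain.com:389/CN=Users,DC=mydomain,DC=com?sAMAccountName?sub?(memberOf=CN=Bar Tenant,OU=MyCompany Groups,DC=mydomain,DC=com)" NONE
    AuthLDAPBindDN "CN=Administrator,CN=Users,DC=mydomain,DC=com"
    AuthLDAPBindPassword "CHANGE_ME"
    Require valid-user
</Location>

# Direct requests to the backing path would let the client choose
# tenant_filter, so refuse them (assumes the app never links there).
<Location /some/really/long/url>
    Order deny,allow
    Deny from all
    Satisfy all
</Location>
```

Checking the syntax with `apachectl configtest` and then requesting /foo/, /bar/ and the backing path from an external address shows which realm, if any, each one prompts for.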

