Posted to users@httpd.apache.org by Keith Mitchell <ke...@paisd.com> on 2011/01/28 03:51:43 UTC
[users@httpd] Apache 2.x authentication and mod_rewrite
I have an Apache server that was initially set up for intranet access,
so I didn't have to worry much about locking it down.
Later on, I needed to open it up to the internet, so I put an LDAP
authentication directive in the <Directory "/var/www/html"> section of
the httpd.conf like so:
Order allow,deny
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative on
AuthName "MyCompany Intranet"
AuthLDAPURL "ldap://myldapserver.mydomain.com:389/CN=Users,DC=mydomain,DC=com?sAMAccountName?sub?(memberOf=CN=Everyoneat MyCompany,OU=MyCompany Groups,DC=mydomain,DC=com)" NONE
AuthLDAPBindDN "CN=Administrator,CN=Users,DC=mydomain,DC=com"
AuthLDAPBindPassword "MyPassword"
Require valid-user
# Allow from all
Allow from 192.168.1
Allow from 10.254.0
Satisfy any
This basically made it so that local users could get in with no
password, and external users had to authenticate against our ADS domain
to get in.
Now things get more complicated.
I have an app that I run that distinguishes between users by appending a
CGI variable to the end of a URL, so I set up a .htaccess file in the
root of my web directories (/var/www/html) as follows:
RewriteEngine on
RewriteBase /
RewriteRule ^foo/(.*)$ some/really/long/url/$1?tenant_filter=2 [L]
RewriteRule ^bar/(.*)$ some/really/long/url/$1?tenant_filter=1 [L]
This works really great. Clients type in
http://myserver.mydomain.com/foo/file.html and the URL magically points
them at
http://myserver.mydomain.com/some/really/long/url/file.html?tenant_filter=2
while all they see is the http://myserver.mydomain.com/foo/file.html.
Here's where the problem comes in.
I'd like to define *separate* authentication parameters for the /foo and
/bar virtual directories. No matter what I try, the authentication is
always overridden by the LDAP setup in my httpd.conf above. What am I
doing wrong and what can I do to achieve my goal? Is it even possible?
Re: [users@httpd] Apache 2.x authentication and mod_rewrite
Posted by Rich Bowen <rb...@rcbowen.com>.
> I have an app that I run that distinguishes between users by appending a CGI variable to the end of a URL, so I set up a .htaccess file in the root of my web directories (/var/www/html) as follows:
>
> RewriteEngine on
> RewriteBase /
> RewriteRule ^foo/(.*)$ some/really/long/url/$1?tenant_filter=2 [L]
> RewriteRule ^bar/(.*)$ some/really/long/url/$1?tenant_filter=1 [L]
>
> This works really great. Clients type in http://myserver.mydomain.com/foo/file.html and the URL magically points them at http://myserver.mydomain.com/some/really/long/url/file.html?tenant_filter=2 while all they see is the http://myserver.mydomain.com/foo/file.html.
>
> Here's where the problem comes in.
>
> I'd like to define *separate* authentication parameters for the /foo and /bar virtual directories. No matter what I try, the authentication is always overridden by the LDAP setup in my httpd.conf above. What am I doing wrong and what can I do to achieve my goal? Is it even possible?
Two things you need to look into.
First, doing this in a .htaccess file rather than in the main server configuration file increases the complexity. You should move these rules into the server config.
Second, authentication happens too late to try to do Rewrite based on it. You have to use the %{LA-U:variable} syntax to do a peek-ahead. See http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html for more details on how to do that.
--
Rich Bowen
rbowen@rcbowen.com
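
The two suggestions in the reply above, combined in one fragment. This is an added example, not configuration posted by either participant: it reuses the paths and tenant_filter values from the thread and assumes the rewrite should apply only once the look-ahead reports an authenticated user name.

```apache
# Added example, Apache 2.2 syntax. Place in httpd.conf at server or
# <VirtualHost> level, replacing the rules in /var/www/html/.htaccess.
RewriteEngine On

# RewriteBase is a per-directory directive and is dropped here. In server
# context the pattern is matched against the full URL-path, so it starts
# with a leading slash.

# In server context mod_rewrite runs during URL translation, before the
# authentication phases, so %{REMOTE_USER} is still empty at this point.
# %{LA-U:REMOTE_USER} performs an internal sub-request for the URL and
# returns the user name that sub-request's authentication phases set.
RewriteCond %{LA-U:REMOTE_USER} ^.+$
RewriteRule ^/foo/(.*)$ /some/really/long/url/$1?tenant_filter=2 [L]

# A RewriteCond applies only to the RewriteRule that follows it, so the
# condition is repeated for the second prefix.
RewriteCond %{LA-U:REMOTE_USER} ^.+$
RewriteRule ^/bar/(.*)$ /some/really/long/url/$1?tenant_filter=1 [L]

# Caveat for the <Directory "/var/www/html"> block in the thread: with
# "Satisfy any", a request admitted by one of the Allow lines is never
# asked to authenticate, so the look-ahead returns an empty user name for
# intranet clients and neither rule above matches for them.
```

Each look-ahead costs one extra internal sub-request per matching request, and the rewritten target under /some/really/long/url/ is still covered by the <Directory "/var/www/html"> authentication settings because it resolves to a path inside that directory.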