Posted to users@httpd.apache.org by Jason Keltz <ja...@cs.yorku.ca> on 2006/01/24 21:11:38 UTC

[users@httpd] how to enable a module in one virtualhost

Hi.

I'm running Apache 1.3.34, and have a question that I was hoping someone 
might be able to help me with.

I have two virtual hosts - one for standard HTTP, and the other for 
HTTPS.  All I want to be able to do is to enable one module 
(mod_auth_pam actually) in the https virtualhost, and NOT have the 
module defined in the HTTP virtualhost so that authentication with PAM 
is not done in the clear.  mod_auth_pam isn't really all that important 
to this problem though.  There must be a way to enable a module in one 
virtualhost, and not have it enabled in the other one, all on the same 
server.  If there is, I can't find it..

Thanks for help anyone can provide..

Jason.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] how to enable a module in one virtualhost

Posted by Joshua Slive <jo...@slive.ca>.
On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
>
> I would like to do that, but the problem is, I still need to leave the
> .htaccess functionality on the non-ssl side untouched.  There are users
> using basic authentication on the non-ssl side, and doing many other
> things in their personal .htaccess files and I can't break any of that.
>   It's just that I am required to provide the new PAM functionality, and
> don't want to implement it in a way that risks the security of my
> passwords.

If there are people doing non-ssl basic auth (I'm assuming this is
also non-PAM) how is this working if you are getting 500 errors?  It
sounds like you have another config problem with your basic auth that
is creating the 500 errors.

>
> I had really figured the solution would be relatively trivial.  I
> figured that Apache would have a standard mechanism that would simply
> allow me to specify which modules are available to which virtual hosts.
>   I figured that maybe I could do a "ClearModuleList" and then
> "AddModule" for each module, but these functions don't work inside the
> VirtualHost definitions, and as you said, this feature isn't in Apache
> right now.  It is left up to the module developer...

This feature can't be added to apache.  Modules can get involved in
every phase of the request, including determining what request goes to
what vhost.  So there can be no general way to tell a module only to
be active in one vhost.  It is up to the module.

(Well, if you *really* need this, then you can invoke httpd twice
with two different config files, one listening on 443 with the
appropriate modules, and the other listening on 80 with the
appropriate modules.)

> The problem is, I
> think that even if I modified the mod_auth_pam module to only allow an
> enable if the calling URL was https, this wouldn't solve the problem
> since the Username and Password box would still come up, and the
> password would still be sent in the clear before the web server would
> return an error message.  The only way to make things stop hard in their
> tracks is by not having the module loaded... It really seems like a
> solution that needs to come from within the web server.

I don't understand how not having the module loaded makes any
difference.  If someone asks for auth, it's still going to pop up the
auth dialog and they can still type in whatever they want (sensitive
or not) in the password box.

>
> I could hard-code the digest authentication into the "location /" call,
> as you said, but then I would mess up basic authentication using the ssl
> virtual host as well.

No it wouldn't.  The <Location> section should be scoped inside the
non-ssl <VirtualHost>.

Joshua.



Re: [users@httpd] how to enable a module in one virtualhost

Posted by Jason Keltz <ja...@cs.yorku.ca>.
Joshua Slive wrote:
> On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> 
>>On Tue, 24 Jan 2006, Joshua Slive wrote:
>>
>>
>>>On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
>>>
>>>
>>>>>You can use
>>>>>
>>>>><Location />
>>>>>AuthPAM_Enabled off
>>>>></Location>
>>>>>
>>>>>in the appropriate <VirtualHost> to override .htaccess.
>>>>
>>>>Excellent.  That does work.  However, the authentication page still
>>>>comes up requesting a username/password when I attempt to visit the http
>>>>version of the page.  It's just that any username and password will
>>>>display the "Internal Server Error".  Is there any way to make that
>>>>failure error come up without even displaying the authentication page?
>>>
>>>Not that I know of.
>>
>>Joshua,
>>
>>I just realized -- if the user types their name and password, hits enter
>>and gets the "Internal Server Error" page, hasn't their password already
>>been sent in the clear from browser to server?  This would defeat the
>>purpose of my intention to only allow PAM authentication via https.
>>Sure, PAM authentication would be off, but the name and password (I
>>think) would still be sent in the clear.  Do you or anyone else have any
>>suggestions of how to get around this?
> 
> 
> Well, you can add "AuthType digest" to the <Location /> section.
> 
> But it sounds to me like you are trying to indirectly tackle a problem
> that could be addressed more directly.  The problem is that .htaccess
> files apply to both the ssl and non-ssl host.  You can prevent this by
> using AllowOverride to turn .htaccess off in the non-ssl host, or use
> AccessFileName to change the name of the .htaccess file there to
> something different.  Then nobody should be stupid enough to do
> "require" on the non-ssl side when they know the only result will be a
> 500 error.

Hi Joshua,

I would like to do that, but the problem is, I still need to leave the 
.htaccess functionality on the non-ssl side untouched.  There are users 
using basic authentication on the non-ssl side, and doing many other 
things in their personal .htaccess files and I can't break any of that. 
  It's just that I am required to provide the new PAM functionality, and 
don't want to implement it in a way that risks the security of my 
passwords.

I had really figured the solution would be relatively trivial.  I 
figured that Apache would have a standard mechanism that would simply 
allow me to specify which modules are available to which virtual hosts. 
  I figured that maybe I could do a "ClearModuleList" and then 
"AddModule" for each module, but these functions don't work inside the 
VirtualHost definitions, and as you said, this feature isn't in Apache 
right now.  It is left up to the module developer... The problem is, I 
think that even if I modified the mod_auth_pam module to only allow an 
enable if the calling URL was https, this wouldn't solve the problem 
since the Username and Password box would still come up, and the 
password would still be sent in the clear before the web server would 
return an error message.  The only way to make things stop hard in their 
tracks is by not having the module loaded... It really seems like a 
solution that needs to come from within the web server.

I could hard-code the digest authentication into the "location /" call, 
as you said, but then I would mess up basic authentication using the ssl 
virtual host as well.

Jason.



Re: [users@httpd] how to enable a module in one virtualhost

Posted by Joshua Slive <jo...@slive.ca>.
On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> On Tue, 24 Jan 2006, Joshua Slive wrote:
>
> > On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> >
> >>> You can use
> >>>
> >>> <Location />
> >>> AuthPAM_Enabled off
> >>> </Location>
> >>>
> >>> in the appropriate <VirtualHost> to override .htaccess.
> >>
> >> Excellent.  That does work.  However, the authentication page still
> >> comes up requesting a username/password when I attempt to visit the http
> >> version of the page.  It's just that any username and password will
> >> display the "Internal Server Error".  Is there any way to make that
> >> failure error come up without even displaying the authentication page?
> >
> > Not that I know of.
>
> Joshua,
>
> I just realized -- if the user types their name and password, hits enter
> and gets the "Internal Server Error" page, hasn't their password already
> been sent in the clear from browser to server?  This would defeat the
> purpose of my intention to only allow PAM authentication via https.
> Sure, PAM authentication would be off, but the name and password (I
> think) would still be sent in the clear.  Do you or anyone else have any
> suggestions of how to get around this?

Well, you can add "AuthType digest" to the <Location /> section.

But it sounds to me like you are trying to indirectly tackle a problem
that could be addressed more directly.  The problem is that .htaccess
files apply to both the ssl and non-ssl host.  You can prevent this by
using AllowOverride to turn .htaccess off in the non-ssl host, or use
AccessFileName to change the name of the .htaccess file there to
something different.  Then nobody should be stupid enough to do
"require" on the non-ssl side when they know the only result will be a
500 error.

Joshua.
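
Added example (not part of the original thread, and not Apache or mod_auth_pam code): what the browser puts on the wire for "AuthType Basic" versus "AuthType Digest", which is why forcing Digest in the non-ssl <Location /> keeps the PAM password out of the clear. The user name, password and realm in the Basic case are constructed sample values; the Digest check in the test uses the worked example from RFC 2617.

```python
import base64
import hashlib


def basic_header(user, password):
    """Authorization header a browser sends for AuthType Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_from_basic(header):
    """Decode a Basic header the way any observer of plain HTTP can."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_header(user, password, realm, method, uri, nonce, nc, cnonce):
    """Authorization header for AuthType Digest (RFC 2617, qop=auth)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # secret never leaves the client
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def password_on_wire(header, password):
    """True if the password itself can be read out of the header."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() == "basic":
        return recover_from_basic(header)[1] == password
    return password in rest


if __name__ == "__main__":
    # Constructed sample credentials for the Basic case.
    user, password = "jdoe", "pam-login-secret"
    basic = basic_header(user, password)
    print(basic)
    print("Basic exposes password:", password_on_wire(basic, password))

    # Constructed nonce values; a real server issues the nonce in its 401.
    digest = digest_header(user, password, "Restricted", "GET", "/private/",
                           "5f2c1a9e", "00000001", "c7d1e0aa")
    print(digest)
    print("Digest exposes password:", password_on_wire(digest, password))
```

With Basic, the request that ends in the "Internal Server Error" has already carried the password; with Digest only a nonce-bound MD5 response is sent.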



Re: [users@httpd] how to enable a module in one virtualhost

Posted by Jason Keltz <ja...@cs.yorku.ca>.
On Tue, 24 Jan 2006, Joshua Slive wrote:

> On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
>
>>> You can use
>>>
>>> <Location />
>>> AuthPAM_Enabled off
>>> </Location>
>>>
>>> in the appropriate <VirtualHost> to override .htaccess.
>>
>> Excellent.  That does work.  However, the authentication page still
>> comes up requesting a username/password when I attempt to visit the http
>> version of the page.  It's just that any username and password will
>> display the "Internal Server Error".  Is there any way to make that
>> failure error come up without even displaying the authentication page?
>
> Not that I know of.

Joshua,

I just realized -- if the user types their name and password, hits enter 
and gets the "Internal Server Error" page, hasn't their password already 
been sent in the clear from browser to server?  This would defeat the 
purpose of my intention to only allow PAM authentication via https. 
Sure, PAM authentication would be off, but the name and password (I 
think) would still be sent in the clear.  Do you or anyone else have any 
suggestions of how to get around this?

Jason.




[users@httpd] CGI warnings and errors go into wrong error log

Posted by Artem Kuchin <ma...@itlegion.ru>.
Hi!

I am running
Apache/2.0.55 (FreeBSD) PHP/5.1.1 
on FreeBSD 6.0-STABLE

Apache is compiled with threads (worker MPM).

There I have a main config file (httpd.conf) with main error and main access log
like this:


User www
Group www
ServerAdmin info@itlegion.ru
ServerName 84.21.226.213:80
ErrorLog /hosts/SYSTEM/httpd-error.log
CustomLog /hosts/SYSTEM/httpd-access.log combined
LogLevel debug

Then virtual hosts are loaded:

NameVirtualHost 84.21.226.213:80
Include etc/apache2/Includes/*

Currently there is only one virtual host which has its own access
and error log:


    ErrorLog /hosts/meliora.ru/logs/errors
    CustomLog /hosts/meliora.ru/logs/access combined

But the problem is that if an error occurs (or anything is output to stderr) 
in a CGI script it does not appear in the virtual host error log, but it goes into
the main server error log.

For example a simple script with error:

#!/usr/bin/perl
warn "It aint' workin'\n";

Outputs into virtual host error log only this:
[Wed Jan 25 00:25:56 2006] [error] [client 85.140.105.134] Premature end of script headers: a.pl

And the message goes into the main server log in hosts/SYSTEM/httpd-error.log:
It aint' workin'

All the docs for Apache say that this should be this way. Any idea why this happens and how to 
avoid this? On Apache 1.3 the warn message goes into the virtual host error log, and on another
Apache/2.0.52 which is on FreeBSD 5.3-STABLE and is NOT compiled with threads, error logs
go to the right virtual host log.

Regards,
Artem






Re: [users@httpd] how to enable a module in one virtualhost

Posted by Joshua Slive <jo...@slive.ca>.
On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:

> >
> > You can use
> >
> > <Location />
> > AuthPAM_Enabled off
> > </Location>
> >
> > in the appropriate <VirtualHost> to override .htaccess.
>
> Excellent.  That does work.  However, the authentication page still
> comes up requesting a username/password when I attempt to visit the http
> version of the page.  It's just that any username and password will
> display the "Internal Server Error".  Is there any way to make that
> failure error come up without even displaying the authentication page?

Not that I know of.

Joshua.



Re: [users@httpd] how to enable a module in one virtualhost

Posted by Jason Keltz <ja...@cs.yorku.ca>.
Joshua Slive wrote:
> On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> 
>>Joshua Slive wrote:
>>
>>>On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
>>>
>>>
>>>>Hi.
>>>>
>>>>I'm running Apache 1.3.34, and have a question that I was hoping someone
>>>>might be able to help me with.
>>>>
>>>>I have two virtual hosts - one for standard HTTP, and the other for
>>>>HTTPS.  All I want to be able to do is to enable one module
>>>>(mod_auth_pam actually) in the https virtualhost, and NOT have the
>>>>module defined in the HTTP virtualhost so that authentication with PAM
>>>>is not done in the clear.  mod_auth_pam isn't really all that important
>>>>to this problem though.  There must be a way to enable a module in one
>>>>virtualhost, and not have it enabled in the other one, all on the same
>>>>server.  If there is, I can't find it..
>>>
>>>
>>>It is the responsibility of the module to define where it is or is not
>>>in effect.  Most modules provide directives to turn themselves on or
>>>off.  In the case of mod_auth_pam, it seems like "AuthPam_Enabled off"
>>>will do the trick.
>>
>>Hi Joshua,
>>
>>Thanks for your response.
>>
>>The problem with this is that while I can disable the module with
>>AuthPam_enabled off, the user can then "enable" it in their .htaccess
>>file with the AuthPam_enabled on.  I am looking for a higher level way
>>of making it so that the module is not even available to the http
>>server.  I would have thought this is something that Apache would do.
> 
> 
> It is always up to the module to decide where it has effect and where
> it doesn't.
> 
> You can use
> 
> <Location />
> AuthPAM_Enabled off
> </Location>
> 
> in the appropriate <VirtualHost> to override .htaccess.

Excellent.  That does work.  However, the authentication page still 
comes up requesting a username/password when I attempt to visit the http 
version of the page.  It's just that any username and password will 
display the "Internal Server Error".  Is there any way to make that 
failure error come up without even displaying the authentication page?

Thanks a lot..

Jason.



Re: [users@httpd] how to enable a module in one virtualhost

Posted by Joshua Slive <jo...@slive.ca>.
On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> Joshua Slive wrote:
> > On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> >
> >>Hi.
> >>
> >>I'm running Apache 1.3.34, and have a question that I was hoping someone
> >>might be able to help me with.
> >>
> >>I have two virtual hosts - one for standard HTTP, and the other for
> >>HTTPS.  All I want to be able to do is to enable one module
> >>(mod_auth_pam actually) in the https virtualhost, and NOT have the
> >>module defined in the HTTP virtualhost so that authentication with PAM
> >>is not done in the clear.  mod_auth_pam isn't really all that important
> >>to this problem though.  There must be a way to enable a module in one
> >>virtualhost, and not have it enabled in the other one, all on the same
> >>server.  If there is, I can't find it..
> >
> >
> > It is the responsibility of the module to define where it is or is not
> > in effect.  Most modules provide directives to turn themselves on or
> > off.  In the case of mod_auth_pam, it seems like "AuthPam_Enabled off"
> > will do the trick.
>
> Hi Joshua,
>
> Thanks for your response.
>
> The problem with this is that while I can disable the module with
> AuthPam_enabled off, the user can then "enable" it in their .htaccess
> file with the AuthPam_enabled on.  I am looking for a higher level way
> of making it so that the module is not even available to the http
> server.  I would have thought this is something that Apache would do.

It is always up to the module to decide where it has effect and where
it doesn't.

You can use

<Location />
AuthPAM_Enabled off
</Location>

in the appropriate <VirtualHost> to override .htaccess.

Joshua.



Re: [users@httpd] how to enable a module in one virtualhost

Posted by Jason Keltz <ja...@cs.yorku.ca>.
Joshua Slive wrote:
> On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> 
>>Hi.
>>
>>I'm running Apache 1.3.34, and have a question that I was hoping someone
>>might be able to help me with.
>>
>>I have two virtual hosts - one for standard HTTP, and the other for
>>HTTPS.  All I want to be able to do is to enable one module
>>(mod_auth_pam actually) in the https virtualhost, and NOT have the
>>module defined in the HTTP virtualhost so that authentication with PAM
>>is not done in the clear.  mod_auth_pam isn't really all that important
>>to this problem though.  There must be a way to enable a module in one
>>virtualhost, and not have it enabled in the other one, all on the same
>>server.  If there is, I can't find it..
> 
> 
> It is the responsibility of the module to define where it is or is not
> in effect.  Most modules provide directives to turn themselves on or
> off.  In the case of mod_auth_pam, it seems like "AuthPam_Enabled off"
> will do the trick.

Hi Joshua,

Thanks for your response.

The problem with this is that while I can disable the module with 
AuthPam_enabled off, the user can then "enable" it in their .htaccess 
file with the AuthPam_enabled on.  I am looking for a higher level way 
of making it so that the module is not even available to the http 
server.  I would have thought this is something that Apache would do.

Jason.


> Joshua.
> 




Re: [users@httpd] how to enable a module in one virtualhost

Posted by Joshua Slive <jo...@slive.ca>.
On 1/24/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> Hi.
>
> I'm running Apache 1.3.34, and have a question that I was hoping someone
> might be able to help me with.
>
> I have two virtual hosts - one for standard HTTP, and the other for
> HTTPS.  All I want to be able to do is to enable one module
> (mod_auth_pam actually) in the https virtualhost, and NOT have the
> module defined in the HTTP virtualhost so that authentication with PAM
> is not done in the clear.  mod_auth_pam isn't really all that important
> to this problem though.  There must be a way to enable a module in one
> virtualhost, and not have it enabled in the other one, all on the same
> server.  If there is, I can't find it..

It is the responsibility of the module to define where it is or is not
in effect.  Most modules provide directives to turn themselves on or
off.  In the case of mod_auth_pam, it seems like "AuthPam_Enabled off"
will do the trick.

Joshua.
