Posted to dev@httpd.apache.org by Barry Scott <ba...@onelan.co.uk> on 2009/09/29 14:18:26 UTC

mod_fcgid - cannot get authorizer process to be started

The mod_fcgid page says to ask on dev; I assume that this is the right 
place to ask.

I'm using mod_fcgid from svn with HTTPD 2.2.

I want to use a fast CGI authorizer to allow me to control access based 
on my rules.
The authorizer needs to be a long running process - never exits.

I know that the fcgid code is noticing the directive because I can 
change the filename
and see the error message from the sources.

But I'm at a loss as to what is required to get this configuration to 
actually call my code.
mod_fcgid is not starting up the authorizer process.

I have the following fcgid specific lines in my httpd.conf file:

---- httpd.conf ----
...
LoadModule fcgid_module modules/mod_fcgid.so
...

Listen *:9000
<VirtualHost *:9000>
   <Location />
       Order allow,deny
       Allow from all
       AuthType Digest
       AuthName "Manager System"
       Require valid-user
       AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
       AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

       FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer

   </Location>

   <Location /player>
         #+ HTTP auth file
       Order allow,deny
       Allow from all
       AuthType Digest
       AuthName "Manager System"
       Require valid-user
       AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
       AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
       #- HTTP auth file
       #FCGID

   </Location>
</VirtualHost>
-------------------------------

Barry





Re: mod_fcgid - cannot get authorizer process to be started

Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Sep 30, 2009 at 12:11 PM, Jeff Trawick <tr...@gmail.com> wrote:

> On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott <ba...@onelan.co.uk> wrote:
>
>> At this point let me ask this:
>>
>> Is it possible with the current code to ever have the fcgid Authorizer
>> called?
>>
>
> yes
>
> This works for me, though it uses the unfortunate valid-group hack with
> httpd 2.2 so that no authorizers running before fcgid think they should
> evaluate:
>
> <Location /docs>
>   <IfVersion >= 2.2>
>   AuthBasicAuthoritative Off
> # AuthBasicProvider foo
>   </IfVersion>
>
>   # work around problem with AAA in mod_fcgid (it can't track more than
>   # one AAA script per URL, and even then the URL can't be handled by a
>   # FastCGI app)
>   #
>   # FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
>   # FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
>   # FastCgiAuthorizer    %%MYHG%%/apache/fastcgi/apps/authorize.pl
>
>   FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
>   FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
>   FastCgiAuthorizer    %%MYHG%%/apache/fcgid/apps/aaa.pl
>
>   FastCgiAccessCheckerAuthoritative On
>   FastCgiAuthenticatorAuthoritative On
>   FastCgiAuthorizerAuthoritative    On
>
>   AuthType Basic
>   AuthName "foo"
>
>   <IfVersion < 2.3>
>
>   <IfVersion < 2.2>
>     Require group foo
>   </IfVersion>
>
>   <IfVersion >= 2.2>
>     Require valid-group
>   </IfVersion>
>
>     Order allow,deny
>     Allow from all
>   </IfVersion>
>
>   <IfVersion >= 2.3>
>     Require group foo
>   </IfVersion>
>
> </Location>
>
>
>
>>
>> If it is not possible I'm willing to try and code the missing pieces, with
>> a little
>> help being pointed in the right direction.
>>
>
> I hope some "require" experts could jump in ;)
>
> A good solution might be to associate a script with a particular
> require-ment so that mod_fcgid can check the Require for any require-ments
> implemented by a FastCGI script.
>
> [too] simple example:
>
> FCGIDRequire mydb-user /path/to/my/authorizer.sh
>
> <Location /foo>
>   Require mydb-user
>   SetEnv whatever-needed-by-authorizer.sh
> </Location>
>
>
BTW, authentication is another area where mod_fcgid could better fit in with
httpd (in this case, 2.2+).  Bundled authn modules implement a "provider,"
and the admin can specify which provider(s) handles authn.  That's better
than just calling all the authn hooks in a somewhat mysterious order and
having them look at other config to decide if they should try to
authenticate.  It would be nice to configure a FastCGI authenticator as a
provider, and then specify that the provider should be used within a
particular container.

Re: mod_fcgid - cannot get authorizer process to be started

Posted by Barry Scott <ba...@onelan.co.uk>.
Jeff Trawick wrote:
> On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott <barry.scott@onelan.co.uk> wrote:
>
>     At this point let me ask this:
>
>     Is it possible with the current code to ever have the fcgid
>     Authorizer called?
>
>
> yes
>
thanks for the confirmation and the example.

I now have my Authorizer code and have the authentication happening.

Listen *:9000
<VirtualHost *:9000>
    <Location />
        Order allow,deny
        Allow from all
        AuthType Digest
        AuthName "Manager System"
        AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

        Require onelan magic
        FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
    </Location>
</VirtualHost>


What I have learned about the code is this:

* If any Require directive is present a 401 is returned if no credentials are sent
* If any Require directive is present and credentials are present they are checked and the username is set in r.
* If any Require directive is present and it's not processed by any other authorizer the FastCgiAuthorizer is run

It would be nice to reserve a Require entity name for use by fast CGI.
The code as written today does not care if a Require entity name is 
processed by any module.
Use of valid-group that sounds official but is simply a Require entity 
name that no module supports.

Barry


Re: mod_fcgid - cannot get authorizer process to be started

Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott <ba...@onelan.co.uk> wrote:

> At this point let me ask this:
>
> Is it possible with the current code to ever have the fcgid Authorizer
> called?
>

yes

This works for me, though it uses the unfortunate valid-group hack with
httpd 2.2 so that no authorizers running before fcgid think they should
evaluate:

<Location /docs>
  <IfVersion >= 2.2>
  AuthBasicAuthoritative Off
# AuthBasicProvider foo
  </IfVersion>

  # work around problem with AAA in mod_fcgid (it can't track more than
  # one AAA script per URL, and even then the URL can't be handled by a
  # FastCGI app)
  #
  # FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
  # FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
  # FastCgiAuthorizer    %%MYHG%%/apache/fastcgi/apps/authorize.pl

  FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
  FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
  FastCgiAuthorizer    %%MYHG%%/apache/fcgid/apps/aaa.pl

  FastCgiAccessCheckerAuthoritative On
  FastCgiAuthenticatorAuthoritative On
  FastCgiAuthorizerAuthoritative    On

  AuthType Basic
  AuthName "foo"

  <IfVersion < 2.3>

  <IfVersion < 2.2>
    Require group foo
  </IfVersion>

  <IfVersion >= 2.2>
    Require valid-group
  </IfVersion>

    Order allow,deny
    Allow from all
  </IfVersion>

  <IfVersion >= 2.3>
    Require group foo
  </IfVersion>

</Location>



>
> If it is not possible I'm willing to try and code the missing pieces, with
> a little
> help being pointed in the right direction.
>

I hope some "require" experts could jump in ;)

A good solution might be to associate a script with a particular
require-ment so that mod_fcgid can check the Require for any require-ments
implemented by a FastCGI script.

[too] simple example:

FCGIDRequire mydb-user /path/to/my/authorizer.sh

<Location /foo>
  Require mydb-user
  SetEnv whatever-needed-by-authorizer.sh
</Location>

Re: mod_fcgid - cannot get authorizer process to be started

Posted by Barry Scott <ba...@onelan.co.uk>.
At this point let me ask this:

Is it possible with the current code to ever have the fcgid Authorizer 
called?

If it is not possible I'm willing to try and code the missing pieces, 
with a little
help being pointed in the right direction.

Barry


Re: mod_fcgid - cannot get authorizer process to be started

Posted by Jeff Trawick <tr...@gmail.com>.
On Tue, Sep 29, 2009 at 12:51 PM, Barry Scott <ba...@onelan.co.uk> wrote:

> Barry Scott wrote:
>
>> Jeff Trawick wrote:
>>
>>> On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott <barry.scott@onelan.co.uk> wrote:
>>>
>>>    Jeff Trawick wrote:
>>>
>>>        On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
>>>        <barry.scott@onelan.co.uk> wrote:
>>>
>>>           The mod_fcgid page says to ask on dev I assume that this is the
>>>           right place to ask.
>>>
>>>           I'm using mod_fcgid from svn with HTTPD 2.2.
>>>
>>>           I want to use a fast CGI authorizer to allow me to control
>>>        access
>>>           based on my rules.
>>>           The authorizer needs to be a long running process - never
>>>        exits.
>>>
>>>           I know that the fcgid code is noticing the directive
>>>        because I can
>>>           change the filename
>>>           and see the error message from the sources.
>>>
>>>           But I'm at a lose as to the required to get this
>>>        configuration to
>>>           actually call my code.
>>>           mod_fcgid is not starting up the authorizer process.
>>>
>>>           I have the following fcgid specific lines in my httpd.conf
>>>        file:
>>>
>>>           ---- httpd.conf ----
>>>           ...
>>>           LoadModule fcgid_module modules/mod_fcgid.so
>>>           ...
>>>
>>>           Listen *:9000
>>>           <VirtualHost *:9000>
>>>            <Location />
>>>                Order allow,deny
>>>                Allow from all
>>>                AuthType Digest
>>>
>>>
>>>        Did you really mean Digest authentication instead of Basic
>>>        authentication?
>>>
>>>        mod_fcgid only supports Basic, AFAICT.
>>>
>>>           /* Get the user password */
>>>           if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>>>               return res;
>>>
>>>
>>>    I don't want to be an authenticator, I want to be a authorizer.
>>>    Authorizer has no need of passwords right.
>>>
>>>
>>> whoops :(
>>>
>>> yes
>>>
>>> your "require valid-user" implies that you don't need authorization; try
>>> "require valid-group" instead
>>>
>>
>> I want the users password checked and to only proceed if it is valid.
>> I also want to run the fcgi Authorizer to check that the URL being
>> access is allowed according to the logic in my Authorizer code.
>>
>
"require valid-user" means that all it takes to access this resource is a
properly authenticated user.

If mod_authz_user sees "valid-user" during the authorization stage, it
returns OK and mod_fcgid's authorization hook is not called.  You want to
take it further and also run the authorizer, since a properly authenticated
user is not good enough.  So "require valid-user" or "require user xxx" or
other checks that can be made since the user is already known can't be used.

"require valid-group" is a hack to bypass checks that the AAA modules know
how to make (require user foo, require group bar, require ldap-group ...,
etc.).  There's no provision to allow a FastCGI authorizer app to implement
a particular authorization require-ment. "require group foo" can also get
you to your authorizer (subject to what the group file module would do).  I
haven't checked if that required group name is available to your authorizer.




>
>> To that end I have the following:
>>
>>   <Location />
>>       Order allow,deny
>>       Allow from all
>>
>>       # Use digest auth to check the username/password pair
>>       AuthType Digest
>>       AuthName "Manager System"
>>       # no one gets in without a valid username/password pair
>>       Require valid-user
>>
>
mod_authz_user always returns OK from authorization hook with this require


>
>>       # Use these files to find the passwd and group information
>>       AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
>>
>
not needed and maybe harmful depending on your require directive



>>       AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
>>
>>       # Run the Authorizer.sh to veto URL based on the username
>>       FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
>>
>>   </Location>
>>
>> What triggers HTTPD to call the Authorizer.sh code?
>> Surely not the commands that control authentication checks?
>>
>
yes, the require directive; furthermore, if authorization hooks called
before mod_fcgid's think they have answered the question authoritatively,
mod_fcgid won't be called


>
>> I cannot find Require valid-group defined in the 2.2 docs.
>>
>> Do you mean I need to add:
>>
>>             Require group nosuchgroup
>>
>
> This does not work...


because mod_authz_groupfile sees your AuthGroupFile and tries to answer
based on its contents (as well as whether or not that check is authoritative
(see
http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html#authzgroupfileauthoritative))?


>
>
>> And that will cause the mod_authn_user (or what ever module) to try
>> and match nosuchgroup. When it fails my Authenicator will be run
>> to see if it can handle that directive?
>>
>> Isn't this module crying out for a directive like:
>>
>>           Require fcgid-authenticater-user-is-valid
>>
>
I think so, but something appropriate for authorization, since the
mod_fcgid-driven authorization app shouldn't care how the user was
authenticated.
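
The hook behaviour described in the reply above, as an added example that is not part of the original thread or of the httpd or mod_fcgid sources: a simplified C model of the httpd 2.2 authorization phase in which hooks run in order and the first result other than DECLINED decides the request. The hook order, the single-argument `Require` handling, the user `bscott` and the `admins` group are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the httpd 2.2 authorization phase described in this
 * thread. Hooks run in order; the first one that does not return DECLINED
 * decides the request. Names and values are local to this example. */
enum { DECLINED = -1, OK = 0, HTTP_UNAUTHORIZED = 401 };

struct request {
    const char *user;     /* already authenticated user (constructed) */
    const char *require;  /* argument text of the single Require line */
    int has_group_file;   /* is AuthGroupFile configured? */
    int fcgid_allows;     /* verdict the FastCGI authorizer would return */
    int fcgid_called;     /* set when the chain reaches mod_fcgid */
};

/* Constructed group file content: group "admins" contains only "alice". */
static int in_group(const char *group, const char *user)
{
    return strcmp(group, "admins") == 0 && strcmp(user, "alice") == 0;
}

/* mod_authz_user: "valid-user" is satisfied by any authenticated user. */
static int authz_user(struct request *r)
{
    if (strcmp(r->require, "valid-user") == 0)
        return OK;
    if (strncmp(r->require, "user ", 5) == 0)
        return strcmp(r->require + 5, r->user) == 0 ? OK : HTTP_UNAUTHORIZED;
    return DECLINED;
}

/* mod_authz_groupfile: only answers "group ..." and only with a group file;
 * modelled as authoritative, so a failed match is a final 401. */
static int authz_groupfile(struct request *r)
{
    if (!r->has_group_file || strncmp(r->require, "group ", 6) != 0)
        return DECLINED;
    return in_group(r->require + 6, r->user) ? OK : HTTP_UNAUTHORIZED;
}

/* mod_fcgid with FastCgiAuthorizer configured: runs the external script. */
static int authz_fcgid(struct request *r)
{
    r->fcgid_called = 1;
    return r->fcgid_allows ? OK : HTTP_UNAUTHORIZED;
}

/* Run the chain; returns the status and reports whether fcgid was reached. */
int check(const char *require, int has_group_file, int fcgid_allows,
          int *fcgid_called)
{
    int (*hooks[])(struct request *) = { authz_user, authz_groupfile,
                                         authz_fcgid };
    struct request r = { "bscott", require, has_group_file, fcgid_allows, 0 };
    int rc = DECLINED;
    for (size_t i = 0; i < sizeof hooks / sizeof hooks[0] && rc == DECLINED; i++)
        rc = hooks[i](&r);
    *fcgid_called = r.fcgid_called;
    return rc;
}

int main(void)
{
    const char *reqs[] = { "valid-user", "group nosuchgroup",
                           "valid-group", "onelan magic" };
    int group_file[] = { 1, 1, 0, 0 };
    for (int i = 0; i < 4; i++) {
        int called;
        /* fcgid_allows = 0: the script wants to veto every request */
        int rc = check(reqs[i], group_file[i], 0, &called);
        printf("Require %-18s -> status %3d, authorizer %s\n",
               reqs[i], rc, called ? "ran" : "NOT run");
    }
    return 0;
}
```

With `Require valid-user` the model grants the request even though the authorizer would have refused it, which is why the veto script in the thread was never started.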

Re: mod_fcgid - cannot get authorizer process to be started

Posted by Barry Scott <ba...@onelan.co.uk>.
Barry Scott wrote:
> Jeff Trawick wrote:
>> On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott <barry.scott@onelan.co.uk> wrote:
>>
>>     Jeff Trawick wrote:
>>
>>         On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
>>         <barry.scott@onelan.co.uk> wrote:
>>
>>            The mod_fcgid page says to ask on dev I assume that this 
>> is the
>>            right place to ask.
>>
>>            I'm using mod_fcgid from svn with HTTPD 2.2.
>>
>>            I want to use a fast CGI authorizer to allow me to control
>>         access
>>            based on my rules.
>>            The authorizer needs to be a long running process - never
>>         exits.
>>
>>            I know that the fcgid code is noticing the directive
>>         because I can
>>            change the filename
>>            and see the error message from the sources.
>>
>>            But I'm at a lose as to the required to get this
>>         configuration to
>>            actually call my code.
>>            mod_fcgid is not starting up the authorizer process.
>>
>>            I have the following fcgid specific lines in my httpd.conf
>>         file:
>>
>>            ---- httpd.conf ----
>>            ...
>>            LoadModule fcgid_module modules/mod_fcgid.so
>>            ...
>>
>>            Listen *:9000
>>            <VirtualHost *:9000>
>>             <Location />
>>                 Order allow,deny
>>                 Allow from all
>>                 AuthType Digest
>>
>>
>>         Did you really mean Digest authentication instead of Basic
>>         authentication?
>>
>>         mod_fcgid only supports Basic, AFAICT.
>>
>>            /* Get the user password */
>>            if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>>                return res;
>>
>>
>>     I don't want to be an authenticator, I want to be a authorizer.
>>     Authorizer has no need of passwords right.
>>
>>
>> whoops :(
>>
>> yes
>>
>> your "require valid-user" implies that you don't need authorization; 
>> try "require valid-group" instead
>
> I want the users password checked and to only proceed if it is valid.
> I also want to run the fcgi Authorizer to check that the URL being
> access is allowed according to the logic in my Authorizer code.
>
> To that end I have the following:
>
>    <Location />
>        Order allow,deny
>        Allow from all
>
>        # Use digest auth to check the username/password pair
>        AuthType Digest
>        AuthName "Manager System"
>        # no one gets in without a valid username/password pair
>        Require valid-user
>
>        # Use these files to find the passwd and group information
>        AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
>        AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
>
>        # Run the Authorizer.sh to veto URL based on the username
>        FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
>
>    </Location>
>
> What triggers HTTPD to call the Authorizer.sh code?
> Surely not the commands that control authentication checks?
>
> I cannot find Require valid-group defined in the 2.2 docs.
>
> Do you mean I need to add:
>
>              Require group nosuchgroup

This does not work...
>
> And that will cause the mod_authn_user (or what ever module) to try
> and match nosuchgroup. When it fails my Authenicator will be run
> to see if it can handle that directive?
>
> Isn't this module crying out for a directive like:
>
>            Require fcgid-authenticater-user-is-valid
>
> Barry
>
>

Barry


Re: mod_fcgid - cannot get authorizer process to be started

Posted by Barry Scott <ba...@onelan.co.uk>.
Jeff Trawick wrote:
> On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott <barry.scott@onelan.co.uk> wrote:
>
>     Jeff Trawick wrote:
>
>         On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
>         <barry.scott@onelan.co.uk> wrote:
>
>            The mod_fcgid page says to ask on dev I assume that this is the
>            right place to ask.
>
>            I'm using mod_fcgid from svn with HTTPD 2.2.
>
>            I want to use a fast CGI authorizer to allow me to control
>         access
>            based on my rules.
>            The authorizer needs to be a long running process - never
>         exits.
>
>            I know that the fcgid code is noticing the directive
>         because I can
>            change the filename
>            and see the error message from the sources.
>
>            But I'm at a lose as to the required to get this
>         configuration to
>            actually call my code.
>            mod_fcgid is not starting up the authorizer process.
>
>            I have the following fcgid specific lines in my httpd.conf
>         file:
>
>            ---- httpd.conf ----
>            ...
>            LoadModule fcgid_module modules/mod_fcgid.so
>            ...
>
>            Listen *:9000
>            <VirtualHost *:9000>
>             <Location />
>                 Order allow,deny
>                 Allow from all
>                 AuthType Digest
>
>
>         Did you really mean Digest authentication instead of Basic
>         authentication?
>
>         mod_fcgid only supports Basic, AFAICT.
>
>            /* Get the user password */
>            if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>                return res;
>
>
>     I don't want to be an authenticator, I want to be a authorizer.
>     Authorizer has no need of passwords right.
>
>
> whoops :(
>
> yes
>
> your "require valid-user" implies that you don't need authorization; 
> try "require valid-group" instead

I want the user's password checked and to only proceed if it is valid.
I also want to run the fcgi Authorizer to check that the URL being
accessed is allowed according to the logic in my Authorizer code.

To that end I have the following:

    <Location />
        Order allow,deny
        Allow from all

        # Use digest auth to check the username/password pair
        AuthType Digest
        AuthName "Manager System"
        # no one gets in without a valid username/password pair
        Require valid-user

        # Use these files to find the passwd and group information
        AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
        AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

        # Run the Authorizer.sh to veto URL based on the username
        FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
    </Location>

What triggers HTTPD to call the Authorizer.sh code?
Surely not the commands that control authentication checks?

I cannot find Require valid-group defined in the 2.2 docs.

Do you mean I need to add:

              Require group nosuchgroup

And that will cause the mod_authn_user (or whatever module) to try
and match nosuchgroup. When it fails my Authenticator will be run
to see if it can handle that directive?

Isn't this module crying out for a directive like:

            Require fcgid-authenticater-user-is-valid

Barry


Re: mod_fcgid - cannot get authorizer process to be started

Posted by Jeff Trawick <tr...@gmail.com>.
On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott <ba...@onelan.co.uk> wrote:

> Jeff Trawick wrote:
>
>> On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott <barry.scott@onelan.co.uk> wrote:
>>
>>    The mod_fcgid page says to ask on dev I assume that this is the
>>    right place to ask.
>>
>>    I'm using mod_fcgid from svn with HTTPD 2.2.
>>
>>    I want to use a fast CGI authorizer to allow me to control access
>>    based on my rules.
>>    The authorizer needs to be a long running process - never exits.
>>
>>    I know that the fcgid code is noticing the directive because I can
>>    change the filename
>>    and see the error message from the sources.
>>
>>    But I'm at a lose as to the required to get this configuration to
>>    actually call my code.
>>    mod_fcgid is not starting up the authorizer process.
>>
>>    I have the following fcgid specific lines in my httpd.conf file:
>>
>>    ---- httpd.conf ----
>>    ...
>>    LoadModule fcgid_module modules/mod_fcgid.so
>>    ...
>>
>>    Listen *:9000
>>    <VirtualHost *:9000>
>>     <Location />
>>         Order allow,deny
>>         Allow from all
>>         AuthType Digest
>>
>>
>> Did you really mean Digest authentication instead of Basic authentication?
>>
>> mod_fcgid only supports Basic, AFAICT.
>>
>>    /* Get the user password */
>>    if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>>        return res;
>>
>>
> I don't want to be an authenticator, I want to be a authorizer.
> Authorizer has no need of passwords right.
>

whoops :(

yes

your "require valid-user" implies that you don't need authorization; try
"require valid-group" instead

Re: mod_fcgid - cannot get authorizer process to be started

Posted by Barry Scott <ba...@onelan.co.uk>.
Jeff Trawick wrote:
> On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott <barry.scott@onelan.co.uk> wrote:
>
>     The mod_fcgid page says to ask on dev I assume that this is the
>     right place to ask.
>
>     I'm using mod_fcgid from svn with HTTPD 2.2.
>
>     I want to use a fast CGI authorizer to allow me to control access
>     based on my rules.
>     The authorizer needs to be a long running process - never exits.
>
>     I know that the fcgid code is noticing the directive because I can
>     change the filename
>     and see the error message from the sources.
>
>     But I'm at a lose as to the required to get this configuration to
>     actually call my code.
>     mod_fcgid is not starting up the authorizer process.
>
>     I have the following fcgid specific lines in my httpd.conf file:
>
>     ---- httpd.conf ----
>     ...
>     LoadModule fcgid_module modules/mod_fcgid.so
>     ...
>
>     Listen *:9000
>     <VirtualHost *:9000>
>      <Location />
>          Order allow,deny
>          Allow from all
>          AuthType Digest
>
>
> Did you really mean Digest authentication instead of Basic authentication?
>
> mod_fcgid only supports Basic, AFAICT.
>
>     /* Get the user password */
>     if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>         return res;
>

I don't want to be an authenticator, I want to be an authorizer.
Authorizer has no need of passwords, right?

Barry



Re: mod_fcgid - cannot get authorizer process to be started

Posted by Jeff Trawick <tr...@gmail.com>.
On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott <ba...@onelan.co.uk> wrote:

> The mod_fcgid page says to ask on dev I assume that this is the right place
> to ask.
>
> I'm using mod_fcgid from svn with HTTPD 2.2.
>
> I want to use a fast CGI authorizer to allow me to control access based on
> my rules.
> The authorizer needs to be a long running process - never exits.
>
> I know that the fcgid code is noticing the directive because I can change
> the filename
> and see the error message from the sources.
>
> But I'm at a lose as to the required to get this configuration to actually
> call my code.
> mod_fcgid is not starting up the authorizer process.
>
> I have the following fcgid specific lines in my httpd.conf file:
>
> ---- httpd.conf ----
> ...
> LoadModule fcgid_module modules/mod_fcgid.so
> ...
>
> Listen *:9000
> <VirtualHost *:9000>
>  <Location />
>      Order allow,deny
>      Allow from all
>      AuthType Digest
>

Did you really mean Digest authentication instead of Basic authentication?

mod_fcgid only supports Basic, AFAICT.

    /* Get the user password */
    if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
        return res;