Posted to users@httpd.apache.org by Ian Zimmerman <it...@buug.org> on 2011/06/15 20:56:36 UTC

[users@httpd] htaccess hell

I (or rather my distro) enabled userdir as follows:

LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so

<IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root

        <Directory /home/*/public_html>
                AllowOverride FileInfo AuthConfig Limit Indexes
                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
                <Limit GET POST OPTIONS>
                        Order allow,deny
                        Allow from all
                </Limit>
                <LimitExcept GET POST OPTIONS>
                        Order deny,allow
                        Deny from all
                </LimitExcept>
        </Directory>
</IfModule>

Document root is configured as follows:

        <Location />
                Options Indexes FollowSymLinks MultiViews
                AuthType Basic
                AuthName "Root Realm"
                AuthBasicProvider file    
                AuthUserFile /etc/apache2/passwd
                Require valid-user
                Order allow,deny
                allow from all
        </Location>

Now, I try to override the auth settings in a subtree of my
~/public_html by putting a .htaccess file there, which reads as follows:

AuthType Basic
AuthName "My Personal Space"
AuthUserFile /etc/apache2/passwd
Require User itz

Yet, no matter how many hairs I pull, when I GET anything under that
subtree, I'm asked to authenticate for "Root Realm".

I know that the .htaccess file is getting read, because when I drop
garbage there I get a server error upon loading that page.  So somehow
the AuthName directive in the .htaccess is getting ignored.  Why??
AllowOverride seems to allow it.

Version info:

 [8]ahiker:~$ dpkg --status apache2
Package: apache2
Status: install ok installed
Priority: optional
Section: httpd
Installed-Size: 36
Maintainer: Debian Apache Maintainers <de...@lists.debian.org>
Architecture: i386
Version: 2.2.16-6+squeeze1

-- 
Ian Zimmerman
gpg public key: 1024D/C6FF61AD 
fingerprint: 66DC D68F 5C1B 4D71 2EE5  BD03 8A00 786C C6FF 61AD
Rule 420: All persons more than eight miles high to leave the court.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] htaccess hell

Posted by Ian Zimmerman <it...@buug.org>.
On Wed, 15 Jun 2011 21:22:28 +0200
Jeroen Geilman <je...@adaptr.nl> wrote:

Ian> >          UserDir public_html
Ian> >          UserDir disabled root
Ian> >
Ian> >          <Directory /home/*/public_html>
Ian> >                  AllowOverride FileInfo AuthConfig Limit Indexes
Ian> >                  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Ian> >                  <Limit GET POST OPTIONS>
Ian> >                          Order allow,deny
Ian> >                          Allow from all
Ian> >                  </Limit>
Ian> >                  <LimitExcept GET POST OPTIONS>
Ian> >                          Order deny,allow
Ian> >                          Deny from all
Ian> >                  </LimitExcept>
Ian> >          </Directory>
Ian> > </IfModule>
Ian> >

Jeroen> urgh

Well, as I wrote, this is the unchanged configuration from Debian.  If I
have to change it I might as well configure all the authentication there
and not bother with .htaccess files.  (I know that works, BTW.)  The
idea was to avoid editing the original configuration as much as
possible.

Ian> > Document root is configured as follows:
Ian> >
Ian> >          <Location />

Jeroen> No. Nonononononononono.  A DocumentRoot MUST point to a physical
Jeroen> filesystem <Directory>.

I misspoke.  There is a normal DocumentRoot definition elsewhere in the
file which does point to a physical directory, namely /var/www.  I just
meant to say this is how I configured the authentication for /.  See
below why I thought this was preferable.

Ian> >                  Options Indexes FollowSymLinks MultiViews
Ian> >                  AuthType Basic
Ian> >                  AuthName "Root Realm"
Ian> >                  AuthBasicProvider file
Ian> >                  AuthUserFile /etc/apache2/passwd
Ian> >                  Require valid-user
Ian> >                  Order allow,deny
Ian> >                  allow from all
Ian> >          </Location>
Ian> >
Ian> > Now, I try to override the auth settings in a subtree of my
Ian> > ~/public_html by putting a .htaccess file there, which reads as follows:

Jeroen> Authentication SHOULD always be done on physical files if possible.
Jeroen> This prevents people bypassing it by using an alternate URL.

I get this point to a degree.  Still, before diving in I'd like to
understand _why_ it fails as it is.  Is it that all the Location info is
applied after all the physical (and htaccess) info and overrides the
latter?

And if I do as you say, it looks like I'd need 2 htaccess files, an
extra one for the top of my public_html, since it won't be covered by
whatever is set for /var/www.  Correct?  And I'll also need to
separately define authentication for all aliases like /usr/share/doc if
I want them covered.  Right?  This is what I was trying to avoid by putting
the Auth stuff in the <Location /> block.

-- 
Ian Zimmerman
gpg public key: 1024D/C6FF61AD 
fingerprint: 66DC D68F 5C1B 4D71 2EE5  BD03 8A00 786C C6FF 61AD
Rule 420: All persons more than eight miles high to leave the court.



Re: [users@httpd] htaccess hell

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 06/15/2011 08:56 PM, Ian Zimmerman wrote:
> I (or rather my distro) enabled userdir as follows:
>
> LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so
>
> <IfModule mod_userdir.c>

urgh
>          UserDir public_html
>          UserDir disabled root
>
>          <Directory /home/*/public_html>
>                  AllowOverride FileInfo AuthConfig Limit Indexes

Don't allow Limit overrides here.

>                  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
>                  <Limit GET POST OPTIONS>
>                          Order allow,deny
>                          Allow from all
>                  </Limit>
>                  <LimitExcept GET POST OPTIONS>
>                          Order deny,allow
>                          Deny from all
>                  </LimitExcept>

Exactly the same thing twice. Use LimitExcept.

>          </Directory>
> </IfModule>
>
> Document root is configured as follows:
>
>          <Location />

No. Nonononononononono.

A DocumentRoot MUST point to a physical filesystem <Directory>.

>                  Options Indexes FollowSymLinks MultiViews
>                  AuthType Basic
>                  AuthName "Root Realm"
>                  AuthBasicProvider file
>                  AuthUserFile /etc/apache2/passwd
>                  Require valid-user
>                  Order allow,deny
>                  allow from all
>          </Location>
>
> Now, I try to override the auth settings in a subtree of my
> ~/public_html by putting a .htaccess file there, which reads as follows:
>

Authentication SHOULD always be done on physical files if possible.
This prevents people bypassing it by using an alternate URL.


> AuthType Basic
> AuthName "My Personal Space"
> AuthUserFile /etc/apache2/passwd
> Require User itz
>
> Yet, no matter how many hairs I pull, when I GET anything under that
> subtree, I'm asked to authenticate for "Root Realm".
>

Fix the above first, it will be obvious then.


> I know that the .htaccess file is getting read, because when I drop
> garbage there I get a server error upon loading that page.  So somehow
> the AuthName directive in the .htaccess is getting ignored.  Why??
> AllowOverride seems to allow it.
>
> Version info:
>
>   [8]ahiker:~$ dpkg --status apache2
> Package: apache2
> Status: install ok installed
> Priority: optional
> Section: httpd
> Installed-Size: 36
> Maintainer: Debian Apache Maintainers<de...@lists.debian.org>
> Architecture: i386
> Version: 2.2.16-6+squeeze1
>


-- 
J.




[users@httpd] Re: htaccess hell

Posted by Ian Zimmerman <it...@buug.org>.
On Wed, 15 Jun 2011 23:11:29 +0200
Stefan Fritsch <sf...@sfritsch.de> wrote:

Ian> I know that the .htaccess file is getting read, because when I drop
Ian> garbage there I get a server error upon loading that page.  So
Ian> somehow the AuthName directive in the .htaccess is getting ignored.
Ian> Why?? AllowOverride seems to allow it.

Stefan> See http://httpd.apache.org/docs/2.2/sections.html#mergin

Stefan> <Location> always wins against .htaccess

Thanks, this was the precise answer I was looking for.  I swear I have
read that part of the documentation, but obviously not carefully enough.

-- 
Ian Zimmerman
gpg public key: 1024D/C6FF61AD 
fingerprint: 66DC D68F 5C1B 4D71 2EE5  BD03 8A00 786C C6FF 61AD
Rule 420: All persons more than eight miles high to leave the court.

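The configuration below is an added example, not from the thread, showing how Stefan's merge-order point plays out and how it answers Ian's question about needing a second .htaccess and extra alias rules: the site-wide auth is anchored on <Directory /> instead of <Location />, so a user's .htaccess (merged at the <Directory> stage) can override it. Paths follow the Debian layout quoted in the thread; the /doc alias and the private/ subdirectory are constructed for illustration.

```apache
# Apache 2.2 merge order (sections.html#merging): non-regex <Directory>
# and .htaccess are merged first, most specific directory last, with
# .htaccess winning where AllowOverride permits; <Files>, then <Location>
# are applied afterwards. A <Location /> therefore overrides every
# .htaccess, which is exactly the "Root Realm" prompt Ian kept seeing.

# Site-wide default, anchored on the filesystem. Because it is a
# <Directory>, a more specific <Directory> or an allowed .htaccess
# merges on top of it. It also covers /var/www, /home/*/public_html
# and aliased paths such as /usr/share/doc without extra blocks.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    AuthType Basic
    AuthName "Root Realm"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/passwd
    Require valid-user
</Directory>

# Per-user directories may override auth settings. Limit is deliberately
# not delegated (Jeroen's remark); AuthConfig is what the override needs.
<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Order allow,deny
    Allow from all
</Directory>

# Hypothetical alias outside DocumentRoot: <Directory /> above already
# applies the site-wide Require, so only Options need stating here.
Alias /doc /usr/share/doc
<Directory /usr/share/doc>
    Options Indexes FollowSymLinks
</Directory>

# Constructed /home/itz/public_html/private/.htaccess, merged after
# <Directory /> and <Directory /home/*/public_html>, so its AuthName
# and Require replace the site-wide ones for this subtree only.
#
#   AuthType Basic
#   AuthName "My Personal Space"
#   AuthUserFile /etc/apache2/passwd
#   Require user itz
```

Verify with `apache2ctl -t` before reloading; a request to /~itz/private/ should then prompt for "My Personal Space" while the rest of the site still prompts for "Root Realm".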