Posted to users@httpd.apache.org by Gary Hennigan <gl...@sandia.gov> on 2002/04/26 20:55:00 UTC
Newbie help with
I'm trying to restrict access to URLs that have a particular string in
them and LocationMatch, along with Digest authentication, seemed to be
exactly what I was looking for. Unfortunately I can't seem to get it
to work. Here's the entry in my configuration file:
<LocationMatch "/cgi-bin/viewcvs.cgi/.*cvsroot=Developer.*">
AuthType Digest
AuthName "Developer Access Only"
AuthDigestFile /etc/herewego
Order Deny,Allow
Deny from all
Require valid-user
</LocationMatch>
What I'm trying to do is require authentication anytime the URL
includes the "cvsroot=Developer" string. But no matter what I do it's
still wide open. I don't have a lot of access restrictions and so I
don't *think* I have a <Directory> section in my config that's
overriding my LocationMatch. Here's an excerpt of what might be
applicable:
============== Begin excerpt
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory /usr/lib/cgi-bin/>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
<Directory /usr/lib/cgi-bin/bonsai/>
AllowOverride None
Options ExecCGI
Order deny,allow
AuthType Digest
AuthName "Developer Access Only"
AuthDigestFile /etc/herewego
Require valid-user
</Directory>
# LocationMatch above inserted here
============== End excerpt
I see the GET request in my logs, and Apache dutifully sends over the
page. Doesn't seem to be using the LocationMatch section at all.
Here's an example from the log:
134.xxx.xxx.xx - - [26/Apr/2002:11:32:42 -0600] "GET /cgi-bin/viewcvs.cgi/Documents/?cvsroot=Developer HTTP/1.1" 200 1754 "http://thehost.sandia.gov/cgi-bin/viewcvs.cgi/?cvsroot=Developer" "Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020412 Debian/1.2.0-6"
What am I missing? Why is it feeding that page out without
authentication? I have DigestAuthentication working fine in the
Directory section above so I have at least an inkling of how to use
authentication. Any ideas appreciated!
Apache Version: 1.3.24
Thanks,
Gary Hennigan
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
SSL and Win2k, narrowing it down...
Posted by Subscribed <su...@myarchive.biz>.
Hi all,
I've got it narrowed down to the openssl libraries ssleay32.dll and
libeay32.dll.
I've downloaded and re-compiled the latest from Openssl.org but with zero
change.
The error coming from the dll (libeay32.dll) is The ordinal 291 could not be
located in the dynamic link library
LIBEAY32.DLL
So... I'm compiling with cygwin and I'm thinking I should use another
compiler.
My question today is...
Is there another way to compile these dll's on a free compiler? I'm a poor
student :(
or
Can I just "borrow" precompiled dll's from somewhere on the net and have it
work?
Thanks in advance!
Paisley
Re: Newbie help with
Posted by Jack Nerad <jn...@cimedia.com>.
On Friday 26 April 2002 14:55, Gary Hennigan wrote:
> I'm trying to restrict access to URLs that have a particular string
> in them and LocationMatch, along with Digest authentication, seemed
> to be exactly what I was looking for. Unfortunately I can't seem to
> get it to work. Here's the entry in my configuration file:
>
> <LocationMatch "/cgi-bin/viewcvs.cgi/.*cvsroot=Developer.*">
> AuthType Digest
> AuthName "Developer Access Only"
> AuthDigestFile /etc/herewego
> Order Deny,Allow
> Deny from all
> Require valid-user
> </LocationMatch>
>
> What I'm trying to do is require authentication anytime the URL
> includes the "cvsroot=Developer" string. But no matter what I do it's
> still wide open. I don't have a lot of access restrictions and so I
> don't *think* I have a <Directory> section in my config that's
> overriding my LocationMatch. Here's an excerpt of what might be
> applicable:
> ============== Begin excerpt
> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>
> <Directory /usr/lib/cgi-bin/>
> AllowOverride None
> Options ExecCGI
> Order allow,deny
> Allow from all
> </Directory>
>
> <Directory /usr/lib/cgi-bin/bonsai/>
> AllowOverride None
> Options ExecCGI
> Order deny,allow
> AuthType Digest
> AuthName "Developer Access Only"
> AuthDigestFile /etc/herewego
> Require valid-user
> </Directory>
>
> # LocationMatch above inserted here
> ============== End excerpt
>
> I see the GET request in my logs, and Apache dutifully sends over the
> page. Doesn't seem to be using the LocationMatch section at all.
>
> Here's an example from the log:
>
>
> 134.xxx.xxx.xx - - [26/Apr/2002:11:32:42 -0600] "GET
> /cgi-bin/viewcvs.cgi/Documents/?cvsroot=Developer HTTP/1.1" 200 1754
> "http://thehost.sandia.gov/cgi-bin/viewcvs.cgi/?cvsroot=Developer"
> "Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020412
> Debian/1.2.0-6"
>
> What am I missing? Why is it feeding that page out without
> authentication? I have DigestAuthentication working fine in the
> Directory section above so I have at least an inkling of how to use
> authentication. Any ideas appreciated!
>
You are so close. The problem is not the location, it is the request.
You don't need to use the cvsroot=Developer as a query string to
control the access. You just pass it as part of the URL.
Instead of doing
<a href="/cgi-bin/viewcvs.cgi/?cvsroot=Developer">
do
<a href="/cgi-bin/viewcvs.cgi/cvsroot=Developer">
and that should fix the problem. (Of course, you might also need that
info in the script..., but you could include that by doing
<a href="/cgi-bin/viewcvs.cgi/cvsroot=Developer?cvsroot=Developer">
which looks kinda funny, better is
<a href="/cgi-bin/viewcvs.cgi/Developer?cvsroot=Developer">
or whatever you want to have the cvsroot be.)
Of course, this won't prevent the script from setting the
cvsroot=Developer, should it be requested to do that in a normal
request. (/cgi-bin/viewcvs.cgi?cvsroot=Developer) And if someone used
a POST request to that same cgi, you'll never actually see the
parameters in the request or in the query string.
The way to avoid that is to
1) put the authentication in the script
2) check in the script the REQUEST_URI and REMOTE_USER environment
variables when cvsroot is specified. I'm not crazy about this option
because I don't _know_ if they can be forged or not...
3) make a copy of the script that does not have the capability to
switch to the developers' cvsroot and make that script public, while
password protecting the other completely.
4) Others, more elegant and obvious, that I've overlooked.
Of these solutions, I like 3 the best, but it means that you have to
maintain two different scripts (that may or may not be a significant
burden).
(As well.. you don't really need the Order deny,allow on that stuff on
the location as the require valid user will take care of that.)
--
Jack
Re: Newbie help with
Posted by Joshua Slive <jo...@slive.ca>.
On 26 Apr 2002, Gary Hennigan wrote:
> I'm trying to restrict access to URLs that have a particular string in
> them and LocationMatch, along with Digest authentication, seemed to be
> exactly what I was looking for. Unfortunately I can't seem to get it
> to work. Here's the entry in my configuration file:
>
> <LocationMatch "/cgi-bin/viewcvs.cgi/.*cvsroot=Developer.*">
> 134.xxx.xxx.xx - - [26/Apr/2002:11:32:42 -0600] "GET /cgi-bin/viewcvs.cgi/Documents/?cvsroot=Developer HTTP/1.1" 200 1754 "http://thehost.sandia.gov/cgi-bin/viewcvs.cgi/?cvsroot=Developer" "Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020412 Debian/1.2.0-6"
>
Unfortunately, LocationMatch does not match against the query string
(the part after the ? in the URL).
One possible workaround (untested):
RewriteEngine On
RewriteCond %{QUERY_STRING} cvsroot=Developer
RewriteRule /cgi-bin/viewcvs.cgi.* - [E=developer:1]
Order deny,allow
deny from all
allow from env=!developer
require valid-user
satisfy any
That's pretty darn complicated (and I'm not even sure that it works),
but I can't think of a better way to do it.
Joshua.
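Added example (not part of the thread and not ViewCVS code): a Python illustration of the two points made in the replies above, that LocationMatch tests only the URL path, and that a check placed inside the script has to look for cvsroot in both the query string and a POST body. PROTECTED_ROOTS, FORM_TYPE, the function names and the sample requests are assumptions made for illustration; the check relies on REMOTE_USER, which the server fills in only after it has authenticated the request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Regex copied from the LocationMatch section in the original post.
LOCATION_PATTERN = re.compile(r"/cgi-bin/viewcvs.cgi/.*cvsroot=Developer.*")
PROTECTED_ROOTS = {"Developer"}  # assumption: roots that require a login
FORM_TYPE = "application/x-www-form-urlencoded"


def location_match_applies(request_target):
    """Mimic LocationMatch: the regex is tried on the URL path only."""
    return LOCATION_PATTERN.search(urlsplit(request_target).path) is not None


def requested_roots(environ, body=""):
    """Collect every cvsroot value from the query string and a form body."""
    # parse_qs percent-decodes, so cvsroot=%44eveloper yields "Developer".
    roots = set(parse_qs(environ.get("QUERY_STRING", "")).get("cvsroot", []))
    is_form = environ.get("CONTENT_TYPE", "").startswith(FORM_TYPE)
    if environ.get("REQUEST_METHOD") == "POST" and is_form:
        roots.update(parse_qs(body).get("cvsroot", []))
    return roots


def decide(environ, body=""):
    """Return 'auth-required' when a protected root is asked for anonymously."""
    wants_protected = bool(requested_roots(environ, body) & PROTECTED_ROOTS)
    if wants_protected and not environ.get("REMOTE_USER"):
        return "auth-required"
    return "allow"


if __name__ == "__main__":
    # Sample requests: the first path is the one in the posted log line,
    # the rest are constructed for this example.
    for target in ("/cgi-bin/viewcvs.cgi/Documents/?cvsroot=Developer",
                   "/cgi-bin/viewcvs.cgi/cvsroot=Developer"):
        print(target, "->", location_match_applies(target))
    anon_get = {"REQUEST_METHOD": "GET", "QUERY_STRING": "cvsroot=%44eveloper"}
    anon_post = {"REQUEST_METHOD": "POST", "QUERY_STRING": "",
                 "CONTENT_TYPE": FORM_TYPE}
    print(decide(anon_get), decide(anon_post, "cvsroot=Developer"))
    print(decide(dict(anon_get, REMOTE_USER="gary")))
```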