Posted to users@httpd.apache.org by Gary Hennigan <gl...@sandia.gov> on 2002/04/26 20:55:00 UTC

Newbie help with

I'm trying to restrict access to URLs that have a particular string in
them and LocationMatch, along with Digest authentication, seemed to be
exactly what I was looking for. Unfortunately I can't seem to get it
to work. Here's the entry in my configuration file:

<LocationMatch "/cgi-bin/viewcvs.cgi/.*cvsroot=Developer.*">
     AuthType Digest
     AuthName "Developer Access Only"
     AuthDigestFile /etc/herewego
     Order Deny,Allow
     Deny from all
     Require valid-user
</LocationMatch>

What I'm trying to do is require authentication anytime the URL
includes the "cvsroot=Developer" string. But no matter what I do it's
still wide open. I don't have a lot of access restrictions and so I
don't *think* I have a <Directory> section in my config that's
overriding my LocationMatch. Here's an excerpt of what might be
applicable:
============== Begin excerpt
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

<Directory /usr/lib/cgi-bin/>
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

<Directory /usr/lib/cgi-bin/bonsai/>
    AllowOverride None
    Options ExecCGI
    Order deny,allow
    AuthType Digest
    AuthName "Developer Access Only"
    AuthDigestFile /etc/herewego
    Require valid-user
</Directory>

# LocationMatch above inserted here
============== End excerpt

I see the GET request in my logs, and Apache dutifully sends over the
page. Doesn't seem to be using the LocationMatch section at all.

Here's an example from the log:


134.xxx.xxx.xx - - [26/Apr/2002:11:32:42 -0600] "GET /cgi-bin/viewcvs.cgi/Documents/?cvsroot=Developer HTTP/1.1" 200 1754 "http://thehost.sandia.gov/cgi-bin/viewcvs.cgi/?cvsroot=Developer" "Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020412 Debian/1.2.0-6"

What am I missing? Why is it feeding that page out without
authentication? I have DigestAuthentication working fine in the
Directory section above so I have at least an inkling of how to use
authentication. Any ideas appreciated!

Apache Version: 1.3.24

Thanks,
Gary Hennigan


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


SSL and Win2k, narrowing it down...

Posted by Subscribed <su...@myarchive.biz>.
Hi all,
I've got it narrowed down to the openssl libraries ssleay32.dll and
libeay32.dll.
I've downloaded and re-compiled the latest from Openssl.org but with zero
change.
The error coming from the DLL (libeay32.dll) is "The ordinal 291 could not be
located in the dynamic link library
LIBEAY32.DLL".

So... I'm compiling with cygwin and I'm thinking I should use another
compiler.
My question today is...


Is there another way to compile these DLLs on a free compiler? I'm a poor
student :(
or
Can I just "borrow" precompiled DLLs from somewhere on the net and have it
work?

Thanks in advance!

Paisley





Re: Newbie help with

Posted by Jack Nerad <jn...@cimedia.com>.
On Friday 26 April 2002 14:55, Gary Hennigan wrote:
> I'm trying to restrict access to URLs that have a particular string
> in them and LocationMatch, along with Digest authentication, seemed
> to be exactly what I was looking for. Unfortunately I can't seem to
> get it to work. Here's the entry in my configuration file:
>
> <LocationMatch "/cgi-bin/viewcvs.cgi/.*cvsroot=Developer.*">
>      AuthType Digest
>      AuthName "Developer Access Only"
>      AuthDigestFile /etc/herewego
>      Order Deny,Allow
>      Deny from all
>      Require valid-user
> </LocationMatch>
>
> What I'm trying to do is require authentication anytime the URL
> includes the "cvsroot=Developer" string. But no matter what I do it's
> still wide open. I don't have a lot of access restrictions and so I
> don't *think* I have a <Directory> section in my config that's
> overriding my LocationMatch. Here's an excerpt of what might be
> applicable:
> ============== Begin excerpt
> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>
> <Directory /usr/lib/cgi-bin/>
>     AllowOverride None
>     Options ExecCGI
>     Order allow,deny
>     Allow from all
> </Directory>
>
> <Directory /usr/lib/cgi-bin/bonsai/>
>     AllowOverride None
>     Options ExecCGI
>     Order deny,allow
>     AuthType Digest
>     AuthName "Developer Access Only"
>     AuthDigestFile /etc/herewego
>     Require valid-user
> </Directory>
>
> # LocationMatch above inserted here
> ============== End excerpt
>
> I see the GET request in my logs, and Apache dutifully sends over the
> page. Doesn't seem to be using the LocationMatch section at all.
>
> Here's an example from the log:
>
>
> 134.xxx.xxx.xx - - [26/Apr/2002:11:32:42 -0600] "GET
> /cgi-bin/viewcvs.cgi/Documents/?cvsroot=Developer HTTP/1.1" 200 1754
> "http://thehost.sandia.gov/cgi-bin/viewcvs.cgi/?cvsroot=Developer"
> "Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020412
> Debian/1.2.0-6"
>
> What am I missing? Why is it feeding that page out without
> authentication? I have DigestAuthentication working fine in the
> Directory section above so I have at least an inkling of how to use
> authentication. Any ideas appreciated!
>

You are so close.  The problem is not the location, it is the request.
You don't need to use the cvsroot=Developer as a query string to
control the access.  You just pass it as part of the URL.

Instead of doing <a href="/cgi-bin/viewcvs.cgi/?cvsroot=Developer">

do
<a href="/cgi-bin/viewcvs.cgi/cvsroot=Developer">

and that should fix the problem.  Of course, you might also need that
info in the script, but you could include that by doing

<a href="/cgi-bin/viewcvs.cgi/cvsroot=Developer?cvsroot=Developer">

which looks kinda funny; better is

<a href="/cgi-bin/viewcvs.cgi/Developer?cvsroot=Developer">

or whatever you want to have the cvsroot be.

Of course, this won't prevent the script from setting the
cvsroot=Developer, should it be requested to do that in a normal
request (/cgi-bin/viewcvs.cgi?cvsroot=Developer).  And if someone used
a POST request to that same CGI, you'll never actually see the
parameters in the request or in the query string.

The way to avoid that is to 

1) put the authentication in the script

2) check in the script the REQUEST_URI and REMOTE_USER environment 
variables when cvsroot is specified. I'm not crazy about this option 
because I don't _know_ if they can be forged or not...

3) make a copy of the script that does not have the capability to 
switch to the developers' cvsroot and make that script public, while 
password protecting the other completely.

4) Others, more elegant and obvious, that I've overlooked.

Of these solutions, I like 3 the best, but it means that you have to 
maintain two different scripts (that may or may not be a significant 
burden).

(As well, you don't really need the Order deny,allow on that stuff on
the location, as the require valid-user will take care of that.)

--
Jack
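
Added example, not part of Jack's message and not ViewCVS code: a Python sketch of options 1 and 2 above, a CGI-side check that refuses cvsroot=Developer, whether it arrives in the query string or in a URL-encoded POST body, unless the server has set REMOTE_USER. The function names and the sample environments are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# cvsroot value from the thread, compared case-insensitively (assumption).
PROTECTED_ROOTS = {"developer"}
FORM_TYPE = "application/x-www-form-urlencoded"

def requested_roots(environ, body=b""):
    """Collect every cvsroot value sent in the query string or a form POST body.

    Other body encodings (for example multipart) are not parsed in this sketch.
    """
    roots = list(parse_qs(environ.get("QUERY_STRING", "")).get("cvsroot", []))
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if environ.get("REQUEST_METHOD") == "POST" and ctype == FORM_TYPE:
        roots += parse_qs(body.decode("latin-1")).get("cvsroot", [])
    return roots

def authorize(environ, body=b""):
    """Return (status, reason) for a request described by its CGI variables."""
    wanted = {r.strip().lower() for r in requested_roots(environ, body)}
    if not wanted & PROTECTED_ROOTS:
        return 200, "public root"
    # REMOTE_USER is filled in by the web server after authentication
    # succeeds; it is not copied from a request header.
    user = environ.get("REMOTE_USER", "")
    if not user:
        return 403, "protected cvsroot requested without authentication"
    return 200, "authenticated as " + user

# Constructed CGI environments for illustration.
SAMPLES = [
    ({"REQUEST_METHOD": "GET", "QUERY_STRING": "cvsroot=Developer"}, b""),
    ({"REQUEST_METHOD": "POST", "QUERY_STRING": "",
      "CONTENT_TYPE": FORM_TYPE}, b"cvsroot=Developer"),
    ({"REQUEST_METHOD": "GET", "QUERY_STRING": "cvsroot=Developer",
      "REMOTE_USER": "gary"}, b""),
]

if __name__ == "__main__":
    for env, body in SAMPLES:
        print(env["REQUEST_METHOD"], authorize(env, body))
```

REMOTE_USER is only populated when the request passed through a section that performed authentication, so the check pairs with a protected URL form such as the ones suggested above.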



Re: Newbie help with

Posted by Joshua Slive <jo...@slive.ca>.
On 26 Apr 2002, Gary Hennigan wrote:

> I'm trying to restrict access to URLs that have a particular string in
> them and LocationMatch, along with Digest authentication, seemed to be
> exactly what I was looking for. Unfortunately I can't seem to get it
> to work. Here's the entry in my configuration file:
>
> <LocationMatch "/cgi-bin/viewcvs.cgi/.*cvsroot=Developer.*">

> 134.xxx.xxx.xx - - [26/Apr/2002:11:32:42 -0600] "GET /cgi-bin/viewcvs.cgi/Documents/?cvsroot=Developer HTTP/1.1" 200 1754 "http://thehost.sandia.gov/cgi-bin/viewcvs.cgi/?cvsroot=Developer" "Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020412 Debian/1.2.0-6"
>

Unfortunately, LocationMatch does not match against the query string
(the part after the ? in the URL).

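One possible workaround (untested):
RewriteEngine On
# Flag requests whose query string selects the Developer root
RewriteCond %{QUERY_STRING} cvsroot=Developer
RewriteRule /cgi-bin/viewcvs.cgi.* - [E=developer:1]

# Intended effect: unflagged requests pass the host check,
# flagged requests must authenticate
Order deny,allow
deny from all
allow from env=!developer
require valid-user
satisfy any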

That's pretty darn complicated (and I'm not even sure that it works),
but I can't think of a better way to do it.

Joshua.
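
Added example, not part of Joshua's reply: a Python model of the point above, that the LocationMatch regex is tested against the path only, combined with a log check for requests that were served with cvsroot=Developer in the query string and no authenticated user. The log lines are constructed (the first mirrors the request in the thread) and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Regex copied from the <LocationMatch> section in the original post.
LOCATION_RE = re.compile(r"/cgi-bin/viewcvs.cgi/.*cvsroot=Developer.*")
# Common Log Format prefix: host ident user [time] "METHOD target PROTO" status
CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def section_applies(target):
    """Model LocationMatch: the regex sees the path, never the query string."""
    return bool(LOCATION_RE.search(urlsplit(target).path))

def unauthenticated_developer_hits(log_lines):
    """Return targets served with 2xx, no logged user, and cvsroot=Developer."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        _host, user, _method, target, status = m.groups()
        roots = parse_qs(urlsplit(target).query).get("cvsroot", [])
        if "Developer" in roots and status.startswith("2") and user == "-":
            hits.append(target)
    return hits

# Constructed sample lines; addresses are documentation-range placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2002:11:32:42 -0600] '
    '"GET /cgi-bin/viewcvs.cgi/Documents/?cvsroot=Developer HTTP/1.1" 200 1754',
    '192.0.2.10 - gary [26/Apr/2002:11:40:02 -0600] '
    '"GET /cgi-bin/viewcvs.cgi/cvsroot=Developer?cvsroot=Developer HTTP/1.1" 200 1810',
    '192.0.2.11 - - [26/Apr/2002:11:41:15 -0600] '
    '"GET /cgi-bin/viewcvs.cgi/?cvsroot=Public HTTP/1.1" 200 1600',
]

if __name__ == "__main__":
    for target in unauthenticated_developer_hits(SAMPLE_LOG):
        print("served without auth:", target,
              "| LocationMatch applies:", section_applies(target))
```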


