You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Sacha Varma <sa...@ssl.co.uk> on 2010/10/25 15:14:58 UTC

[users@httpd] Basic authentication for a virtual/rewritten URL?

Sorry to interrupt you fine folks, I wasn't able to google up the answer 
to this.

Is it possible to configure Apache to do basic authentication for a URL 
that doesn't correspond to a physical location in the filesystem (e.g. 
because it is rewritten to be served by CGI)?

It appears that the authentication directives are only valid in 
Directory and htacces contexts, so I'm not able to password-protect a 
Location.

On a filthy hunch I tried creating the directory in the filesystem that 
would correspond to the URL, and password-protecting that via a 
Directory configuration block, but that didn't work.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Basic authentication for a virtual/rewritten URL?

Posted by Sacha Varma <sa...@ssl.co.uk>.

Ok, thanks Brian.

For the log - after a bit of experimentation, the problem I have appears 
to be that while you can password-protect a Location, Location 
directives are applied after rewrites. So if you have:

     ScriptAlias /cgi-bin/ /some/where/cgi-bin/

     RewriteRule ^.*$ /cgi-bin/my-cms [QSA,PT,L]

     <Location /somepath>
         AuthType Basic
         ....
     </Location>

Your Location will never match (because the Location is always 
/cgi-bin/my-cms by the time Apache applies the Location to it).

I'll see if I can find a way around this that doesn't involve 
implementing basic auth inside the CGI script.



On 26/10/2010 18:07, Brian Hirt wrote:
> I don't use htaccess anywhere, but we use things like this in our config that work just fine.  You might want to make sure your Order and Allow are set up to work correctly.
>
> 	<Location /somepath>
> 		AuthType Basic
> 		  AuthName "Restricted Directory"
> 		  AuthUserFile /some/where/user.pass
> 		  Require user someuser
> 	</Location>
>
>
> On Oct 26, 2010, at 9:55 AM, Sacha Varma wrote:
>
>> On 19:59, Brian Hirt wrote:
>>> Use<Location>   instead of<Directory>
>>
>> That's the first thing I tried, and was surprised when it didn't work.
>>
>> The documentation is explicit though, the only valid contexts for the mod_auth directives are Directory and htaccess:
>>
>>     http://httpd.apache.org/docs/2.0/mod/mod_auth.html
>>
>> Do you have a working example of doing this via<Location>?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Basic authentication for a virtual/rewritten URL?

Posted by Brian Hirt <bh...@me.com>.

I don't use htaccess anywhere, but we use things like this in our config that work just fine.  You might want to make sure your Order and Allow are set up to work correctly.

	<Location /somepath>
		  AuthType Basic
		  AuthName "Restricted Directory"
		  AuthUserFile /some/where/user.pass
		  Require user someuser
	</Location>


On Oct 26, 2010, at 9:55 AM, Sacha Varma wrote:

> On 19:59, Brian Hirt wrote:
>> Use<Location>  instead of<Directory>
> 
> That's the first thing I tried, and was surprised when it didn't work.
> 
> The documentation is explicit though, the only valid contexts for the mod_auth directives are Directory and htaccess:
> 
>    http://httpd.apache.org/docs/2.0/mod/mod_auth.html
> 
> Do you have a working example of doing this via <Location>?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Basic authentication for a virtual/rewritten URL?

Posted by Sacha Varma <sa...@ssl.co.uk>.

On 19:59, Brian Hirt wrote:
> Use<Location>  instead of<Directory>

That's the first thing I tried, and was surprised when it didn't work.

The documentation is explicit though, the only valid contexts for the 
mod_auth directives are Directory and htaccess:

     http://httpd.apache.org/docs/2.0/mod/mod_auth.html

Do you have a working example of doing this via <Location>?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Basic authentication for a virtual/rewritten URL?

Posted by Brian Hirt <bh...@me.com>.

Use <Location> instead of <Directory>

Brian Hirt
bhirt@me.com



On Oct 25, 2010, at 7:14 AM, Sacha Varma wrote:

> Sorry to interrupt you fine folks, I wasn't able to google up the answer to this.
> 
> Is it possible to configure Apache to do basic authentication for a URL that doesn't correspond to a physical location in the filesystem (e.g. because it is rewritten to be served by CGI)?
> 
> It appears that the authentication directives are only valid in Directory and htacces contexts, so I'm not able to password-protect a Location.
> 
> On a filthy hunch I tried creating the directory in the filesystem that would correspond to the URL, and password-protecting that via a Directory configuration block, but that didn't work.
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org