You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Mike Dewhirst <mi...@dewhirst.com.au> on 2005/11/17 05:02:38 UTC
Re: [users@httpd] [SOLVED] basic auth config
Mike Dewhirst wrote:
> Mike Dewhirst wrote:
>
>> Boyle Owen wrote:
>>
>>>> -----Original Message-----
>>>> From: Mike Dewhirst [mailto:miked@dewhirst.com.au]
>
> <snip>
>
>>> Some people are convinced the Earth is flat but that don't make it so
>>> :-) By far the most likely reason for your problem still is that
>>> apache is misconfigured.
My deepest most dyslexic apologies for wasting your bandwidth. The error
log gave me the answer /svr/... is not /srv/...
Sorry one and all
Mike
>
>
> You are still right and I am up a gum tree.
>
> I can edit my Basic Auth entry realm and see it change in the userid
> dialog in the browser so I at least know SuSE Linux 9.1, Apache 2.0.53
> is reading what I write. However none of my password attempts work. I
> even started a spurious thread (sorry!) before checking the error_log.
>
> httpd -t returns Syntax OK
>
> Here are some relevant error_log entries ...
>
> [Thu Nov 17 11:02:37 2005] [error] [client 192.168.0.29] Could not fetch
> resource information. [301, #0]
> [Thu Nov 17 11:02:37 2005] [error] [client 192.168.0.29] (84)Invalid or
> incomplete multibyte or wide character: Requests for a collection must
> have a trailing slash on the URI. [301, #0]
>
> This was another machine which I used to access one of the subversion
> repositories successfully. I didn't know it produced these errors until
> I checked for the basic auth errors below!
>
> <error_log>
>
> [Thu Nov 17 11:14:27 2005] [error] [client 192.168.0.38] (2)No such file
> or directory: Could not open password file:
> /svr/www/data/pwl/academics/memb
> [Thu Nov 17 11:14:27 2005] [error] [client 192.168.0.38] user miked not
> found: /auth/mcfs/
>
> </error_log>
>
> That /svr/www/data/pwl/academics/memb password file definitely exists
> and all the permissions are OK (775) and owner of every directory in
> that path and the memb file itself is wwwrun.www
>
> The Basic Auth config is as follows ...
>
> #
> <IfModule mod_alias.c>
> Alias /auth/mcfs /srv/www/htdocs/auth/mcfs
> </IfModule>
> #
> <Directory /srv/www/htdocs/auth/mcfs>
> Order allow,deny
> Allow from all
> </Directory>
> #
> <Location /auth/mcfs>
> AuthType Basic
> AuthName "Academics"
> AuthUserFile /svr/www/data/pwl/academics/memb
> Require valid-user
> </Location>
> #
>
> Here are the modules apache loads from
> /etc/apache2/sysconfig.d/loadmodule.conf ...
>
> #
> # Files in this directory are created at apache start time by
> /usr/sbin/rcapache2.
> # Do not edit them!
> #
>
> # as listed in APACHE_MODULES (/etc/sysconfig/apache2)
>
> LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
> LoadModule actions_module /usr/lib/apache2-prefork/mod_actions.so
> LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
> LoadModule asis_module /usr/lib/apache2-prefork/mod_asis.so
> LoadModule auth_module /usr/lib/apache2-prefork/mod_auth.so
> LoadModule autoindex_module /usr/lib/apache2-prefork/mod_autoindex.so
> LoadModule cgi_module /usr/lib/apache2-prefork/mod_cgi.so
> LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
> LoadModule dav_svn_module /usr/lib/apache2/mod_dav_svn.so
> LoadModule authz_svn_module /usr/lib/apache2/mod_authz_svn.so
> LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
> LoadModule env_module /usr/lib/apache2-prefork/mod_env.so
> LoadModule imap_module /usr/lib/apache2-prefork/mod_imap.so
> LoadModule include_module /usr/lib/apache2-prefork/mod_include.so
> LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
> LoadModule mime_module /usr/lib/apache2-prefork/mod_mime.so
> LoadModule negotiation_module /usr/lib/apache2-prefork/mod_negotiation.so
> LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
> LoadModule status_module /usr/lib/apache2-prefork/mod_status.so
> #
>
> As previously indicated, subversion is working perfectly with this
> configuration. It calls for a Basic Auth userid and password which work
> fine and generously let me see the contents of the repositories despite
> the errors shown in the log. However, as you can see, passwords are
> stored elsewhere. Here is the working subversion.conf ...
>
> # subversion
> # see /usr/share/doc/packages/subversion for the full documentation
> #
> <IfModule mod_dav_svn.c>
> <IfModule mod_alias.c>
> Alias /repos /srv/svn/html
> </IfModule>
> #
> <Directory /srv/svn/html>
> Options Indexes +Multiviews -FollowSymLinks
> IndexOptions FancyIndexing \
> ScanHTMLTitles \
> NameWidth=* \
> DescriptionWidth=* \
> SuppressLastModified \
> SuppressSize
> Order allow,deny
> Allow from all
> </Directory>
> #
> <Location /repos>
> DAV svn
> SVNParentPath /srv/svn/repos
> # Require SSL connection for password protection.
> # SSLRequireSSL
> AuthType Basic
> AuthName "repositories"
> AuthUserFile /srv/svn/user_access/auth-file
> AuthzSVNAccessFile /srv/svn/user_access/access-policy
> Require valid-user
> </Location>
> </IfModule>
> #
>
> I really appreciate your help.
>
> Thanks
>
> Mike
>
>
>
>
>>
>>>
>>> I have a couple of points you might like to consider:
>>>
>>> 1) Your config structure is complicated (/etc/Apache2/httpd.conf
>>> includes /etc/Apache2/default_server.conf and
>>> /etc/Apache2/conf.d/basic_auth.conf... I think?). There's nothing
>>> wrong in principle with using Include but it does lead to complicated
>>> configs where the order and positioning of the Include statements
>>> becomes vitally important. Your "directive having no effect" problem
>>> is typical of a misconfiguration in such a set up. As an exercise,
>>> open up a copy of the main config file in an editor and then, using
>>> cut'n'paste, replace the Includes with the actual contents of the
>>> subsidiary config files. This will produce a single, flat config
>>> which is what apache sees. Read that - does it seem to make sense?
>>> Having said that, I believe you have moved the Auth directives into
>>> the main config and they are still apparently ignored.
>>>
>>> 2) You are still a bit ambiguous about how apache is started... I get
>>> the impression that you routinely start it using "apache2ctl start".
>>> But when you test it to see if the syntax error is reported, you use
>>> "./httpd". Look inside apache2ctl (it is just a shell script) - does
>>> it have a "-f" argument to "httpd"? If so, this is the config file
>>> apache uses. When you start with "./httpd" on the command line,
>>> apache uses a compiled-in path to the config file. To see this, do
>>> "./httpd -V" and check the lines "HTTPD_ROOT" and
>>> "SERVER_CONFIG_FILE". Is this the same as in "apache2ctl"?
>>>
>>> 3) Could it be that there are two virtual hosts leading to the same
>>> content? Eg, if you set up VH1 and VH2 with the same (or overlapping)
>>> docroots and then put all your Auth directives under VH2, they would
>>> be ignored if the URL actually led to the content via VH1. This could
>>> happen if you screwed up the ServerName in VH2 (because then, apache
>>> serves any unidentified request from VH1 by default)...
>>>
>>> 4) Do you have a "Satisfy Any" directive anywhere in any config file?
>>> You stated earlier that you didn't understand this directive so it
>>> shouldn't be in use anywhere. If it is, you realise that it switches
>>> off password challenges from "Allowed" users...
>>>
>>>
>>>> I can get it to request a userid and password with AllowOverride
>>>> AuthConfig and using a .htaccess file.
>>>
>>>
>>>
>>>
>>> This is a definate indication that apache is either not reading the
>>> file containing these directives or the directory block containing
>>> them is not being read when parsing the request (ie, the request is
>>> going through a different VH).
>>>
>>> As a final thought, just to convince yourself that apache does work
>>> as advertised, make a little hello_world website. Just one file
>>> (index.html) containing "hello world" in one dir (eg
>>> /tmp/hello_world). Config file:
>>>
>>> /tmp/hw.conf contains:
>>>
>>> DocumentRoot /tmp/hello_world
>>> <Directory /tmp/hello_world>
>>> Allow from all
>>> </Directory>
>>>
>>> (leave everything else as default)
>>>
>>> and start it with:
>>>
>>> ./httpd -f /tmp/hw.conf
>>>
>>> Test it (http://localhost/)
>>>
>>> Now add the Auth directives to the Directory block above. Does it
>>> work now?
>>>
>>> Rgds,
>>> Owen Boyle
>>> Disclaimer: Any disclaimer attached to this message may be ignored.
>>>
>>>
>>>
>>>> Which brings me to a followup question ...
>>>>
>>>> It doesn't like the passwords in the password file. They work fine
>>>> under Apache 1.3 on my ISP's Linux server. I used htpasswd to create
>>>> the passwords.
>>>>
>>>> Is there way to force Apache2 to use DES or whatever Apache 1.3 is
>>>> comfortable with?
>>>>
>>>> Thanks for being there
>>>>
>>>> Mike
>>>>
>>>>
>>>> Mike Dewhirst wrote:
>>>>
>>>>> Joshua Slive wrote:
>>>>>
>>>>>
>>>>>> On 11/12/05, Mike Dewhirst <mi...@dewhirst.com.au> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Does apache2ctl confirm that httpd actually reads that
>>>>
>>>>
>>>>
>>>> file on startup?
>>>>
>>>>>>
>>>>>>
>>>>>> Depends on how httpd normally gets started. If it is started using
>>>>>> apache2ctl, then that is a good indication.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> OK - on investigation it ain't apachectl. It is httpd. I
>>>>
>>>>
>>>>
>>>> ran httpd -t
>>>>
>>>>> and it complained about FooBar Nonsense too.
>>>>>
>>>>> So - we are definitely reading the conf files. That means ...
>>>>>
>>>>> 1. I'm not reaching the right directory - Yes I am. 100% sure.
>>>>>
>>>>> 2. Some sort of caching? 100% no way. I've tried four
>>>>
>>>>
>>>>
>>>> different browsers
>>>>
>>>>> on three different machines.
>>>>>
>>>>> 3. Apache is reading the conf but ignoring the directive
>>>>
>>>>
>>>>
>>>> for some reason
>>>>
>>>>> What else do I need for Basic Auth to work?
>>>>>
>>>>> As it happens, I have subversion running via apache on that
>>>>
>>>>
>>>>
>>>> machine and
>>>>
>>>>> when I access it from a foreign machine it asks me to
>>>>
>>>>
>>>>
>>>> authenticate. I
>>>>
>>>>> have copied subversion.conf below. Maybe I should copy that?
>>>>>
>>>>> Modules? I deleted all files in /etc/apache2/sysconfig.d
>>>>
>>>>
>>>>
>>>> and restarted
>>>>
>>>>> the computer whereupon we got a brand-new loadmodule.conf ...
>>>>>
>>>>> #
>>>>> # Files in this directory are created at apache start time by
>>>>> /usr/sbin/rcapache2.
>>>>> # Do not edit them!
>>>>> #
>>>>>
>>>>> # as listed in APACHE_MODULES (/etc/sysconfig/apache2)
>>>>>
>>>>> LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
>>>>> LoadModule actions_module /usr/lib/apache2-prefork/mod_actions.so
>>>>> LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
>>>>> LoadModule asis_module /usr/lib/apache2-prefork/mod_asis.so
>>>>> LoadModule auth_module /usr/lib/apache2-prefork/mod_auth.so
>>>>> LoadModule autoindex_module
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2-prefork/mod_autoindex.so
>>>>
>>>>> LoadModule cgi_module /usr/lib/apache2-prefork/mod_cgi.so
>>>>> LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
>>>>> LoadModule dav_svn_module
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2/mod_dav_svn.so
>>>>
>>>>> LoadModule authz_svn_module
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2/mod_authz_svn.so
>>>>
>>>>> LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
>>>>> LoadModule env_module /usr/lib/apache2-prefork/mod_env.so
>>>>> LoadModule imap_module /usr/lib/apache2-prefork/mod_imap.so
>>>>> LoadModule include_module /usr/lib/apache2-prefork/mod_include.so
>>>>> LoadModule log_config_module
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2-prefork/mod_log_config.so
>>>>
>>>>> LoadModule mime_module /usr/lib/apache2-prefork/mod_mime.so
>>>>> LoadModule negotiation_module
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2-prefork/mod_negotiation.so
>>>>
>>>>> LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
>>>>> #
>>>>>
>>>>>
>>>>> Here is /etc/apache2/conf.d/subversion.conf
>>>>>
>>>>> # see /usr/share/doc/packages/subversion for the full documentation
>>>>> #
>>>>>
>>>>> <IfModule mod_dav_svn.c>
>>>>>
>>>>> ##
>>>>> ## project related HTML files
>>>>> ##
>>>>> <IfModule mod_alias.c>
>>>>> Alias /repos /srv/svn/html
>>>>> </IfModule>
>>>>> <Directory /srv/svn/html>
>>>>> Options Indexes +Multiviews -FollowSymLinks
>>>>> IndexOptions FancyIndexing \
>>>>> ScanHTMLTitles \
>>>>> NameWidth=* \
>>>>> DescriptionWidth=* \
>>>>> SuppressLastModified \
>>>>> SuppressSize
>>>>>
>>>>> order allow,deny
>>>>> allow from all
>>>>> </Directory>
>>>>> <Location /repos>
>>>>> DAV svn
>>>>> SVNParentPath /srv/svn/repos
>>>>> AuthzSVNAccessFile /srv/svn/user_access/access-policy
>>>>> #<moved from LimitExcept>
>>>>> # how to authenticate users
>>>>> AuthType Basic
>>>>> AuthName "repositories"
>>>>> AuthUserFile /srv/svn/user_access/auth-file
>>>>> Require valid-user
>>>>> #</moved from LimitExcept>
>>>>>
>>>>> # move 'Require valid-user' to here
>>>>> # to provide public read only access
>>>>> # and require a valid user for GET etc below
>>>>> <LimitExcept GET PROPFIND OPTIONS REPORT>
>>>>> #
>>>>> </LimitExcept>
>>>>> </Location>
>>>>> </IfModule>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Joshua.
>>>>>>
>>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>>
>>>>>> The official User-To-User support forum of the Apache HTTP Server
>>>>>> Project.
>>>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>> ---------------------------------------------------------------------
>>>>
>>>>> The official User-To-User support forum of the Apache HTTP
>>>>
>>>>
>>>>
>>>> Server Project.
>>>>
>>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> The official User-To-User support forum of the Apache HTTP Server
>>>> Project.
>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>
>>> Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
>>> keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
>>> e-mail is of a private and personal nature. It is not related to the
>>> exchange or business activities of the SWX Group. Le présent e-mail
>>> est un message privé et personnel, sans rapport avec l'activité
>>> boursière du Groupe SWX.
>>>
>>>
>>> This message is for the named person's use only. It may contain
>>> confidential, proprietary or legally privileged information. No
>>> confidentiality or privilege is waived or lost by any
>>> mistransmission. If you receive this message in error, please notify
>>> the sender urgently and then immediately delete the message and any
>>> copies of it from your system. Please also immediately destroy any
>>> hardcopies of the message. You must not, directly or indirectly, use,
>>> disclose, distribute, print, or copy any part of this message if you
>>> are not the intended recipient. The sender's company reserves the
>>> right to monitor all e-mail communications through their networks.
>>> Any views expressed in this message are those of the individual
>>> sender, except where the message states otherwise and the sender is
>>> authorised to state them to be the views of the sender's company.
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org