Posted to users@httpd.apache.org by "Robert L. Harris" <Ro...@rdlg.net> on 2003/06/18 17:46:03 UTC
[users@httpd] apache2 and htaccess files?
I'm trying to lock down some directories on a server before I put it
live. The .htaccess files though seem to have no bearing and are not
preventing anyone anywhere from accessing the site. Here's what I have:
Debian unstable, kernel 2.4.21 (same problem since kernel 2.4.18 though)
dpkg -l | grep -i apache:
ii apache2-common 2.0.46-3 Next generation, scalable, extendable web se
ii apache2-mpm-wo 2.0.46-3 High speed threaded model for Apache2
ii libapache-mod- 2.8.14-3.0.ipv Documentation for Apache module mod_ssl
ii libapr0 2.0.46-3 The Apache Portable Runtime
root 9688 1 0 Jun12 ? 00:00:13 /usr/sbin/apache2 -k start -DSSL
www-data 27866 9688 0 11:29 ? 00:00:00 /usr/sbin/apache2 -k start -DSSL
.
.<more children>
Snippets from my /etc/apache2/apache.conf:
AccessFileName .htaccess
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
<Directory />
Options FollowSymLinks
# AllowOverride None
AllowOverride AuthConfig
</Directory>
<Directory /cgi-bin/roast/root>
AllowOverride AuthConfig
Order deny,allow
Deny from all
</Directory>
/cgi-bin/roast/root/.htaccess:
{0}:>ls -la .htaccess
-rwxr-xr-x 1 www-data www-data 174 Apr 15 10:40 .htaccess
root@wally
{0}:>cat .htaccess
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/passwords/password.file.roast.rdlg
#AuthGroupFile /var/www/passwords/group.file
Require user nomad mamma
{0}:>ls -la /var/www/passwords/password.file.roast.rdlg
-rw-r----- 1 www-data www-data 40 Jun 12 20:51 /var/www/passwords/password.file.roast.rdlg
{0}:>cat /var/www/passwords/password.file.idsadmin.rdlg
mamma:B0avyPzxbvqEo
nomad:FT8afZBwnSulo
If I hit http://server/cgi-bin/roast/root/base.cgi it loads up and displays the
output of the base.cgi script just fine without prompting for a password
of any sort.
Help?
Thanks,
Robert
:wq!
---------------------------------------------------------------------------
Robert L. Harris | GPG Key ID: E344DA3B
@ x-hkp://pgp.mit.edu
DISCLAIMER:
These are MY OPINIONS ALONE. I speak for no-one else.
Diagnosis: witzelsucht
IPv6 = robert@ipv6.rdlg.net http://ipv6.rdlg.net
IPv4 = robert@mail.rdlg.net http://www.rdlg.net
Re: [users@httpd] apache2 and htaccess files?
Posted by "Robert L. Harris" <Ro...@rdlg.net>.
Got rid of that, fixed the perms on my password files and it's finally
working right. Thank you very much.
What do you recommend for the Allow, Order, section? Right now it reads:
<Directory /var/www/cgi-bin/roast/root>
AllowOverride AuthConfig
Options ExecCGI
Order deny,allow
Allow from all
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/passwords/password.file
Require user nomad mamma
</Directory>
Thus spake Joshua Slive (joshua@slive.ca):
>
> On Wed, 18 Jun 2003, Robert L. Harris wrote:
> > <Directory /var/www/cgi-bin/roast/root>
> > AllowOverride AuthConfig
> > Order deny,allow
> > Deny from all
>
> What is the "Deny from all" doing in there? With that set (and without
> "Satisfy any"), everyone will be denied access by hostname.
>
> Joshua.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] apache2 and htaccess files?
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 18 Jun 2003, Robert L. Harris wrote:
> <Directory /var/www/cgi-bin/ids/admin>
> AllowOverride AuthConfig
> Order deny,allow
> Deny from all
What is the "Deny from all" doing in there? With that set (and without
"Satisfy any"), everyone will be denied access by hostname.
Joshua.
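Added example (not part of the original thread and not Apache's own code): a simplified Python model of how Apache 2.0 combines the mod_access host rules (Order/Allow/Deny) with a Require line under Satisfy, run over the Directory blocks quoted in this thread. The function names and the reduction to "from all" rules are assumptions made for the illustration.

```python
# Simplified model of Apache 2.0 access control: host rules
# (Order/Allow/Deny) combined with a Require line under Satisfy.
# Assumption: only "from all" rules are modelled, as used in the thread.

def host_allowed(order, allow_all=False, deny_all=False):
    """Host-based check for rules that can only say 'from all'."""
    if order == "deny,allow":
        # Deny is evaluated first, Allow overrides it; default is allow.
        return allow_all or not deny_all
    if order == "allow,deny":
        # Allow is evaluated first, Deny overrides it; default is deny.
        return allow_all and not deny_all
    raise ValueError("unknown Order: " + order)

def status(order, allow_all=False, deny_all=False, require=None,
           satisfy="all", user=None):
    """HTTP status; `user` is an already-verified login name or None."""
    host_ok = host_allowed(order, allow_all, deny_all)
    if require is None:                  # no Require line: host rules decide
        return 200 if host_ok else 403
    if satisfy == "any" and host_ok:     # host check alone is sufficient
        return 200
    if satisfy == "all" and not host_ok:
        return 403                       # rejected before any password prompt
    return 200 if user in require else 401

USERS = {"nomad", "mamma"}               # from "Require user nomad mamma"

def thread_cases():
    """Outcomes for the Directory blocks quoted in the thread."""
    deny = dict(order="deny,allow", deny_all=True, require=USERS)
    allow = dict(order="deny,allow", allow_all=True, require=USERS)
    return {
        # Deny from all + Require, default Satisfy all: 403 even for nomad.
        "deny all, satisfy all, valid login": status(user="nomad", **deny),
        # Same block with Satisfy any: the password becomes the way in.
        "deny all, satisfy any, no login": status(satisfy="any", **deny),
        "deny all, satisfy any, valid login":
            status(satisfy="any", user="nomad", **deny),
        # Allow from all + Require: prompt first, then access.
        "allow all, no login": status(**allow),
        "allow all, valid login": status(user="mamma", **allow),
    }

if __name__ == "__main__":
    for name, code in thread_cases().items():
        print(code, name)
```

With "Allow from all" in place, adding "Satisfy any" would let every host in without a password, which is why it belongs only next to a restrictive host rule.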
Re: [users@httpd] apache2 and htaccess files?
Posted by "Robert L. Harris" <Ro...@rdlg.net>.
No, it's off /var/www which used to be DocumentRoot which I'm guessing
is deprecated. I changed it to /var/www/cgi-bin/roast/root and now it
doesn't let me in and gives a 403 but still doesn't ask for passwd. I
guess it's probably because I'm using the .htaccess.
Given this:
<Directory /var/www/cgi-bin/ids/admin>
AllowOverride AuthConfig
Order deny,allow
Deny from all
</Directory>
and the .htaccess:
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/passwords/password.file.idsadmin.rdlg
#AuthGroupFile /var/www/passwords/group.file
Require user nomad mamma
How would you reform the Directory directive? Something like this?
<Directory /var/www/cgi-bin/ids/admin>
AllowOverride AuthConfig
Order deny,allow
Deny from all
AuthType Basic
AuthName "Password Required"
AuthUserFile /var/www/passwords/password.file.idsadmin.rdlg
Require user nomad mamma
</Directory>
Thanks,
Robert
Thus spake Joshua Slive (joshua@slive.ca):
>
> On Wed, 18 Jun 2003, Robert L. Harris wrote:
> > <Directory /cgi-bin/roast/root>
>
> Is /cgi-bin really a directory off the root of your filesystem? That
> would be strange. More likely, you want something like <Directory
> /var/www/cgi-bin/roast/root>.
>
> Also note that there is no need to use .htaccess files when you have
> access to the main config. See:
> http://httpd.apache.org/docs-2.0/howto/htaccess.html#when
>
> Joshua.
>
Re: [users@httpd] apache2 and htaccess files?
Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 18 Jun 2003, Robert L. Harris wrote:
> <Directory /cgi-bin/roast/root>
Is /cgi-bin really a directory off the root of your filesystem? That
would be strange. More likely, you want something like <Directory
/var/www/cgi-bin/roast/root>.
Also note that there is no need to use .htaccess files when you have
access to the main config. See:
http://httpd.apache.org/docs-2.0/howto/htaccess.html#when
Joshua.