You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by John Stewart <jo...@heurikon.com> on 1998/08/11 20:06:44 UTC

mod_proxy/2830: ProxyPass does not follow .htaccess directives

>Number:         2830
>Category:       mod_proxy
>Synopsis:       ProxyPass does not follow .htaccess directives
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Aug 11 11:10:01 PDT 1998
>Last-Modified:
>Originator:     johns@heurikon.com
>Organization:
apache
>Release:        1.3.0
>Environment:
Solaris 2.6 x86 

uname -a == SunOS goat 5.6 Generic i86pc i386 i86pc
>Description:
Not sure if this is a bug, or a documentation issue (didn't know if sw-bug,
doc-bug, or change request was most appropriate for Class)

I am trying to use ProxyPass to provide external access to our internal
web server. However, I also want to protect it with a .htpasswd file, which
resides in the /Ntra directory. When loading any files underneath /Ntra,
apache properly requires a password for access.

However, when loading the /Ntra/intranet/, access is granted without a
password.

Here is the directive from my httpd.conf file:

ProxyPass /Ntra/intranet/ http://<internal webserver>.heurikon.com/

If this is the intended behaviour, then I would request that this be mentioned
in the ProxyPass section of the mod_proxy docs.

thanks!

johnS

Also I noticed that the links are not properly rewritten if any of the trailing
/'s are omitted from the directive. For example, if the directive is this:

ProxyPass /Ntra/intranet http://<internal webserver>.heurikon.com

Then the links do not work after the root html file under /Ntra/intranet



>How-To-Repeat:
Set up a ProxyPass directive with a .htaccess and .htpasswd file in the parent
directory to try and limit access.
>Fix:
Either change the behaviour of ProxyPass to check for .ht files before allowing
access (this would be my preferred solution) or simply mention in the docs that
these files do not affect access to the ProxyPass directory.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]