User authentication not working in Apache2

Charles Howse chowse at charter.net
Tue Oct 28 10:20:43 PST 2003


> Hi,
> I'd like to restrict access to 1 of several cgi scripts on my website to
> authorized users only.
> Problem is, after configuring httpd.conf, .htaccess, .passwd, anyone can
> still run the script.
> I created the .passwd file with htpasswd -c myfilename myusername.
> Of course, I restarted apache after all changes to httpd.conf with
> apachectl restart.  No errors.
> I've pored over the Apache documentation on their website, and Googled
> all day yesterday, no joy.
> The error log shows *nothing* related to execution of this script.  The
> access log shows nothing other than the GET line for this script.
> Any help would be appreciated.
> 
> Here are some relevant sections from httpd.conf (I'll post the entire
> 38k file if allowed.)
> 
> # Dynamic Shared Object (DSO) Support
> #
> # To be able to use the functionality of a module which was built as a DSO you
> # have to place corresponding `LoadModule' lines at this location so the
> # directives contained in it are actually available _before_ they are used.
> # Statically compiled modules (those listed by `httpd -l') do not need
> # to be loaded here.
> #
> # Example:
> # LoadModule foo_module modules/mod_foo.so
> #
> LoadModule access_module libexec/apache2/mod_access.so
> LoadModule auth_module libexec/apache2/mod_auth.so
> 
> [snip]
> 
> # DocumentRoot: The directory out of which you will serve your
> # documents. By default, all requests are taken from this directory, but
> # symbolic links and aliases may be used to point to other locations.
> #
> DocumentRoot "/usr/local/www/data"
> 
> #
> # Each directory to which Apache has access can be configured with respect
> # to which services and features are allowed and/or disabled in that
> # directory (and its subdirectories).
> #
> # First, we configure the "default" to be a very restrictive set of 
> # features.  
> #
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
> </Directory>
> <Directory /usr/local/www/cgi-bin>
>     AllowOverride AuthConfig
> </Directory>
> 
> Here is the .htaccess file which resides in /usr/local/www/cgi-bin:
> 
> <Files "myscript.cgi">
> Options ExecCGI
> AuthType Basic
> AuthName "Password Required"
> AuthUserFile /usr/local/www/.passwd  # Not the best location for this file, I know.
> Require valid-user
> </Files>

Well, I got it working.  :-)
I'm not perfectly satisfied yet, but I'm much better off than I was. 

I deleted the .htaccess file and put the directives in httpd.conf.

# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories). 
#
# First, we configure the "default" to be a very restrictive set of 
# features.  
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /usr/local/www/cgi-bin>
    AllowOverride AuthConfig
    <Files status.cgi>
	AuthType Basic
	AuthName "Restricted File"
	AuthUserFile /home/charles/.htpasswd
	Require user charles
    </Files>
</Directory>

I still would like to protect an additional script.
I tried: <Files status.cgi another.file.pl>
That's unsupported.

I just tried <Files ~ "\(file1.cgi|file2.pl)$">
Trying to match 2 specific filenames...no joy.

The Apache documentation for the Files directive says, "The directives
given within this section will be applied to any object with a basename
(last component of filename) matching the specified filename."

I wonder if that means that I can only match files based on the
extension?
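
Added example, not part of the original post: a small check of which basenames a `<Files ~ "...">` regex would cover, run on the pattern quoted above and on two assumed rewrites. Python's `re` module stands in for Apache's regex engine (an approximation); the `LOOSE` and `STRICT` patterns and the sample paths are constructed for illustration.

```python
import posixpath
import re

# Pattern from the post; "\(" is an escaped (literal) parenthesis.
POSTED = r"\(file1.cgi|file2.pl)$"
# Assumed rewrites, not from the post: a real group, then escaped dots and anchors.
LOOSE = r"(file1.cgi|file2.pl)$"
STRICT = r"^(file1\.cgi|file2\.pl)$"

# Constructed sample paths under the cgi-bin directory named in the post.
SAMPLE_PATHS = [
    "/usr/local/www/cgi-bin/file1.cgi",
    "/usr/local/www/cgi-bin/file2.pl",
    "/usr/local/www/cgi-bin/myfile1.cgi",
    "/usr/local/www/cgi-bin/file1xcgi",
    "/usr/local/www/cgi-bin/status.cgi",
]


def covered_files(pattern, paths=SAMPLE_PATHS):
    """Return the basenames a <Files ~ pattern> section would apply to.

    The regex is searched (unanchored) in the basename only, as the
    documentation quoted in the post describes. Returns None when the
    pattern does not compile.
    """
    try:
        regex = re.compile(pattern)
    except re.error:
        return None
    names = (posixpath.basename(p) for p in paths)
    return [n for n in names if regex.search(n)]


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("loose", LOOSE), ("strict", STRICT)):
        result = covered_files(pattern)
        shown = "does not compile" if result is None else result
        print(f"{label:7} {pattern!r:32} -> {shown}")
```

In this engine the posted pattern is rejected because the escaped `\(` leaves the closing `)` unbalanced; the loose form also covers `myfile1.cgi` and `file1xcgi`, while the anchored, dot-escaped form covers exactly the two intended names.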



