User authentication not working in Apache2
Charles Howse
chowse at charter.net
Tue Oct 28 10:20:43 PST 2003
> Hi,
> I'd like to restrict access to 1 of several cgi scripts on my website to
> authorized users only.
> Problem is, after configuring httpd.conf, .htaccess, .passwd, anyone can
> still run the script.
> I created the .passwd file with htpasswd -c myfilename myusername.
> Of course, I restarted apache after all changes to httpd.conf with
> apachectl restart. No errors.
> I've pored over the Apache documentation on their website, and Googled
> all day yesterday, no joy.
> The error log shows *nothing* related to execution of this script. The
> access log shows nothing other than the GET line for this script.
> Any help would be appreciated.
>
> Here are some relevant sections from httpd.conf (I'll post the entire
> 38k file if allowed.)
>
> # Dynamic Shared Object (DSO) Support
> #
> # To be able to use the functionality of a module which was built as a DSO you
> # have to place corresponding `LoadModule' lines at this location so the
> # directives contained in it are actually available _before_ they are used.
> # Statically compiled modules (those listed by `httpd -l') do not need
> # to be loaded here.
> #
> # Example:
> # LoadModule foo_module modules/mod_foo.so
> #
> LoadModule access_module libexec/apache2/mod_access.so
> LoadModule auth_module libexec/apache2/mod_auth.so
>
> [snip]
>
> # DocumentRoot: The directory out of which you will serve your
> # documents. By default, all requests are taken from this directory, but
> # symbolic links and aliases may be used to point to other locations.
> #
> DocumentRoot "/usr/local/www/data"
>
> #
> # Each directory to which Apache has access can be configured with respect
> # to which services and features are allowed and/or disabled in that
> # directory (and its subdirectories).
> #
> # First, we configure the "default" to be a very restrictive set of
> # features.
> #
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> </Directory>
> <Directory /usr/local/www/cgi-bin>
> AllowOverride AuthConfig
> </Directory>
>
> Here is the .htaccess file which resides in /usr/local/www/cgi-bin:
>
> <Files "myscript.cgi">
> Options ExecCGI
> AuthType Basic
> AuthName "Password Required"
> AuthUserFile /usr/local/www/.passwd # Not the best location for this file, I know.
> Require valid-user
> </Files>
Well, I got it working. :-)
I'm not perfectly satisfied yet, but I'm much better off than I was.
I deleted the .htaccess file and put the directives in httpd.conf.
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /usr/local/www/cgi-bin>
AllowOverride AuthConfig
<Files status.cgi>
AuthType Basic
AuthName "Restricted File"
AuthUserFile /home/charles/.htpasswd
Require user charles
</Files>
</Directory>
I still would like to protect an additional script.
I tried: <Files status.cgi another.file.pl>
That's unsupported.
I just tried <Files ~ "\(file1.cgi|file2.pl)$">
Trying to match 2 specific filenames...no joy.
The Apache documentation for the Files directive says, "The directives
given within this section will be applied to any object with a basename
(last component of filename) matching the specified filename."
I wonder if that means that I can only match files based on the
extension?
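
The following is an added example, not part of the original message: one way to cover both scripts with a single section in httpd.conf. A Files section takes one filename (or a ?/* wildcard, or a regular expression after ~) and compares it with the whole basename, not only the extension; FilesMatch is the regular-expression form of the same directive. The path, user name and script names are the ones quoted in the message; AllowOverride None is an assumption that no .htaccess file is still needed in that directory.

```apache
# Added example, not from the original post.
<Directory /usr/local/www/cgi-bin>
    # Authentication is configured here in httpd.conf, so .htaccess files
    # in this directory are no longer consulted.
    AllowOverride None

    # The pattern is applied to the basename of the requested file.
    # ^ and $ anchor it to the full name, and each dot is escaped so it
    # matches a literal "." rather than any character.
    # The opening parenthesis is not backslash-escaped: "\(" would match a
    # literal "(" and leave the alternation group unopened.
    <FilesMatch "^(status\.cgi|another\.file\.pl)$">
        AuthType Basic
        AuthName "Restricted File"
        AuthUserFile /home/charles/.htpasswd
        Require user charles
    </FilesMatch>
</Directory>
```

Run apachectl configtest before restarting; afterwards a request for either script without credentials should be answered with 401, while other files in the directory are served as before.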