Apache LDAP Authentication only for some virtualhosts

I have a webserver running Apache 2.4.6 under CentOS 7 in which I have several web resources. I want to apply LDAP authentication only to some of them, so I am trying to do it by creating a single virtualhost for every resource and configuring the LDAP authentication only for the resources I want.
This is my attempt:
/etc/httpd/conf.d/test1.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test1
<Directory "/var/www/html/test1">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
#LDAP
SetHandler php-script
Require all denied
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthName "ldap_auth"
AuthType Basic
AuthLDAPURL ldap_url
AuthLDAPBindDN ldap_dn
AuthLDAPBindPassword ldap_pass
Require ldap-group ldap_group
</Directory>
</VirtualHost>
/etc/httpd/conf.d/test2.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test2
<Directory "/var/www/html/test2">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
This is the relevant information of my current httpd.conf file:
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
<Directory />
AllowOverride none
Require all denied
</Directory>
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
IncludeOptional conf.d/*.conf
But it always asks for authentication for both test1 and test2, and for test2 I am not even able to load the content after logging in (test1 loads fine).

Finally achieved it by using the Alias directive, so:
/etc/httpd/conf.d/test1.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test1
Alias /test1 /var/www/html/test1
<Directory "/var/www/html/test1">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
#LDAP
SetHandler php-script
Require all denied
AuthBasicProvider ldap
AuthUserFile /dev/null
AuthName "ldap_auth"
AuthType Basic
AuthLDAPURL ldap_url
AuthLDAPBindDN ldap_dn
AuthLDAPBindPassword ldap_pass
Require ldap-group ldap_group
</Directory>
</VirtualHost>
/etc/httpd/conf.d/test2.conf:
<VirtualHost *:80>
Servername server_name
DocumentRoot /var/www/html/test2
Alias /test2 /var/www/html/test2
<Directory "/var/www/html/test2">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
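The same split written with Apache 2.4 authorization directives only, as an added example that is not part of the original posts. It keeps the posts' placeholders (server_name, ldap_url, ldap_dn, ldap_pass, ldap_group) and assumes mod_authnz_ldap is loaded; putting both paths in a single virtual host is a choice made for this example.

```apache
# Added example (not from the original posts). Apache 2.4 syntax only:
# no Order/Allow (mod_access_compat) and no "AuthUserFile /dev/null".
# server_name, ldap_url, ldap_dn, ldap_pass and ldap_group are the
# posts' own placeholders and must be replaced with real values.
<VirtualHost *:80>
    ServerName server_name

    Alias /test1 /var/www/html/test1
    Alias /test2 /var/www/html/test2

    # test1: only members of the LDAP group are authorized.
    # These Require lines replace the "Require all granted" inherited
    # from <Directory "/var/www"> in httpd.conf, because authorization
    # directives are not merged with the parent section by default
    # (AuthMerging Off).
    <Directory "/var/www/html/test1">
        Options FollowSymLinks
        AllowOverride None
        AuthType Basic
        AuthName "ldap_auth"
        AuthBasicProvider ldap
        AuthLDAPURL ldap_url
        AuthLDAPBindDN ldap_dn
        AuthLDAPBindPassword ldap_pass
        Require ldap-group ldap_group
    </Directory>

    # test2: no Auth* directives and an unconditional grant, so the
    # server never sends a 401 challenge for this path.
    <Directory "/var/www/html/test2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Basic authentication only base64-encodes the LDAP password.
    # Port 80 is kept because the posts use it; on a real deployment
    # the protected path belongs on a TLS virtual host.
</VirtualHost>
```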

Related

Apache issue on Mac "You don't have permission to access / on this server"

I have the following issue with Apache: I am trying to load a website locally, but I get a Forbidden error.
This is my configuration:
/etc/hosts:
127.0.0.1 nop33.local
/etc/apache2/httpd.conf:
Listen 80
<Directory />
Order allow,deny
Require all granted
# AllowOverride none
# Require all denied
</Directory>
DocumentRoot "/Users/nop33/dev"
<Directory "/Users/nop33/dev">
Options FollowSymLinks Multiviews
MultiviewsMatch Any
AllowOverride None
Require all granted
</Directory>
ErrorLog "/private/var/log/apache2/error_log"
/etc/apache2/extra/httpd-vhosts.conf:
NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin nop33@example.com
DocumentRoot /Users/nop33/dev/project-name/public
ServerName nop33.local
<Directory /Users/nop33/dev/project-name/public>
Order allow,deny
Require all granted
</Directory>
</VirtualHost>

ssl issue with name based virtual hosting for multiple domain

I have three domains:
abc.local without ssl configuration
<VirtualHost 10.0.0.87:80>
ServerName abc.local
DocumentRoot /var/www/alpha/abc.local/
ServerAlias hey.abc.local
DirectoryIndex index.php index.html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/alpha/abc.local/>
Options FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/abc.local/error.log
CustomLog /var/log/abc.local/access.log combined
<Directory /var/www/alpha/abc.local >
AuthType Basic
AuthName abc_test
AuthBasicProvider file
AuthUserFile /var/www/alpha/abc.local/.htpasswd
Require valid-user
</Directory>
</VirtualHost>
test.local with ssl configuration
<VirtualHost 10.0.0.87:80>
ServerName test.local
DocumentRoot /var/www/alpha/test.local/
ServerAlias hey.test.local
DirectoryIndex index.php index.html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/alpha/test.local/>
Options FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/test.local/error.log
CustomLog /var/log/test.local/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost 10.0.0.87:443>
ServerName test.local
DocumentRoot /var/www/alpha/test.local/
ServerAlias hey.test.local
DirectoryIndex index.php index.html
SSLEngine on
SSLCertificateFile /var/www/alpha/ssl/test.local/test.crt
SSLCertificateKeyFile /var/www/alpha/ssl/test.local/test.key
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/alpha/test.local/>
Options FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/test.local/error.log
CustomLog /var/log/test.local/access.log combined
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
</ifModule>
The third one, example.local, has the same SSL configuration as test.local.
But the issue is that when I try to access https://abc.local, it serves the content of the first loaded domain, from test.local or example.local.

Multiple Trac sites on one domain using Apache2

How do I get one domain to serve up multiple sites under Apache2? What I would like is something like this:
trac.mysite.net/project1
trac.mysite.net/project2
What I have working now, is this:
project1.mysite.net/
project2.mysite.net/
using two separate virtual hosts, which works great. However, every time I create a new project, I have to update the DNS.
What I would like is to have one virtual host configuration that points to a different directory for each project.
What I have tried is creating a 'trac' virtual host with different sections for each site. According to the error log, it tries to access the directory, but gets an access denied.
[Sun Sep 14 16:50:59.022354 2014] [autoindex:error] [pid 9811] [client 10.1.1.112:58207] AH01276: Cannot serve directory /usr/share/trac/projects/project1/htdocs/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
I tried removing indexes with Options -Indexes but that didn't get rid of the error above.
Here is my virtual host configuration:
<VirtualHost *:80>
ServerName trac.mysite.net
ServerAlias trac
ServerAdmin vv@mysite.net
# trac ####################################################################
DocumentRoot /usr/share/trac/htdocs
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /usr/share/trac/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /chrome/common /usr/share/trac/htdocs/common
Alias /chrome/site /usr/share/trac/htdocs/site
<Directory /usr/share/trac/htdocs/>
Order allow,deny
allow from all
</Directory>
WSGIScriptAlias / /usr/share/trac/cgi-bin/trac.wsgi
# project1 ###############################################################
Alias /project1 /usr/share/trac/projects/project1/htdocs
<Directory /usr/share/trac/projects/project1/htdocs/>
Order allow,deny
allow from all
</Directory>
<Directory /usr/share/trac/projects/project1/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /project1/chrome/common /usr/share/trac/projects/project1/htdocs/common
Alias /project1/chrome/site /usr/share/trac/projects/project1/htdocs/site
WSGIScriptAlias /project1 /usr/share/trac/projects/project1/cgi-bin/trac.wsgi
# project2 ################################################################
Alias /project2 /usr/share/trac/projects/project2/htdocs
<Directory /usr/share/trac/projects/project2/htdocs/>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/trac/projects/project2/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
Alias /project2/chrome/common /usr/share/trac/projects/project2/htdocs/common
Alias /project2/chrome/site /usr/share/trac/projects/project2/htdocs/site
WSGIScriptAlias /project2/ /usr/share/trac/projects/project2/cgi-bin/trac.wsgi
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/trac_error.log
CustomLog ${APACHE_LOG_DIR}/trac_access.log combined
</VirtualHost>
I know this is possible, I'm just not sure how. Any suggestions would be appreciated.
Ah. I figured out what I was doing wrong. I was using an Alias for each project directory. The Alias was overriding the WSGIScriptAlias. And it was this WSGIScriptAlias that was necessary for everything to work. It allows urls with /projectX/ in them to be an alias for the trac.wsgi script.
My new vhost config is given below. I cleaned it up a bit by removing the directives for the trac vhost and only left the DocumentRoot.
<VirtualHost *:80>
ServerName trac.mysite.net
ServerAlias trac
ServerAdmin vv@mysite.net
# trac ####################################################################
DocumentRoot /usr/share/trac/htdocs
# project1 ###############################################################
<Directory /usr/share/trac/projects/project1/htdocs/>
Order allow,deny
allow from all
</Directory>
<Directory /usr/share/trac/projects/project1/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /project1/chrome/common /usr/share/trac/projects/project1/htdocs/common
Alias /project1/chrome/site /usr/share/trac/projects/project1/htdocs/site
WSGIScriptAlias /project1 /usr/share/trac/projects/project1/cgi-bin/trac.wsgi
# project2 ################################################################
<Directory /usr/share/trac/projects/project2/htdocs/>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/trac/projects/project2/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
Alias /project2/chrome/common /usr/share/trac/projects/project2/htdocs/common
Alias /project2/chrome/site /usr/share/trac/projects/project2/htdocs/site
WSGIScriptAlias /project2/ /usr/share/trac/projects/project2/cgi-bin/trac.wsgi
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/trac_error.log
CustomLog ${APACHE_LOG_DIR}/trac_access.log combined
</VirtualHost>
Thanks for listening.

Password protect directories when accessed from external IPs using Apache

Currently have password protection on my main and sub directories, however I'd like to make it only required when connecting from an outside IP address and password free when connecting from the local subnet.
Currently /etc/apache2/sites-available/default looks like this:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<Location / >
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user1
SetEnv R_ENV "/var/www"
</Location>
<Location /dir1>
AuthType Digest
AuthName "dir"
AuthDigestDomain /var/www/dir1/ http://10.1.2.2/dir1
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user2
SetEnv R_ENV "/var/www/dir1"
</Location>
<Location /dir2>
AuthType Digest
AuthName "dir"
AuthDigestDomain /var/www/ http://10.1.2.2/dir2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user2
SetEnv R_ENV "/var/www/dir2"
</Location>
</VirtualHost>
I've had a look at Apache's documentation on auth but can't make sense of how I'd then implement the password protection in with that.
A bit of searching brought this up http://www.askapache.com/htaccess/apache-authentication-in-htaccess.html
Basically changed this:
<Location / >
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require user user1
SetEnv R_ENV "/var/www"
</Location>
to this:
<Location />
Order deny,allow
Deny from all
AuthType Digest
AuthName "intranet"
AuthDigestDomain /var/www/ http://10.1.2.2
AuthDigestProvider file
AuthUserFile /etc/apache2/passwords
Require valid-user
SetEnv R_ENV "/var/www"
Allow from 10.1.2.0/24
Satisfy Any
</Location>
Tested and it's all running smoothly.
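The same "local subnet without a password, everyone else with one" policy in Apache 2.4 authorization syntax, as an added example that is not part of the original post. It reuses the post's realm, password file and subnet, and assumes mod_auth_digest, mod_authz_core and mod_authz_host are loaded.

```apache
# Added example (not from the original post): Apache 2.4 form of the
# 2.2-style "Order deny,allow / Deny from all / Allow from ... /
# Satisfy Any" block above. Realm, password file and subnet are the
# values used in the post.
<Location "/">
    AuthType Digest
    AuthName "intranet"
    AuthDigestDomain /var/www/ http://10.1.2.2
    AuthDigestProvider file
    AuthUserFile /etc/apache2/passwords
    SetEnv R_ENV "/var/www"

    # RequireAny succeeds as soon as one child succeeds:
    #   - a client inside 10.1.2.0/24 is authorized on address alone
    #     and never receives a 401 challenge;
    #   - any other client must present valid Digest credentials.
    <RequireAny>
        Require ip 10.1.2.0/24
        Require valid-user
    </RequireAny>

    # Leave Order, Deny, Allow and Satisfy out of this section. They
    # are handled by mod_access_compat on 2.4, and mixing them with
    # Require makes the effective policy hard to reason about.
</Location>

# "Require ip" is evaluated against the address of the TCP peer. If
# this server sits behind a reverse proxy or load balancer inside
# 10.1.2.0/24, every request appears local and skips the password
# unless the real client address is restored first (mod_remoteip).
```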

CakePHP - Apache un-htpasswd certain path

I have a CakePHP application still in development.
Our server has a password protection done through the apache vhost file.
e.g
<Directory "/var/www/vhosts/project">
Order deny,allow
Deny from all
AuthType Basic
AuthUserFile /etc/httpd/conf/htpasswd
AuthName "Authorized users only!"
...
</Directory>
Now, I'm trying to open up certain path. e.g http://project.com/shares/*
This is the virtualhost setup
<VirtualHost *:80>
DocumentRoot /var/to/cakephp/app
Options FollowSymLinks
ServerName project.com
ServerAdmin ...
DirectoryIndex index.php index.jsp index.htm index.html
ErrorLog ...
CustomLog ...
</VirtualHost>
How can I do that?
Doing this just removes the whole password protection
<Directory "/var/to/cakephp/app">
Options All
AuthType None
AllowOverride All
Order allow,deny
Allow from all
</Directory>
And I can't just do
<Directory "/var/to/cakephp/app/shares">
</Directory>
Basically the htaccess is messing with me now.
Thank you,
Tee
Just add another directory, and add something like this:
<Directory /var/www/vhosts/project/shares/>
Order Allow,Deny
Satisfy Any
Allow from all
Options Indexes
</Directory>
Use the Options you need.
http://httpd.apache.org/docs/2.0/mod/core.html#satisfy