When we decided to move to LDAP auth for SVN I had assumed that authentication & authorisation would be automatic, i.e. if a user is logged into the network, subversion would accept the user as legitimate and not pop up a login dialog, but just get on with life. Unfortunately, so far we have not achieved this.
It causes problems with, amongst other things, my Source Control extranet web application which used to do a user password lookup (not secure) but now must request authorisation.
Should SVN/LDAP work like I had hoped? If so, is there some arcane config item I need to set? What am I missing?
This, I think, is the appropriate .conf [redacted and obfuscated, of course]
#
#
# DO NOT EDIT THIS FILE IT WILL BE REGENERATED AUTOMATICALLY BY SUBVERSION EDGE
#
# If you must make a change to the contents of this file then copy and paste the
# content into the httpd.conf file and comment out the Include statement for
# this file. The httpd.conf file is not modified or generated and is safe for
# you to modify.
#
#
Include "F:\csvn\data/conf/ctf_httpd.conf"
<VirtualHost *:18080>
# SSL is off
# Required for SCRIPT_URI/URL in viewvc libs, not just rewrite rules
RewriteEngine on
RewriteOptions inherit
# Apache will issue sub_req for PATH_INFO on ScriptAlias which
# gives a spurious error message. Setting auth at root level to avoid clogging logs.
<Location />
AuthType Basic
AuthName "CollabNet Subversion Repository"
AuthBasicProvider file ldap
AuthLDAPUrl "ldap://192.168.0.249:3268/OU=Technical Staff,OU=DomainUsers,DC=snip,DC=net?samAccountName?sub" "NONE"
AuthLDAPBindDN "CN=subversion,OU=Technical Staff,OU=DomainUsers,DC=snip,DC=net"
AuthLDAPBindPassword "kasd8asdik"
LDAPReferrals Off
AuthUserFile "F:\csvn\data/conf/svn_auth_file"
Require valid-user
</Location>
# Work around authz and SVNListParentPath issue
RedirectMatch ^(/svn)$ $1/
<Location /svn/>
DAV svn
SVNParentPath "F:/csvn/data/repositories"
SVNReposName "CollabNet Subversion Repository"
<IfModule deflate_module>
SetOutputFilter DEFLATE
</IfModule>
AuthzSVNAccessFile "F:\csvn\data/conf/svn_access_file"
SVNPathAuthz short_circuit
SVNListParentPath On
</Location>
<Directory "F:\csvn\www\viewVC/docroot">
AllowOverride None
Options None
</Directory>
<Location /viewvc-static>
Require all granted
</Location>
Alias /viewvc-static "F:\csvn\www\viewVC/docroot"
ScriptAlias /viewvc "F:\csvn\bin/cgi-bin/viewvc.cgi"
<Location /viewvc>
AddDefaultCharset UTF-8
SetEnv CSVN_HOME "F:\csvn"
</Location>
</VirtualHost>
#
# auth helper endpoint for use by SvnEdge
#
<VirtualHost localhost:50123>
<Location "/">
AuthType Basic
AuthName "CollabNet Subversion Repository"
AuthBasicProvider file ldap
AuthLDAPUrl "ldap://192.168.0.249:3268/OU=Technical Staff,OU=DomainUsers,DC=snip,DC=net?samAccountName?sub" "NONE"
AuthLDAPBindDN "CN=subversion,OU=Technical Staff,OU=DomainUsers,DC=snip,DC=net"
AuthLDAPBindPassword "kasd8asdik"
LDAPReferrals Off
AuthUserFile "F:\csvn\data/conf/svn_auth_file"
Require valid-user
</Location>
</VirtualHost>
Should SVN/LDAP work like I had hoped?
Yes
If so, is there some arcane config item I need to set?
Probably
What am I missing?
Show your full SVN-related location (from Apache, you have use it?!)
Related
Here's the essential part of my current configuration, where I protect my entire website using HTTP basic authentication:
<VirtualHost *:443>
<Location "/">
AuthType Basic
AuthName "Protected Area"
AuthBasicProvider file
AuthUserFile /path/to/passwords_file
Require valid-user
</Location>
</VirtualHost>
However, I want to except certain paths so they are publicly available, specifically robots.txt, favicon.ico, manifest.json. How to do this?
Adding the following configuration block after the existing Location one will except the specified paths from requiring a password:
<Location ~ "^/favicon\.ico$|^/manifest\.json$|^/robots\.txt$">
Require all granted
</Location>
This one uses a single regex matching string for all files, but you could also specify each of them individually, one at a time, without using regex:
<Location "/favicon.ico">
Require all granted
</Location>
<Location "/manifest.json">
Require all granted
</Location>
<Location "/robots.txt">
Require all granted
</Location>
I got a VM with a aplication running on it. It doenst support password protection. I connect to it like sub.domain.com:6000 (redirecting port 6000 to 80 of VM)
So i like to use apache as a Proxy with authentication.
My VirtualHost config:
<VirtualHost *:*>
DocumentRoot /var/www/html/
<Directory "/var/www">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
ProxyPass "/" "http://127.0.0.1:5000/"
ProxyPassReverse "/" "http://127.0.0.1:5000/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
It redirects me, but there is no password protection.
What's wrong?
The <Directory> directive is used to enclose a group of directives that will apply only to the named directory, sub-directories of that directory, and the files within the respective directories. Proxied server is none of that, so you have to use <Location> directive which limits the scope of the enclosed directives by URL:
<Location />
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
I've got a file accessible through my web website by typing http://www.mywebsite.com/myfile and the server run on debian.
I'd like to put an authentication with a .htaccess and .htpasswd when trying to access to previous url.
I'm quite new to .htaccess and I tried to configure it with the doc but it doesn't seems to work since when i try nothing change and when i check the error log I've got :
[error] [client IP] client denied by server configuration:
/home/file1/myfile/www/.htaccess
The content of my .htaccess is :
<Directory /home/file1/myfile/www/>
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentication"
AuthType Basic
Require valid-user
Otions Indexes FollowSymLinks Multiviews
AllowOverride All
Order allow,deny
allow from all
Redirect permanent /.htaccess http://www.mywebsite.com/myfile
ServerSignature Off
</Directory>
How may I solve this problem please ?
You can't use a <Directory> container in an htaccess file. Remove them so you just have:
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentication"
AuthType Basic
Require valid-user
Options Indexes FollowSymLinks Multiviews
AllowOverride All
Order deny,allow
deny from all
Redirect permanent /.htaccess http://www.mywebsite.com/myfile
ServerSignature Off
(you have Otions mispelled)
Also, by looking at your error, it looks as if you were trying to access the htaccess file directly, instead of myfile. It's possible there's extra configuration on the server to deny accessing htaccess files (or all files that start with a .).
It seems that deleting et creating again the user is enough to fix the FTP connexion problem.
I've modified my global apache configuration with the following :
DirectoryIndex index.html index.htm index.xhtml index.php index.txt
ServerName debian.domain.tld
#ServerName localhost
HostnameLookups Off
ServerAdmin myadressemail
UserDir www
UserDir disable root
<Directory />
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
ServerSignature Off
An now my .htaccess is :
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentification"
AuthType Basic
Require user user1
But I still have got no authentication asked, what did I do wrong ?
I am having trouble understanding how I can get to edit files on a WebDAV setup. I have set up the Auth correctly, as verified by loads of online tutorials, yet there are some files like .htaccess which I can't edit.
The contents of the VirtualHost setup are
<VirtualHost *:80>
ServerAdmin xxx
ServerName xxx
DocumentRoot /data/www/vhosts/xxx
<Directory /data/www/vhosts/xxx>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Location />
DAV On
AuthType Basic
AuthName "WebDAV Access"
AuthUserFile /data/www/.htpasswd-webdav
Require valid-user
</Location>
</VirtualHost>
I've generated the correct username in the file too, and I can log in successfully and see all the files. Like I say, the problem is that certain files are unreadable and unwritable, the main culprits being .htaccess and .gitignore.
I have set the permissions on all files to 664 and all folders to 775 and a user:group of xxx:www-data. The reason being that this allows PHP to read/write the files ok, and our remote login user xxx to do the same without permissions issues.
Is there something specific I need to do to allow reading writing to these hidden dot files? I'm completely stumped, as most tutorials I've read are telling me that if I don't set the rights on dot files to root:root then they will be writable. I am using a Mac to connect to the WebDAV service, which runs on Ubuntu, if this makes any difference
Just for clarity, all of the xxx in this question is to hide info.
So it seems that I can allow access to specific files using the below
<Files .htaccess>
order allow,deny
deny from all
</Files>
I forgot that .htaccess files are blocked over HTTP by default.
EDIT:
The final working setup, to make all files writeable in the webdav environment, with Digest secure authentication is:
<VirtualHost *:80>
ServerAdmin xxx
ServerName www.domain.name
DocumentRoot xxx
<Directory xxx>
Options Indexes MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<FilesMatch "\.(htaccess|php)$">
Order allow,deny
allow from all
ForceType text/plain
</FilesMatch>
<Location />
DAV On
AuthType Digest
AuthName "Webdav Access"
AuthDigestDomain / http://www.domain.name/
AuthDigestProvider file
AuthUserFile /data/www/digest.users
Require valid-user
php_value engine off
</Location>
</VirtualHost>
I hope this helps someone else. It took days to find all this info out on the web.
Also check the permissions of /data/www/ itself. It should be writable for the apache user.
I've got several sites: example.com, example1.com, and example2.com. All of them point to my server's /public_html folder, which is my Apache root folder.
What do I need to add to my .htaccess file to use http authentication only if the user is coming from example2.com? example.com and example1.com should NOT use authentication.
I know I need something like
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
But I only want to require a password if the user is visiting example2.com.
Edit
Using an approach suggested in an answer, I have the following in my .htaccess file:
SetEnvIfNoCase Host ^(.*)$ testauth
<IfDefine testauth>
RewriteRule ^(.*)$ index2.php?q=$1 [L,QSA]
</IfDefine>
I know that the mod_setenvif.c module is enabled (I verified with an <IfModule> block), but it would appear that "testauth" is never getting defined, because my test to verify (redirecting to index2.php) is not executing (whereas it was getting executed in my <IfModule> block). Any ideas why?
How about something along the lines of this in the htaccess file in the document root:
# set the "require_auth" var if Host ends with "example2.com"
SetEnvIfNoCase Host example2\.com$ require_auth=true
# Auth stuff
AuthUserFile /var/www/htpasswd
AuthName "Password Protected"
AuthType Basic
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "require_auth" var is NOT set
Allow from env=!require_auth
This will make it so authentication is not required unless the host ends with example2.com (e.g. www.example2.com, dev.example2.com, etc). The expression can be tweaked if needed. Any other host will cause the require_auth var not to get set so authentication is not required. If this needs to be the other way around, the last line could be changed to: Allow from env=require_auth, removing the !.
Apache 2.4 offers a semantic alternative with the If directive:
<If "req('Host') == 'example2.com'">
AuthUserFile /path/to/htpasswd
AuthType Basic
AuthName "Password Protected"
Require valid-user
</If>
<Else>
Require all granted
</Else>
Here is one recommendation:
Create a file called common.conf and save in an accessible location
In this file place the Apache configuration common to all sites (hosts).
The remove the current single VirtualHost entry an replace with VirtualHost entries as follows:
# These are the password protected hosts
<VirtualHost *:80>
ServerName example.com
ServerAlias example1.com
Include /path-to-common-configuration/common.conf
AuthType Basic
AuthName "Password Required"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
</VirtualHost>
# These are hosts not requiring authentication
<VirtualHost *:80>
ServerName example2.com
ServerAlias example3.com
Include /path-to-common-configuration/common.conf
</VirtualHost>
I wonder if DanH would be helped by an approach that allows access per IP address?
Something like
SetEnvIf Remote_Addr 1\.2\.3\.4 AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.ok\.com AllowMeIn
SetEnvIfNoCase Host this\.host\.is\.also\.ok\.com AllowMeIn
and then in your Drupal "container"
Order Allow,Deny
Allow from env=AllowMeIn
should do the trick.
Any host that is "live" should be configured to "AllowMeIn", or else you have to come from a known IP address (ie you and other developers).
You shouldn't be putting per-vhost configuration into .htaccess. Instead, put the config block in the VirtualHost block in the proper config file in /etc/apache/sites-enabled/*.