Apache 2.2 WebDav Anonymous access - apache

I sorta have a HTTP config working for Apache 2.2 that allows WebDav. At least I can use the WinSCP client to attach with the DAV account listed below.
But I also have much older clunkier clients that may only work for anonymous access. And they are not working.
Windows 7 (Map drive), it pops up the credentials but does not log in.
FalconView (probably only understands anonymous login)
Any idea what I am doing wrong here with the anon access? I am a novice at HTTPD.conf.
(The environment variable ${EGPL_JobsPath} resolves to a Windows path, e.g. F:\Jobs.)
Alias /jobs ${EGPL_JobsPath}
<IfModule dav_lock_module>
DavLockDB "${EGPL_JobsPath}"
</IfModule>
<Directory "${EGPL_JobsPath}">
Header set Access-Control-Allow-Origin "*"
Dav On
Require valid-user
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require user me
</LimitExcept>
AuthType Basic
AuthName DAV
AuthUserFile conf/users.passwords
</Directory>

The only way I could get this to work, is to turn off all Authentication and leave the webdav folder open to the world. I would still like to hear from people with better ideas:
Alias /jobs ${EGPL_JobsPath}
<IfModule dav_lock_module>
DavLockDB "${EGPL_LibrarianPath}"
</IfModule>
<Directory "${EGPL_JobsPath}">
Header set Access-Control-Allow-Origin "*"
Dav On
</Directory>
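A narrower alternative to removing all authentication, as an added example that is not part of the original post. On Apache 2.2 a directory-wide Require valid-user applies to every method, so this version drops it and keeps only the <LimitExcept> block: the read methods listed in the question stay anonymous and every other method still needs the account "me". The DavLockDB path is a placeholder; all other names are reused from the question.

```apache
# Added example, assuming Apache 2.2 with mod_dav, mod_dav_fs and mod_headers loaded.
Alias /jobs "${EGPL_JobsPath}"

<IfModule dav_lock_module>
    # DavLockDB names a lock database file (no extension), not a directory.
    # Placeholder path: keep it outside the shared tree so DAV clients cannot
    # read or overwrite it, and make it writable by the httpd service account.
    DavLockDB "C:/path/outside/share/DavLock"
</IfModule>

<Directory "${EGPL_JobsPath}">
    Header set Access-Control-Allow-Origin "*"
    Dav On
    Options Indexes FollowSymLinks

    # Host-based access control: any client address may connect.
    Order allow,deny
    Allow from all

    # Basic auth is defined for the directory but not required at this level,
    # so GET, PROPFIND, OPTIONS and REPORT are served without a prompt.
    AuthType Basic
    AuthName DAV
    AuthUserFile conf/users.passwords

    # Every method outside the read-only set (PUT, DELETE, MKCOL, COPY, MOVE,
    # LOCK, UNLOCK, PROPPATCH, ...) requires the named account.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require user me
    </LimitExcept>
</Directory>
```

Basic auth sends the password in a reversible encoding, so the write account should only be used over TLS.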

Related

Access Control only works inside <Location> directive, Apache/2.4.6 (CentOS)

There's a server with several instances of Apache running. One instance needs access from anywhere, but only for authorized users. Instance is started up by a systemctl script with the -f option pointing to a config file in /opt/.
Config includes directives from another file in the same folder under /opt/. The relevant part of the included directives looks like the following at the present moment:
"
[...]
<Location "/subfolder">
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
LimitRequestBody <someNumber>
</Location>
[...]
DavLockDB /somepath/webdav/DavLock
Alias /subfolder /mainfolder/subfolder
<Directory /mainfolder/subfolder>
Dav on
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /somepath/webdav/.htpasswd
<RequireAll>
Require all granted
Require valid-user
</RequireAll>
AllowOverride All
SSLRequireSSL
Options FollowSymLinks Indexes
</Directory>
[...]
"
This works so far, it only permits access to folder if you enter your username and password.
Problem is, if I comment out the <Location directive to comply with security recommendations, then access is flat-out denied. There is no way to enter a username and a password, and if I supply them on the command line, they are ignored, while they previously worked with the <Location block intact.
The <RequireAll> block inside the <Directory> directive is completely ineffectual. In fact, if I comment it out there, it changes nothing whatsoever in the behaviour of the httpd instance. It works only when it is placed inside the <Location block. The rest of the <Directory> block on the other hand seems to be working.
Does someone have any tips as to what I may be missing here? Thanks in advance!
H/T to Apache Basic Auth not working in .htaccess or Directory blocks; works fine in Location blocks
The problem was that the configuration file the Apache instance is started up with included one of the system-wide configs in /etc/ with a default location block inside, similar to the following:
<Location />
Require all denied
[...]
</Location>
When I commented out the line Require all denied from here, the access control directives in the <Directory> block started to work as expected.
The explanation of the above is that, unlike "normal" <Location> directives, which "operate completely outside the filesystem", <Location /> refers to the entire server (see the Apache documentation: https://httpd.apache.org/docs/2.4/mod/core.html#location ), so it means pretty much the same as <Directory /> (at least when it comes to its scope), except that it can only be overridden by another <Location> directive.
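The override described above, and a way to keep a server-wide default deny without it, as an added example that is not part of the original answer. It reuses the paths from the question; moving the default into a <Directory "/"> block is an assumption about what the security recommendation is meant to achieve.

```apache
# Apache 2.4 merges <Directory> sections first and <Location> sections last.
# With the default "AuthMerging Off", a later section that carries its own
# Require directives replaces the authorization inherited from earlier ones.

# Before: the included system-wide default described in the answer. It is
# merged after every <Directory> block, so its deny wins for all URLs.
#<Location "/">
#    Require all denied
#</Location>

# After: the same default deny expressed on the filesystem. <Directory>
# sections are applied shortest path first, so a more specific <Directory>
# can replace this rule for its own subtree.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

DavLockDB /somepath/webdav/DavLock
Alias /subfolder /mainfolder/subfolder
<Directory "/mainfolder/subfolder">
    Dav On
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /somepath/webdav/.htpasswd
    # Replaces "Require all denied" for this subtree only.
    Require valid-user
</Directory>
```

Everything outside /mainfolder/subfolder stays denied, and no <Location> block is needed to make the authentication prompt appear.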

Apache basic authentication: Skip authentication for specific patterns only if authenticated earlier

I have written an angular app that works with a 3rd party backend server that uses Apache to serve pages. Many of my users enable basic authentication in Apache. One of the functions of the server is to send MJPEG image streams that are rendered on browsers using <img src> tags. Browsers don't allow Authorization headers to be inserted in image tags (and I know there are client side plugins that try and do this, but so as not to digress, they don't work for MJPEG image streams, so let's assume this is not up for discussion to keep things simple :) ).
So here is what I need to do in my apache config:
1. Enable basic auth for my primary portal, which is /zm
2. Disable basic auth for URLs that have /zm?view=image&<whatever>
3. Disable basic auth for URLs that have /zm/cgi-bin/nph-zms?<whatever>
Now, in addition, ideally I'd like to ensure that 2 & 3 rules don't result in a user directly loading those URLs and bypassing security. I'd somehow like to mandate that if the user did not get authenticated in 1, 2&3 won't work either. In other words, I am looking for a means to check if a user has been authenticated in the /zm url.
I hope that explains the context
(I am using apache 2.4)
So far I have
<Location /zm>
SetEnvIf Request_URI "/zm/cgi-bin" noauth=1
SetEnvIf Request_URI "/zm/index.php?view=image" noauth=1 #darn, query params not allowed
AuthType Basic
AuthName "Auth required"
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user
Order Deny,Allow
Satisfy any
Deny from all
Allow from env=noauth
</Location>
I have 2 problems:
1. The settings above allow a user to navigate to "/zm/cgi-bin" even if / is not authenticated (not what I want)
2. SetEnvIf doesn't allow query parameters. I need the "view=image" part; setting no_auth to /index.php is too broad
Thanks
Sidenote: Just to make sure I present the full picture, my conf-enabled directory has the following aliases (created by the 3rd party server)
ScriptAlias /zm/cgi-bin "/usr/lib/zoneminder/cgi-bin"
<Directory "/usr/lib/zoneminder/cgi-bin">
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
Alias /zm /usr/share/zoneminder/www
<Directory /usr/share/zoneminder/www>
Options -Indexes +FollowSymLinks
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>
</Directory>

How to protect part of a cakephp website for a stage deployment?

I have a cakephp project consisting of website URLs and a URL for an API, say:
http://myproject.com/controller1/someaction
http://myproject.com/controller2/someotheraction
http://myproject.com/api/controller1/someapiaction
For production deployment, the websites and API both handle authentication & authorization using cakephp's methods.
I would like to deploy the whole project on a staging server. There, the websites should be HTTP Auth protected, whilst the API should be unprotected (because I don't want to add auth to the API consumers). I do not want to change the project's sources or configuration and instead solve it via Apache configuration.
I tried several vhost configurations, basically following this scheme:
<LocationMatch "/api/.*">
Order allow,deny
Allow from all
Satisfy any
</LocationMatch>
<Location />
Order allow,deny
Allow from all
AllowOverride all
AuthType Basic
AuthName "myproject"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
Require group mytesters
</Location>
I also tried mixing Location & Directory directives, using Location or LocationMatch for both sections, negated regex for LocationMatch, separate vhosts for both sections, ... - none of this worked: Either the whole site was protected, or nothing.
Am I getting something really wrong, or is it just not possible (due to Apache or the way cakephp handles rewrites)?
Try the following configuration:
<Directory /path/to/your/htdocs>
AuthType Basic
AuthName "myproject"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroup
Require valid-user
AllowOverride AuthConfig
</Directory>
<Location "/api">
Satisfy any
</Location>

Allowing anonymous users in Trac (apache/mod_wsgi)

I have trac installed and running great using apache2 and mod_wsgi. However, whenever a user tries to access even the front page they are greeted with a login. I've tried several things, but everything I try either disables the authentication altogether or won't allow unauthenticated users to view the site. Here's the authentication section of my httpd.conf file:
<Location '/'>
AuthType Basic
AuthName "Trac"
AuthUserFile /home/trac/.htpasswd
Require valid-user
</Location>
I'm almost certain that the solution lies in the require line but I've exhausted my own creativity. Any thoughts?
EDIT: The answer I selected works great. The link given doesn't have instructions on connecting the password file to the system.
My memory is hazy, but the only solution I found when I had this issue was switching from Apache authentication to the AccountManagerPlugin.
You can specify when apache should ask about password.
In trac when you select Login it will open site: /trac_folder/login
So defining location for authentication should do the trick.
Check my trac.conf:
WSGIScriptAlias /trac /var/lib/trac/apache/trac.wsgi
## This is required if you plan to use HTTP authorization. Without it the
## user name won't be passed
WSGIPassAuthorization On
<Directory /trac>
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
#AuthType Basic
#AuthName "TracHaselko"
#AuthUserFile /var/lib/trac/authfiles/htpasswd
#Require valid-user
</Directory>
<Location /trac/login>
AuthType Basic
AuthName "TracHaslo"
AuthUserFile /var/lib/trac/authfiles/htpasswd
Require valid-user
</Location>
In your file change:
<Location '/'>
to:
<Location '/login'>

mercurial + Apache gives 403 error

I have setup my repo at /home/adil/hg/sample-repo and want to serve it via httpd. I am following the tutorial at https://www.mercurial-scm.org/wiki/PublishingRepositories#multiple and have created the hgweb.config file and have copied hgweb.cgi (renamed it to index.cgi) to /home/adil/web/mercurial/
My apache config (/etc/httpd/conf/httpd.conf) looks like this :
ScriptAlias /hg "/home/adil/web/mercurial/index.cgi"
<Directory "/home/adil/web/mercurial">
Order allow,deny
Allow from all
AllowOverride All
Options ExecCGI
AddHandler cgi-script .cgi
</Directory>
index.cgi, hgweb.config and all the dirs upwards have world read permissions
http://localhost/hg gives a "403 Forbidden" error. WTF?
PS: Apache error log shows :
[Sun Oct 17 06:45:38 2010] [error] [client 1.2.3.4] (13)Permission denied: access to /hg denied
I'm not an Apache config expert by any means, but I was experiencing this error and managed to get rid of it.
Before I did, I was getting this error in my error_log: client denied by server configuration: /Users/svn/Public/hg/hgwebdir.cgi
This was my original config:
ScriptAlias /hg "/Users/svn/Public/hg/hgwebdir.cgi"
<Location /hg>
AuthType Basic
AuthName "Mercurial Repositories"
AuthUserFile /Users/svn/Public/hg/auth
Require valid-user
</Location>
I added some options:
ScriptAlias /hg "/Users/svn/Public/hg/hgwebdir.cgi"
<Location /hg>
Options ExecCGI FollowSymLinks
Options None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Mercurial Repositories"
AuthUserFile /Users/svn/Public/hg/auth
Require valid-user
</Location>
I tried Pablo's version too - one problem I experienced was that "ScriptAliasMatch ^/hg(.*)" was capturing the hg logo and stylesheets needed to render the browser repo explorer. I'm not sure if this even applies to hgweb.cgi because I don't use that one, but it was definitely an issue while using hgwebdir.cgi. Specifically: script not found or unable to stat: /Users/svn/Public/hg/hgweb.cgilogo.png
Probably Apache's process owner does not have permissions to access /home/adil/web/mercurial.
Also, do check Apache's error log (usually located in /var/log/httpd-error.log or some place similar). It will give you extra information to debug your installation.
To check what's the user running Apache's process do:
$ ps aux | grep http
ps should show what's the user running Apache.
Also, in case it helps, here's the way I do it:
ScriptAliasMatch ^/hg(.*) /usr/local/share/mercurial/www/hgweb.cgi$1
<Directory /usr/local/share/mercurial/www>
Options ExecCGI FollowSymLinks
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>