I'm trying to setup very basic username/password protection for my site using apache v2.4.7. I have the following in my sites conf file:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
DocumentRoot /var/my.site
DirectoryIndex index.html
<Directory /var/my.site>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
Options +ExecCGI
AddHandler cgi-script .pl
Require all granted
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/my-site/.htpasswd"
Require valid-user
</Directory>
...
...but it's serving all requests without any auth challenges. I've also tried putting the auth options into their own separate <Location> block, but it's the same. I haven't explicitly enabled any additional auth mods myself, but I've checked auth_basic, authn_core, authn_file and authz_user mods and they're all enabled.
Related
We use Apache 2.4.10 on a Debian Server. Requests are redirected from an Apache Proxy Server (same system and version) who acts as balancer (only the one balance member at the moment).
The access to the related single virtual host is generally restricted via AuthType Basic. Just one folder containing public documents should be accessable without authentication.
I tested multiple ways (new apache 2.4 syntax) to accomplish that - but no matter, which method i tried, i always stucked at the same issue: any comparison with the REQUEST_URI does not work as expected - with or without a regular expression. It seems as if the REQUEST_URI had an invalid value at the time when a comparison takes place.
I tried i.a. the following alternatives:
A)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require expr %{REQUEST_URI} =~ m#^/docs#
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
B)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
<LocationMatch "^/docs">
AuthType None
Require all granted
</LocationMatch>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
C)
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
SetEnvIf Request_URI /docs noAuth=1
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require env noauth
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
Every alternative seems to stuck at the same issue. The comparison with the REQUEST_URI failes or does not work properly.
An example: When i change line 16 in example A to
Require expr %{REQUEST_URI} =~ m#^/[a-z]#
(as a test) then it works (access granted without credentials).
When i change [a-z] to e.g. [d-i], it still works, but when i change [a-z] to e.g. [d-g], it does not work anymore and the user/pass dialogue appears.
The exact same behaviour appears, when i change the regular expression in the LocationMatch directive in example B accordingly.
Another hint:
Using <Location /docs> instead of <LocationMatch... (see example B) does also not work. But <Location /> works.
And:
The log-output is always identical:
When access is granted without credentials the value of the REQUEST_URI is the same as the path part of the requested URL (e.g. /docs).
But when the user/pass-dialogue appears, the value is a dash ("-") this seems to be default value that apache uses for empty or not available values.
And:
The problem does persist, even when i access the server directly (without the proxy) or when i use e.g. wget to make a request to localhost on the server.
Does anyone have an idea whats going on here!?...
I finally found a workaround by myself. I use version A) - but with the environment variable THE_REQUEST instead of REQUEST_URI. Fortunately it works!
The adjusted version of A) - for GET requests only:
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require expr %{THE_REQUEST} =~ m#GET\s+\/docs\/[^\/]+\s+HTTP#
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
</VirtualHost>
Instead of using Location, you can use another directory.
<VirtualHost *:80>
ServerName domain.name
DocumentRoot /var/www/domain.name
DirectoryIndex index.php
<Directory "/var/www/domain.name/">
AuthType Basic
AuthName "Restricted"
AuthBasicProvider file
AuthUserFile /path/to/user/file
<RequireAny>
Require method OPTIONS
Require valid-user
</RequireAny>
Options +ExecCGI +FollowSymLinks
AllowOverride All
</Directory>
**<Directory "/var/www/domain.name/docs/">
AuthType None
Require all granted
</Directory>**
CustomLog "/var/log/apache2/test_log" "%t REQUEST_URI:%{REQUEST_URI}e"
</VirtualHost>
The same can be accomplished through the use of .htaccess. A related question has been answered in How to remove .htaccess password protection from a subdirectory
I'm trying to configure a WebDAV environment. However, I keep getting this error:
htaccess: require valid-user not given a valid session, are you using lazy sessions?
Looking at Fiddler, I see HTTP Code 500.
All google searches seem to include references to Shibboleth, which I have installed, but not calling in this path structure.
<Directory "/path/to/webdav">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<VirtualHost *:443>
ServerName my.domain.com
DocumentRoot "/path/to/root"
...
Alias /aaa/bbb /path/to/webdav/aaa/bbb
<Location /aaa/bbb>
Options Indexes
DAV On
AuthType Basic
AuthName "webdav"
AuthUserFile /path/to/webdav.pwd
Require valid-user
</Location>
</VirtualHost>
Solution below...
Essentially, there's a blanket requirement for a Shibboleth session in the last lines of my Host configuration.
<PathRegex regex=".*" authType="shibboleth"
requireSession="true" requireSessionWith="Intranet" />
I simply had to add an exception on the webdav folder before those lines.
<Path name="webdav" authType="shibboleth" requireSession="false" />
How do I get one domain to serve up multiple sites under Apache2. What I would like is something like this:
trac.mysite.net/project1
trac.mysite.net/project2
What I have working now, is this:
project1.mysite.net/
project2.mysite.net/
using two separate virtual hosts, which works great. However, every time I create a new project, I have to update the DNS.
What I would like is to have one virtual host configuration that points to a different directory for each project.
What I have tried is creating a 'trac' virtual host with different sections for each site. According to the error log, it tries to access the directory, but gets an access denied.
[Sun Sep 14 16:50:59.022354 2014] [autoindex:error] [pid 9811] [client 10.1.1.112:58207] AH01276: Cannot serve directory /usr/share/trac/projects/project1/htdocs/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
I tried removing indexes with Options -Indexes but that didn't get rid of the error above.
Here is my virtual host configuration:
<VirtualHost *:80>
ServerName trac.mysite.net
ServerAlias trac
ServerAdmin vv#mysite.net
# trac ####################################################################
DocumentRoot /usr/share/trac/htdocs
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /usr/share/trac/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /chrome/common /usr/share/trac/htdocs/common
Alias /chrome/site /usr/share/trac/htdocs/site
<Directory /usr/share/trac/htdocs/>
Order allow,deny
allow from all
</Directory>
WSGIScriptAlias / /usr/share/trac/cgi-bin/trac.wsgi
# project1 ###############################################################
Alias /project1 /usr/share/trac/projects/project1/htdocs
<Directory /usr/share/trac/projects/project1/htdocs/>
Order allow,deny
allow from all
</Directory>
<Directory /usr/share/trac/projects/project1/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /project1/chrome/common /usr/share/trac/projects/project1/htdocs/common
Alias /project1/chrome/site /usr/share/trac/projects/project1/htdocs/site
WSGIScriptAlias /project1 /usr/share/trac/projects/project1/cgi-bin/trac.wsgi
# project2 ################################################################
Alias /project2 /usr/share/trac/projects/project2/htdocs
<Directory /usr/share/trac/projects/project2/htdocs/>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/trac/projects/project2/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
Alias /project2/chrome/common /usr/share/trac/projects/project2/htdocs/common
Alias /project2/chrome/site /usr/share/trac/projects/project2/htdocs/site
WSGIScriptAlias /project2/ /usr/share/trac/projects/project2/cgi-bin/trac.wsgi
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/trac_error.log
CustomLog ${APACHE_LOG_DIR}/trac_access.log combined
</VirtualHost>
I know this is possible, I'm just not sure how. Any suggestions would be appreciated.
Ah. I figured out what I was doing wrong. I was using an Alias for each project directory. The Alias was overriding the WSGIScriptAlias. And it was this WSGIScriptAlias that was necessary for everything to work. It allows urls with /projectX/ in them to be an alias for the trac.wsgi script.
My new vhost config is given below. I cleaned it up a bit by removing the directives for the trac vhost and only left the DocumentRoot.
<VirtualHost *:80>
ServerName trac.mysite.net
ServerAlias trac
ServerAdmin vv#mysite.net
# trac ####################################################################
DocumentRoot /usr/share/trac/htdocs
# project1 ###############################################################
<Directory /usr/share/trac/projects/project1/htdocs/>
Order allow,deny
allow from all
</Directory>
<Directory /usr/share/trac/projects/project1/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
allow from all
</Directory>
Alias /project1/chrome/common /usr/share/trac/projects/project1/htdocs/common
Alias /project1/chrome/site /usr/share/trac/projects/project1/htdocs/site
WSGIScriptAlias /project1 /usr/share/trac/projects/project1/cgi-bin/trac.wsgi
# project2 ################################################################
<Directory /usr/share/trac/projects/project2/htdocs/>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory /usr/share/trac/projects/project2/cgi-bin/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AuthType Digest
AuthName login
AuthUserFile /etc/apache2/loginpasswd
Require valid-user
Order allow,deny
Allow from all
</Directory>
Alias /project2/chrome/common /usr/share/trac/projects/project2/htdocs/common
Alias /project2/chrome/site /usr/share/trac/projects/project2/htdocs/site
WSGIScriptAlias /project2/ /usr/share/trac/projects/project2/cgi-bin/trac.wsgi
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/trac_error.log
CustomLog ${APACHE_LOG_DIR}/trac_access.log combined
</VirtualHost>
Thanks for listening.
I've got a file accessible through my web website by typing http://www.mywebsite.com/myfile and the server run on debian.
I'd like to put an authentication with a .htaccess and .htpasswd when trying to access to previous url.
I'm quite new to .htaccess and I tried to configure it with the doc but it doesn't seems to work since when i try nothing change and when i check the error log I've got :
[error] [client IP] client denied by server configuration:
/home/file1/myfile/www/.htaccess
The content of my .htaccess is :
<Directory /home/file1/myfile/www/>
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentication"
AuthType Basic
Require valid-user
Otions Indexes FollowSymLinks Multiviews
AllowOverride All
Order allow,deny
allow from all
Redirect permanent /.htaccess http://www.mywebsite.com/myfile
ServerSignature Off
</Directory>
How may I solve this problem please ?
You can't use a <Directory> container in an htaccess file. Remove them so you just have:
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentication"
AuthType Basic
Require valid-user
Options Indexes FollowSymLinks Multiviews
AllowOverride All
Order deny,allow
deny from all
Redirect permanent /.htaccess http://www.mywebsite.com/myfile
ServerSignature Off
(you have Otions mispelled)
Also, by looking at your error, it looks as if you were trying to access the htaccess file directly, instead of myfile. It's possible there's extra configuration on the server to deny accessing htaccess files (or all files that start with a .).
It seems that deleting et creating again the user is enough to fix the FTP connexion problem.
I've modified my global apache configuration with the following :
DirectoryIndex index.html index.htm index.xhtml index.php index.txt
ServerName debian.domain.tld
#ServerName localhost
HostnameLookups Off
ServerAdmin myadressemail
UserDir www
UserDir disable root
<Directory />
Options -Indexes FollowSymLinks
AllowOverride All
</Directory>
ServerSignature Off
An now my .htaccess is :
AuthUserFile /home/file1/myfile/.htpasswd
AuthGroupFile /dev/null
AuthName "My authentification"
AuthType Basic
Require user user1
But I still have got no authentication asked, what did I do wrong ?
I have a UBUNTU/APACHE box, when I try to get to the web server using the HOST-NAME it gets me to the DocumentRoot (which is /var/www) and shows me all the files/folders there (as expected).
In my /var/www I have a few folders such as /var/www/devel and var/www/live, how can I update my config so that when I hit the server through its host-name [http://servername] it goes into a sub folder of the DocumentRoot by default.
I tried to change DocumnetRoot to point to /var/www/live, this works when I hit the host-name it sends me to the correct path, however I cannot then access /var/www/dev (by going to [http://servername/dev]).
This is most likely because now /dev is outside DocumentRoot, how can I adjust the config so that I can still get to [http://servername/dev] while [http://servername] resolves to /live.
Here is my config...
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
<Directory "/var/www/dev">
AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>
<Directory "/var/www/live">
AuthName "NTLM Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>
You don't change the DocumentRoot if you want the behavior you describe. What you need to do is redirect using something like mod_rewrite to "rewrite" that one url to point to the dir you need. That way you still have the DocumentRoot preserved. Its going to look something like this:
RewriteEngine on
RewriteRule ^/$ /live/ [R]
Check this link out for some more ideas.
Redirects