Multi-project Trac Install for Ubuntu 14.04 - apache

I'm going to preface this wall of text by saying that there are a few similar questions about, none of which deal with my particular use-case... I'm trying to get a Trac running under Ubuntu 14.04, specifically with support for multiple projects (Most guides don't seem to cover that one). I'd like to eventually move it to a proper VirtualHost with SSL support, but that's beyond the scope of this for now. [Feel free to pitch in on that too though, if you like.]
Following this old-ish guide, I've gotten the server going to the point where I can get to the Trac pages, but...
Even with a user added as TRAC-ADMIN, I get an "Authentication information not available. Please refer to the installation documentation." error when I go to the login page.
Apache is not enforcing the .htpasswd login requirement for that folder.
Snippet of apache2.conf, taken from the very end (rest is default Ubuntu 14.04 config):
WSGIScriptAlias /trac /var/trac/apache/trac.wsgi
<Directory /var/trac/apache>
WSGIApplicationGroup %{GLOBAL}
Require all granted
Order deny,allow
Allow from all
</Directory>
<Location "/trac/login">
AuthType Basic
AuthName "trac"
AuthUserFile /var/trac/.htpasswd
Require valid-user
</Location>

It sounds as though this will be OBE in the 1.1 Trac release, and as such I'm going to wait for a proper solution. We'll get by with one install and a project field and port over when the new release is available.

Related

Enable deletion of files through Apache Web Directory Listing

I have an Apache server with a Document Root pointing to a location on Linux file system. The directory structure is read-only right now, but I need to provide a way for specific users to either directly delete files or mark files to be deleted (where some automated process can run afterwards and delete the files that have been marked as so).
The users don't have ssh access to the box and I need them to be able to do this through the web directory listing.
I should mention all this is happening behind a firewall, so disregard any security risks in your response.
What you're really asking is either:
some file-manager web-app
WebDAV
For filemanager there are myriads of alternatives (for example: eXplorer, phpFileManager).
For WebDAV - you need to enable DAV module:
DavLockDB /usr/local/apache2/var/DavLock
<Location /foo>
Order Allow,Deny
Allow from all
Dav On
AuthType Basic
AuthName DAV
AuthUserFile user.passwd
<LimitExcept GET OPTIONS>
Require user admin
</LimitExcept>
</Location>
then use webdav software (Windows calls it web folders AFAIR, Mac and Linux have decent native support as well).

No handler matched request to /login for Trac 1.0 using WSGI

I am trying to configure Trac 1.0 on Apache 2.4 using WSGI in Ubuntu 13.10. I have multiple Trac projects. I used to use mod_python but this is no longer suggested and I am a bit lost. I used trac-admin /path/to/project deploy /path/to/project to generate my trac.wsgi. I then configured a new site in /etc/apache2/sites-available like this:
WSGIScriptAliasMatch ^/trac/([^/]+) /data/trac/$1/cgi-bin/trac.wsgi
<Directory /data/trac>
WSGIApplicationGroup %{GLOBAL}
Options +Indexes +ExecCGI +SymLinksIfOwnerMatch
AllowOverride None
Require all granted
</Directory>
<LocationMatch /trac/[^/]+/login>
AuthType Basic
AuthName "Trac Authentication"
AuthUserFile /data/access/htpassword
Require valid-user
</LocationMatch>
and created a link in sites-enabled and restarted apache. I had removed all permissions for the trac modules (I originally had the project running on an old 0.11 version, I did the upgrade steps described on the Trac site) so I get a msg saying I need to login, but once I have entered my creds I get the error in the subject.
Does anyone know why?
Thanks,
Gabriel
Yes, I have. I ended up installing a plugin that redirects the user to the login page: http://trac-hacks.org/wiki/PermRedirectPlugin, this works great.
I think it is due to the fact that I don't give unauthenticated users access to anything, on Trac 0.11 this simply displayed a msg asking them to login and once they logged in they got sent to the main wiki page. With 1.0 they must have changed this behavior so it no longer works with my usecase. I think it is cleaner with this plugin in cases like mine where unauthenticated users don't see anything, it should be the default in this case.
Thanks
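Added example, not part of the original posts: a Python check of which login URLs the Location section from the first Trac question and the LocationMatch section from the second one apply to. Trac shows the "Authentication information not available" error when the web server has not authenticated the request, so a login URL that no auth section covers is worth spotting. The project names and the /trac/<project>/login layout are assumptions.

```python
import re

# Constructed input: the two access-control sections quoted on this page.
CONF_SINGLE = '''<Location "/trac/login">
AuthType Basic
AuthUserFile /var/trac/.htpasswd
Require valid-user
</Location>'''
CONF_MULTI = '''<LocationMatch /trac/[^/]+/login>
AuthType Basic
AuthUserFile /data/access/htpassword
Require valid-user
</LocationMatch>'''

SECTION = re.compile(
    r'<(Location|LocationMatch)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.S | re.I)

def auth_sections(conf):
    """Return (kind, target) for each section that demands a login."""
    return [(kind.lower(), target.strip())
            for kind, target, body in SECTION.findall(conf)
            if re.search(r'^\s*Require\s+valid-user', body, re.M | re.I)]

def covers(kind, target, path):
    """True if a section of this kind applies to the URL path."""
    if kind == "locationmatch":      # unanchored regex on the URL path
        return re.search(target, path) is not None
    base = target.rstrip("/")        # <Location>: the path itself or below it
    return path == base or path.startswith(base + "/")

def unprotected(conf, paths):
    """Login URLs that no auth-enforcing section applies to."""
    sections = auth_sections(conf)
    return [p for p in paths
            if not any(covers(k, t, p) for k, t in sections)]

# Assumption: projects "alpha" and "beta" (hypothetical names) are served
# below /trac/, so each has its own /trac/<project>/login URL.
LOGIN_URLS = ["/trac/login", "/trac/alpha/login", "/trac/beta/login"]

if __name__ == "__main__":
    print(unprotected(CONF_SINGLE, LOGIN_URLS))
    print(unprotected(CONF_MULTI, LOGIN_URLS))
```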

Using "require group" with mod_authn_dbm in Apache HTTPD 2.4

I am using Apache HTTPD 2.4 and I've decided it's time for me to move from mod_authn_file to mod_authn_dbm. I've got it mostly working but it won't check my AuthDBMUserFile for group information. I've googled it and it appears that this kind of functionality should still be available, via mod_authz_dbm which I've now included. The documentation for mod_authz_dbm makes it appear that you just have to use the AuthDBMGroupFile directive as in my configuration below:
<Directory "C:/Apache24/site/requests">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider dbm
AuthDBMUserFile site/data/users
AuthDBMGroupFile site/data/users
Require group admin
</Directory>
(Don't worry, site/data is not accessible via the webserver!)
However, even though the directive is clearly known (httpd -t doesn't complain and the server starts OK), it is either being ignored or something else is trying to find a different group file. The error I see in the log file is:
AH01664: No group file was specified in the configuration
Does my configuration look incomplete somehow?
I have an answer via the Apache HTTPD Users Mailing List courtesy of Eric Covener, who says:
mod_authz_dbm responds to Require dbm-group (and dbm-file-group) only in 2.4 which seems to be a change from 2.2.
So my configuration should have been:
<Directory "C:/Apache24/site/requests">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider dbm
AuthDBMUserFile site/data/users
AuthDBMGroupFile site/data/users
Require dbm-group admin
</Directory>
I have tried this and it does exactly what I wanted. Many thanks Eric!

Apache 2.4 Require statements not parsing as expected

I'm trying to migrate from Apache 2.2 over to 2.4. One problem I'm having is getting one of my .htaccess files working as it does in 2.2. Essentially what I'm trying to do is allow all of my servers to get to the website without a password, and then require a simple password when someone not from my network, or on one of our desktops tries to get to it. The statements below are from 2.2 and work as intended. The deny statement is a subset of IPs inside the allowed from group.
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user devuser
order allow,deny
allow from xxx.xxx.xx.x/24 xxx.xxx.xx.x/16 xxx.xxx.xxx.x/24
deny from xxx.xxx.xxx.xxx/25
Satisfy any
This however is how I thought I would do the same thing in 2.4 but I cannot get it to work:
RequireAny
RequireAll
RequireAny
Require ip 10.0
Require ip 192.168.0
/RequireAny
RequireNone
Require ip 10.0.10
Require ip 192.168.0.128/25
/RequireNone
/RequireAll
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user dev
/RequireAny
Can someone tell me what I'm doing wrong? It's not requesting authentication from my desktops.
Sorry, it's not showing my tags for requireall and requireany, so I don't have them tagged.
You seem to be doing it right. Crank-up the LogLevel for authz:
LogLevel authz_core:trace3
and see, what gets logged for each hit. It may be something as silly as a typo in the IP-range specification, for example.
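Added example, not part of the original posts: a Python model of the 2.4 rule set from the question, with the stripped containers written out, that reports whether a client address is let in without a password. It reads the tree as plain Boolean logic, which is a simplification of Apache's authz results, and the sample client addresses are constructed.

```python
import ipaddress

def to_network(spec):
    """Network covered by a 'Require ip' argument (IPv4 only in this sketch).
    A partial address such as '10.0' matches every address with that prefix."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = [o for o in spec.split(".") if o]
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)))

# The rule tree from the question, with its containers written out.
RULES = ("any", [
    ("all", [
        ("any",  [("ip", "10.0"), ("ip", "192.168.0")]),
        ("none", [("ip", "10.0.10"), ("ip", "192.168.0.128/25")]),
    ]),
    ("user", "dev"),
])

def allowed(node, ip, user):
    """Boolean reading of the tree; Apache's neutral results are not modelled."""
    kind, arg = node
    if kind == "ip":
        return ipaddress.ip_address(ip) in to_network(arg)
    if kind == "user":
        return user == arg
    results = [allowed(child, ip, user) for child in arg]
    if kind == "any":
        return any(results)
    if kind == "all":
        return all(results)
    return not any(results)          # "none"

def outcome(ip, user=None):
    """What a client at `ip` should see, before and after logging in."""
    if allowed(RULES, ip, user):
        return "granted"
    return "password prompt" if user is None else "denied"

if __name__ == "__main__":
    # Constructed sample clients
    for ip in ["10.0.5.7", "10.0.10.20", "192.168.0.50", "192.168.0.200"]:
        print(ip, outcome(ip))
```

Comparing this expected outcome for a desktop's address with what the authz trace log shows helps separate a wrong range from a directive that is not being applied.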

How do I read/write as the authenticated user with Apache/WebDAV?

I've set up DAV in apache2, which works great. The thing is, all read/write operations are done with the apache user's credentials. Instead I want to use the HTTP authenticated user's credentials. If I authenticate as "john", all read and write operations should use the system user john's credentials (from /etc/passwd). suEXEC seems like overkill since I am not executing anything, but I might be wrong...
Here's the current configuration:
<VirtualHost *:80>
DocumentRoot /var/www/webdav
ServerName webdav.mydomain.com
ServerAdmin webmaster@mydomain.com
<Location "/">
DAV On
AuthType Basic
AuthName "WebDAV Restricted"
AuthUserFile /etc/apache2/extra/webdav-passwords
require valid-user
Options +Indexes
</Location>
DAVLockDB /var/lib/dav/lockdb
ErrorLog /var/log/apache2/webdav-error.log
TransferLog /var/log/apache2/webdav-access.log
</VirtualHost>
Short answer, and as far as I know: you don't.
Long answer: it is possible to implement such a feature with an appropriate mpm, and there were various attempts to do so, but they don't seem to be very actively supported, and are at least not in the mainline Apache codebase.
peruser:
Q. Is peruser ready for production use?
A. In general, no.
perchild:
This module is not functional. Development of this module is not complete and is not currently active. Do not use perchild unless you are a programmer willing to help fix it.
That's too bad, really; most uses of WebDav I've seen store ownership information at the application layer, in the database, anyway. The consensus for doing file sharing is to use Samba instead; and that's not really a solution, I admit.
We have been using davenport (http://davenport.sourceforge.net/) for years to provide access to Windows/samba shares over webdav. Samba/Windows gives a lot of control over this sort of thing, and the Davenport just makes it usable over the web over SSL without a VPN