Using "require group" with mod_authn_dbm in Apache HTTPD 2.4 - apache

I am using Apache HTTPD 2.4 and I've decided it's time for me to move from mod_authn_file to mod_authn_dbm. I've got it mostly working but it won't check my AuthDBMUserFile for group information. I've googled it and it appears that this kind of functionality should still be available, via mod_authz_dbm which I've now included. The documentation for mod_authz_dbm makes it appear that you just have to use the AuthDBMGroupFile directive as in my configuration below:
<Directory "C:/Apache24/site/requests">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider dbm
AuthDBMUserFile site/data/users
AuthDBMGroupFile site/data/users
Require group admin
</Directory>
(Don't worry, site/data is not accessible via the webserver!)
However, even though the directive is clearly known (httpd -t doesn't complain and the server starts OK), it is either being ignored or something else is trying to find a different group file. The error I see in the log file is:
AH01664: No group file was specified in the configuration
Does my configuration look incomplete somehow?

I have an answer via the Apache HTTPD Users Mailing List courtesy of Eric Covener, who says:
mod_authz_dbm responds to Require dbm-group (and dbm-file-group) only in 2.4 which seems to be a change from 2.2.
So my configuration should have been:
<Directory "C:/Apache24/site/requests">
AuthType Basic
AuthName "Secure Area"
AuthBasicProvider dbm
AuthDBMUserFile site/data/users
AuthDBMGroupFile site/data/users
Require dbm-group admin
</Directory>
I have tried this and it does exactly what I wanted. Many thanks Eric!

Related

How to add Apache2 (XAMPP) runtime argument in Windows

I am trying to set development variable for xampp under Windows in order to do this:
<IfDefine !development>
AuthType Basic
AuthName "Say the secret word"
AuthUserFile /var/www/hostname/.htpasswd
Require valid-user
</IfDefine>
on Linux you do it like this
export APACHE_ARGUMENTS=-Ddevelopment
How do I do this on Windows? I've tried to do
set APACHE_ARGUMENTS=-Ddevelopment
but it didn't work.
Any ideas?
Edit: tried to add startup parameters to apache service config, but didn't help either.
This may be a duplicate of Apache .htaccess - applying basic authentication conditionally based on environment or hostname
I have solved this issue by using the 'Allow from ....' directive.
This way I can blanket enable based off an IP ADDRESS
Here is the contents of my .htaccess file
Order deny,allow
Deny from all
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/path/to/file/.htpasswd"
Require valid-user
Allow from 127.0.0.1
Satisfy Any

apache basic auth across multiple virtualhosts

I have a few staging sites as virtual hosts on a server, plus a couple of public-facing virtual host sites. The stating sites are all under a single directory (e.g., /var/www/staging-sites/[site-document-root]).
Up to now I've been configuring HTTP Basic Auth for each virtual host, but it seems like there should be a way to do it once for all of them.
The question "apache global basic auth" indicates that I could place Basic Auth directives in a <Directory /var/www/staging-sites> container in the main apache config file, but doing so doesn't cause the browser to prompt for credentials.
Here's the output of tail -n 7 /etc/apache2/apache2.conf:
<Directory "/var/www/staging-sites/">
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider file
AuthUserFile /var/www/staging-sites/.htpasswd
Require valid-user
</Directory>
I've verified that /var/www/staging-sites/.htpasswd exists, and that the site foo.mydomain.com uses the Document Root /var/www/staging-sites/foo.
I've restarted apache to ensure the new config gets loaded.
However, when I open http://foo.mydomain.com, the site is displayed without prompting for Basic Auth credentials.
What am I doing wrong?
Solved. The problem was this section in the virtualhost configuration itself:
<Directory /var/www/staging-sites/foo>
Require all granted
</Directory>
Apparently all the virtualhosts were created with an equivalent configuration. As might be expected, Require all granted in the virtualhost config outdoes Require valid-user in the global config.
Removing that line allows the Basic Auth, as configured above, to work properly.
You can also leave Require all granted but add Satisfy all

Allow subdirectory Apache 2.4

I'm struggling with the htaccess system of apache.
My apache directories are set as follow:
www/ (Protected via /var/www/.htaccess)
www/public/ (Supposed to be unprotected via /var/www/public/.htaccess)
However i still can't access the public folder without the need to log in via my AuthType Basic from my www/.htaccess...
www/.htaccess:
AuthType Basic
AuthName "Acces restreint"
AuthUserFile "/var/www/.htpasswd"
Require valid-user
www/public/.htaccess:
AuthType None
Require All Granted
I really am not an expert in Apache so I may have missed the obvious.
Ok, I just figured out that what I was doing works but using H5AI as browser it needed to access the files.
I simply added a rule in the apache2.conf to prevent him being overwritten by the main directory .htaccess and all worked fine.

Multi-project Trac Install for Ubuntu 14.04

I'm going to preface this wall of text by saying that there are a few similar questions about, none of which deal with my particular use-case... I'm trying to get a Trac running under Ubuntu 14.04, specifically with support for multiple projects (Most guides don't seem to cover that one). I'd like to eventually move it to a proper VirtualHost with SSL support, but that's beyond the scope of this for now. [Feel free to pitch in on that too though, if you like.]
Following this old-ish guide, I've gotten the server going to the point where I can get to the Trac pages, but...
Even with a user added as TRAC-ADMIN, I get a "Authentication information not available. Please refer to the installation documentation." error when I go to the login page.
Apache is not enforcing the .htpasswd login requirement for that folder.
Snippet of apache2.conf, taken from the very end (rest is default Ubuntu 14.04 config):
WSGIScriptAlias /trac /var/trac/apache/trac.wsgi
<Directory /var/trac/apache>
WSGIApplicationGroup %{GLOBAL}
Require all granted
Order deny,allow
Allow from all
</Directory>
<Location "/trac/login">
AuthType Basic
AuthName "trac"
AuthUserFile /var/trac/.htpasswd
Require valid-user
</Location>
It sounds as though this will be OBE in the 1.1 Trac release, and as such I'm going to wait for a proper solution. We'll get by with one install and a project field and port over when the new release is available.

Apache 2.4 Require statements not parsing as expected

I'm trying to migrate from Apache 2.2 over to 2.4. One problem I'm having is getting one of my .htaccess files working as it does in 2.2. Essentially what I'm trying to do is allow all of my servers to get to the website without a password, and then require a simple password when someone not from my network, or on one of our desktops trys to get to it. The statements below are from 2.2 and work as intended. The deny statement is a subset of IP's inside the allowed from group.
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user devuser
order allow,deny
allow from xxx.xxx.xx.x/24 xxx.xxx.xx.x/16 xxx.xxx.xxx.x/24
deny from xxx.xxx.xxx.xxx/25
Satisfy any
This however is how I thought I would do the same thing in 2.4 but I cannot get it to work:
RequireAny
RequireAll
RequireAny
Require ip 10.0
Require ip 192.168.0
/RequireAny
RequireNone
Require ip 10.0.10
Require ip 192.168.0.128/25
/RequireNone
/RequireAll
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user dev
/RequireAny
Can someone tell me what I'm doing wrong? It's not requesting authenticate from my desktops.
Sorry it's not showing my tags for requireall and requireany. so I don't have them tagged.
You seem to be doing it right. Crank-up the LogLevel for authz:
LogLevel authz_core:trace3
and see, what gets logged for each hit. It may be something as silly as a typo in the IP-range specification, for example.