I have an apache configuration containing the following directives. It is for a trac environment with multiple projects, each containing a different set of users that are allowed access.
I want to use a wildcard to allow only a defined group access to this environment, how can this be done? Currently my config allowes all users:
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
Require valid-user
</LocationMatch>
But I would like it to read something like:
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
Require Group [^/]
</LocationMatch>
Is this possible?
With Trac, I find it much easier to allow access to everybody in the Apache config and then use Trac's account manager plugin (http://trac-hacks.org/wiki/AccountManagerPlugin) to control access to each project's Trac instance. Revoke all permissions from the 'anonymous' user, and users from group2 won't be able to do anything with group1's Trac instance except see an error page and be prompted to login.
What I would do is the following...
<LocationMatch "/private/[^/]+/login">
AuthType Basic
AuthName "Trac"
AuthUserFile /home/auth/private.access.user
AuthGroupFile /home/auth/private.access.groups
Require Group group1 group2
</LocationMatch>
Where the group file /home/auth/private.access.groups is just a simple text (ascii) file, for example it could look like this:
group1: john barry
group2: frank jeremy
I'm not sure it Regular Expressions are possible in Require Group directive (I doubt they are), I always name particular names of groups listed in the group authentication file.
Related
Is it possible to require Basic Authentication for all but specified User Agents in Apache configuration?
P.S. I know that User Agents can be easily faked, but for my use case such conditional authentication would be enough.
After searching for quite a bit and experimenting, I came up with the answer. One needs these lines in their .htaccess file:
SetEnvIf User-Agent ^VipAgent1 vip_agent
SetEnvIf User-Agent ^VipAgent2 vip_agent
Order Allow,Deny
Allow from env=vip_agent
AuthType Basic
AuthName "Protected Login"
AuthUserFile /path/to/htpasswd
Require valid-user
Satisfy any
In addition, for this to work, one would need to make sure that mod_rewrite, mod_authn_file, and mod_setenvif are enabled in httpd.conf and also this directive is set there:
AllowOverride All
This configuration gives access for requests with User Agent starting "VipAgent1" and "VipAgent2", but asks for the authentication credentials for all other visitors.
I would like to know if I can merge group and specific users authorisation.
I have in my httpd.conf something like:
<Directory /path/to/dir>
AuthType Basic
AuthName "Private pages"
AuthBasicProvider file
AuthUserFile /path/to/dir/.htpasswd
AuthGroupFile /path/to/dir/.htgroup
Require user user1 user2 user3
Require group group1 group2
</Directory>
Then I access it from browser. I use user1, I did not success and I got, in the error_log, the error:
Authorization of user user1 to access /path/to/dir failed, reason: user is not part of the 'require'ed group(s).
Can I do it?
Yes, but the user would have to match both the user directive AND the group directive. You should be able to use the
Satisfy Any
setting if you want just the group or the user directive to match
In Apache, what would be the best way to only give access to users who pass the two following tests:
User does not appear in blacklist (alternatively, appears in whitelist)
User has valid LDAP user account
I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.
I have managed to do that using
mod_auth_ldap to authenticate valid users
mod_authz_host to blacklist IP ranges
The config then looks something like:
<Location /blacklisted >
AuthType Basic
AuthName "PAM"
AuthBasicProvider ldap
Require valid-user
AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
AuthzLDAPAuthoritative off
AuthLDAPBindDN bindUser#example.com
AuthLDAPBindPassword verySecurePasswd
Order allow,deny
Deny from 192.168.1
Allow from all
</Location>
However, I still don't know whether that would be feasible if I wanted to blacklist LDAP usernames instead of IP addresses. (Covener seems to suggest some complex config could do it but I haven't tried it).
Say I have a htaccess file shared by "dev.server" and "server.site.com".
The first domain should allow all users to access it unchallenged (it only exists on my local development server).
The second domain I want to authenticate users with Apache (NOT by database).
The code to authenticate users is:
AuthType Basic
AuthName "Server Admin"
AuthUserFile "/path/to/passwd"
require valid-user
What I can't do is make those 4 lines only matter if the domain is "server.site.com". How can I do this?
I searched for something like <IfEnv HTTP_HOST "site.server.com"> but had no luck.
This appears to work, still need to do some testing on it though.
Order Deny,Allow
Deny from all
SetEnvIf Host domain.for.no.auth dev
Allow from env=dev
AuthUserFile .pwd
AuthType Basic
AuthName MySite
Require valid-user
Satisfy Any
As far as I know, this can't be done in a .htaccess file. You'd have to put this into a Directory or VirtualHost section, both of which can't be used in a .htaccess file.
You would have to define it in two separate files, or directly in the server's configuration in the VirtualHost section.
I'm trying to work out how to check if a user is a member of Group A and Group B with basic authorisation in Apache. Currently I have:
AuthType Basic
AuthName "Log Authors"
AuthUserFile /iweb/s3078033/apache2-secure/auth/user.file
AuthGroupFile /iweb/s3078033/apache2-secure/auth/group.file
Require group admin logger
which only checks if the user is a member of admin OR logger. I've tried looking all through the Apache documentation, but am not having much luck.
Any help would be great.
This should work <RequireAll>
Compatibility: Available in Apache 2.3 and later
Requires mod_authz_core
PS: I didn't try as I've only Apache 2.2.
You've likely already tried but would placing the Require directive on two lines help?
AuthType Basic
AuthName "Log Authors"
AuthUserFile /iweb/s3078033/apache2-secure/auth/user.file
AuthGroupFile /iweb/s3078033/apache2-secure/auth/group.file
Require group admin
Require group logger