How do I read/write as the authenticated user with Apache/WebDAV? - apache

I've set up DAV in apache2, which works great. The thing is, all read/write operations are done with the apache user's credentials. Instead I want to use the HTTP authenticated user's credentials. If I authenticate as "john", all read and write operations should use the system user john's credentials (from /etc/passwd). suEXEC seems like overkill since I am not executing anything, but I might be wrong...
Here's the current configuration:
<VirtualHost *:80>
    DocumentRoot /var/www/webdav
    ServerName webdav.mydomain.com
    ServerAdmin webmaster#mydomain.com
    <Location "/">
        DAV On
        AuthType Basic
        AuthName "WebDAV Restricted"
        AuthUserFile /etc/apache2/extra/webdav-passwords
        require valid-user
        Options +Indexes
    </Location>
    DAVLockDB /var/lib/dav/lockdb
    ErrorLog /var/log/apache2/webdav-error.log
    TransferLog /var/log/apache2/webdav-access.log
</VirtualHost>

Short answer, and as far as I know: you don't.
Long answer: it is possible to implement such a feature with an appropriate MPM, and there were various attempts to do so, but they don't seem to be very actively supported, and are at least not in the mainline Apache codebase.
peruser:
Q. Is peruser ready for production use?
A. In general, no.
perchild:
This module is not functional. Development of this module is not complete and is not currently active. Do not use perchild unless you are a programmer willing to help fix it.
That's too bad, really; most uses of WebDAV I've seen store ownership information at the application layer, in the database, anyway. The consensus for doing file sharing is to use Samba instead; and that's not really a solution, I admit.
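Added example, not part of the question or either answer: since Apache cannot switch to the system uid of the HTTP user, the nearest thing it can enforce by itself is that each authenticated user only reaches their own subtree. Apache 2.4.8 and later can express that with a named capture in LocationMatch, which is exported as the environment variable MATCH_USER before authorization runs. The block assumes one directory per user under /var/www/webdav, writable by the Apache user, the same password file as the question, mod_dav and mod_ssl loaded, and TLS (Basic credentials on port 80 cross the network in cleartext); the certificate paths are placeholders.

```apache
# Added example, not the question's configuration. Files are still written as
# the Apache user; what this enforces is that "john" can only reach /john/...
# Assumed: /var/www/webdav/<user>/ exists for each user in the password file,
# httpd 2.4.8 or later (named captures in LocationMatch), mod_dav and mod_ssl
# loaded, placeholder certificate paths.
<VirtualHost *:443>
    ServerName   webdav.mydomain.com
    DocumentRoot /var/www/webdav
    DAVLockDB    /var/lib/dav/lockdb

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/webdav.pem      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/webdav.key    # placeholder

    # Default for everything under the root, including "/" itself: no access.
    <Location "/">
        Require all denied
    </Location>

    # /<user>/...: the named group is exported as the env var MATCH_USER
    # before authorization runs, so it can be compared with REMOTE_USER.
    <LocationMatch "^/(?<user>[^/]+)(/|$)">
        DAV On
        Options -Indexes

        AuthType Basic
        AuthName "WebDAV Restricted"
        AuthUserFile /etc/apache2/extra/webdav-passwords

        # Both must hold: credentials were presented and verified, and the
        # authenticated name equals the first path segment of the URL.
        <RequireAll>
            Require valid-user
            Require expr %{REMOTE_USER} == %{env:MATCH_USER}
        </RequireAll>
    </LocationMatch>

    ErrorLog    /var/log/apache2/webdav-error.log
    TransferLog /var/log/apache2/webdav-access.log
</VirtualHost>
```

With this in place, an unauthenticated request is challenged by Require valid-user, and a request by john for /alice/ is refused after authentication because REMOTE_USER and MATCH_USER differ. The later LocationMatch section replaces the Require all denied of the enclosing Location for matching paths (AuthMerging is Off by default), so the order of the two sections matters. Ownership on disk is unchanged: every file is still created by the Apache user, which is exactly the limitation the answer describes.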

We have been using Davenport (http://davenport.sourceforge.net/) for years to provide access to Windows/Samba shares over WebDAV. Samba/Windows gives a lot of control over this sort of thing, and Davenport just makes it usable over the web over SSL without a VPN.

Related

Apache Authentication of an IP Address

I'm new to Apache, so sorry if this is a newbie question. I have a reverse proxy set up (and working) with the following config, which includes a working authentication:
<VirtualHost *:80>
    ServerAdmin webmaster#localhost
    DocumentRoot /var/www/html
    ProxyPass /PIZZA/ http://localhost:3636/PIZZA/
    ProxyPassReverse /PIZZA/ http://localhost:3636/PIZZA/
    ProxyPreserveHost On
    <Location /PIZZA/>
        AuthUserFile /etc/USER_PWD/PIZZA_PWD
        AuthName "Password Protected"
        AuthType Basic
        require valid-user
    </Location>
</VirtualHost>
The above authentication is working if I go to my /PIZZA/ URL.
However, if I type in the source IP address for the same URL (e.g. 192.168.1.11:3636/PIZZA/), the web page loads without the need for authentication.
My question: is there a way to authenticate the specific source IP address? Something like the following (which doesn't work)?
<Location http://192.168.1.11:3636/PIZZA/>
    AuthUserFile /etc/USER_PWD/PIZZA_PWD
    AuthName "Password Protected"
    AuthType Basic
    require valid-user
</Location>
Any help would be very much appreciated. Thanks!
In the 2nd case, you're not even accessing Apache, so no Apache configuration is going to make any difference. If you want the backend server to only accept connections from your proxy server, you'll have to configure the backend server appropriately (or count on it being inaccessible over TCP).
Thanks for the responses. It was probably a rookie error trying to do the second authentication.
Arkascha - your answer pointed me in the right direction and I got it to work. I essentially just blocked access to the port in the firewall and that worked.
I would have never figured this out without your pointing me in the right direction so thanks!
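Added example, not from the thread: the bypass exists because the backend on port 3636 listens on every interface, so the password check on the proxy is skipped simply by connecting to the backend directly. The fix belongs on the backend, not the proxy. The page does not say what software the backend is; the block assumes it is itself an httpd instance and shows the two independent layers a practitioner would want: binding to loopback, and a source-address check that survives if the bind address is later widened.

```apache
# Added example, assuming the backend on :3636 is itself an httpd instance
# (the page does not identify it). Two independent layers:
#   1. Listen only on loopback, so 192.168.1.11:3636 is not reachable at all
#      from the network (the firewall rule the poster added does the same job
#      one layer down).
#   2. Even if Listen is later widened to 0.0.0.0, refuse every client that
#      is not the reverse proxy running on this host.
Listen 127.0.0.1:3636

<VirtualHost 127.0.0.1:3636>
    ServerName backend.localhost        # assumed name
    DocumentRoot /var/www/html

    <Location /PIZZA/>
        # Only the local reverse proxy may talk to the backend. Two Require
        # lines at the same level are combined as RequireAny.
        Require ip 127.0.0.1
        Require ip ::1
    </Location>
</VirtualHost>
```

The front-end vhost stays as posted in the question; authentication happens only there. One detail to check after the change: the posted ProxyPass target is http://localhost:3636/, and if localhost resolves to ::1 first on the proxy host, the connection to a socket bound to 127.0.0.1 is refused, so point ProxyPass and ProxyPassReverse at http://127.0.0.1:3636/PIZZA/ to match the Listen address.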

Multi-project Trac Install for Ubuntu 14.04

I'm going to preface this wall of text by saying that there are a few similar questions about, none of which deal with my particular use-case... I'm trying to get Trac running under Ubuntu 14.04, specifically with support for multiple projects (most guides don't seem to cover that one). I'd like to eventually move it to a proper VirtualHost with SSL support, but that's beyond the scope of this for now. [Feel free to pitch in on that too though, if you like.]
Following this old-ish guide, I've gotten the server going to the point where I can get to the Trac pages, but...
Even with a user added as TRAC_ADMIN, I get an "Authentication information not available. Please refer to the installation documentation." error when I go to the login page.
Apache is not enforcing the .htpasswd login requirement for that folder.
Snippet of apache2.conf, taken from the very end (rest is default Ubuntu 14.04 config):
WSGIScriptAlias /trac /var/trac/apache/trac.wsgi
<Directory /var/trac/apache>
    WSGIApplicationGroup %{GLOBAL}
    Require all granted
    Order deny,allow
    Allow from all
</Directory>
<Location "/trac/login">
    AuthType Basic
    AuthName "trac"
    AuthUserFile /var/trac/.htpasswd
    Require valid-user
</Location>
It sounds as though this will be OBE in the 1.1 Trac release, and as such I'm going to wait for a proper solution. We'll get by with one install and a project field and port over when the new release is available.

No handler matched request to /login for Trac 1.0 using WSGI

I am trying to configure Trac 1.0 on Apache 2.4 using WSGI in Ubuntu 13.10. I have multiple Trac projects. I used to use mod_python, but this is no longer suggested and I am a bit lost. I used trac-admin /path/to/project deploy /path/to/project to generate my trac.wsgi. I then configured a new site in /etc/apache2/sites-available like this:
WSGIScriptAliasMatch ^/trac/([^/]+) /data/trac/$1/cgi-bin/trac.wsgi
<Directory /data/trac>
    WSGIApplicationGroup %{GLOBAL}
    Options +Indexes +ExecCGI +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>
<LocationMatch /trac/[^/]+/login>
    AuthType Basic
    AuthName "Trac Authentication"
    AuthUserFile /data/access/htpassword
    Require valid-user
</LocationMatch>
and created a link in sites-enabled and restarted Apache. I had removed all permissions for the trac modules (I originally had the project running on an old 0.11 version; I did the upgrade steps described on the Trac site), so I get a message saying I need to log in, but once I have entered my credentials I get the error in the subject.
Does anyone know why?
Thanks,
Gabriel
Yes, I have. I ended up installing a plugin that redirects the user to the login page: http://trac-hacks.org/wiki/PermRedirectPlugin. This works great.
I think it is due to the fact that I don't give unauthenticated users access to anything. On Trac 0.11 this simply displayed a message asking them to log in, and once they logged in they got sent to the main wiki page. With 1.0 they must have changed this behavior, so it no longer works with my use case. I think it is cleaner with this plugin in cases like mine where unauthenticated users don't see anything; it should be the default in this case.
Thanks

Apache ignores 'require user'

We are using a Berkeley DB for authorisation of SVN access.
We have it configured like this:
<Location /svn>
    AuthType basic
    AuthName "svn Authentication"
    AuthBasicProvider dbm
    AuthDBMUserFile /****/userDatabase.db
    AuthDBMType db
    AuthDBMGroupFile /****/userDatabase.db
    AuthzDBMType db
    SSLRequireSSL
</Location>
Up to here everything works fine and people gain access according to their respective groups. Now I want/need to add some specific users who should gain (read-only) access to one repository without changing their groups. I tried the following:
<Location /svn/administration>
    DAV svn
    SVNPath /data/svn/administration
    SVNPathAuthz off
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require group svn-admin-readwrite
    </LimitExcept>
    <Limit GET PROPFIND OPTIONS REPORT>
        Require group svn-admin-read
        Require user testUser testUser2
    </Limit>
</Location>
The modules 'authn_dbm' and 'authz_user' are enabled. Anything (obvious) I am missing here? Any help is appreciated!
Anything (obvious) I am missing here?
Reading (and understanding) some parts of the SVN Book, at least "Per-directory access control" (maybe the full chapter "httpd, the Apache HTTP Server") and "Path-Based Authorization".
I see at least two weaknesses in the current config:
Without DAV svn + SVNParentPath in the <Location /svn> container you have to have N+1 Location containers for N repositories, and add or remove a location for every added or removed repository. The Subversion way is to have a single location for the parent of the repository directories:
For example, if you know you will be creating multiple Subversion repositories in a directory /var/svn that would be accessed via URLs such as http://my.server.com/svn/repos1, http://my.server.com/svn/repos2, and so on, you could use the httpd.conf configuration syntax in the following example:
<Location /svn>
    DAV svn
    # Automatically map any "/svn/foo" URL to repository /var/svn/foo
    SVNParentPath /var/svn
</Location>
Using this syntax, Apache will delegate the handling of all URLs whose path portions begin with /svn/ to the Subversion DAV provider, which will then assume that any items in the directory specified by the SVNParentPath directive are actually Subversion repositories. This is a particularly convenient syntax in that, unlike the use of the SVNPath directive, you don't have to restart Apache to add or remove hosted repositories.
Path-based ACLs for Subversion in Apache are implemented (and used in 99% of cases) with authz_svn_module and AuthzSVNAccessFile, in which users' and groups' access rights (for any repository in the tree, or for part of a repository tree) are defined, and also group membership, which makes AuthDBMGroupFile obsolete (and the Location, without LimitExcept and Limit, more compact and readable).
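Added example, not from the question or the answer, putting the two recommendations together: one Location for every repository under the parent directory, and the per-repository read/write decision moved into a Subversion access file, which also carries group membership. The access-file path /data/access/svn-authz, the user database path and the member names are assumed; the group names and testUser/testUser2 are the question's. mod_authz_svn must be loaded, and SVNPathAuthz is left at its default (On) so the per-path rules in the file are honoured.

```apache
# Added example (not from the question or answer): one <Location> for all
# repositories under /data/svn, with read vs write decided per repository and
# path by AuthzSVNAccessFile instead of <Limit>/<LimitExcept> blocks.
# Assumed paths: /etc/apache2/svn-users.db, /data/access/svn-authz.
<Location /svn>
    DAV svn
    SVNParentPath /data/svn          # /svn/<repo> -> /data/svn/<repo>
    SVNListParentPath off            # do not enumerate repositories at /svn/

    AuthType Basic
    AuthName "svn Authentication"
    AuthBasicProvider dbm
    AuthDBMType db
    AuthDBMUserFile /etc/apache2/svn-users.db   # assumed path
    SSLRequireSSL

    # Every request needs valid credentials; the access file then decides
    # what the authenticated user may read or write. No AuthDBMGroupFile,
    # AuthzDBMType, <Limit> or <LimitExcept> is needed any more.
    AuthzSVNAccessFile /data/access/svn-authz
    Require valid-user
</Location>

# Contents of /data/access/svn-authz (a separate file in Subversion's
# INI-style authz format; member names are assumed):
#
#   [groups]
#   svn-admin-readwrite = alice, bob
#   svn-admin-read      = carol
#
#   [/]
#   * =
#
#   [administration:/]
#   @svn-admin-readwrite = rw
#   @svn-admin-read      = r
#   testUser             = r
#   testUser2            = r
```

The [/] section with "* =" is the default-deny for every repository under the parent path; each repository then opens only what its own section grants, so adding a repository means adding a section to the file rather than a Location to httpd.conf. Granting testUser read access to one repository, the original goal, is a single line and leaves the user's group membership untouched.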

Apache 2.4 Require statements not parsing as expected

I'm trying to migrate from Apache 2.2 over to 2.4. One problem I'm having is getting one of my .htaccess files working as it does in 2.2. Essentially what I'm trying to do is allow all of my servers to get to the website without a password, and then require a simple password when someone not from my network, or on one of our desktops, tries to get to it. The statements below are from 2.2 and work as intended. The deny statement is a subset of IPs inside the allowed-from group.
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user devuser
order allow,deny
allow from xxx.xxx.xx.x/24 xxx.xxx.xx.x/16 xxx.xxx.xxx.x/24
deny from xxx.xxx.xxx.xxx/25
Satisfy any
This however is how I thought I would do the same thing in 2.4 but I cannot get it to work:
<RequireAny>
    <RequireAll>
        <RequireAny>
            Require ip 10.0
            Require ip 192.168.0
        </RequireAny>
        <RequireNone>
            Require ip 10.0.10
            Require ip 192.168.0.128/25
        </RequireNone>
    </RequireAll>
    AuthType Basic
    AuthName "Dev password"
    AuthUserFile /path/.htpass
    Require user dev
</RequireAny>
Can someone tell me what I'm doing wrong? It's not requesting authentication from my desktops.
Sorry, it's not showing my tags for RequireAll and RequireAny, so I don't have them tagged.
You seem to be doing it right. Crank up the LogLevel for authz:
LogLevel authz_core:trace3
and see what gets logged for each hit. It may be something as silly as a typo in the IP range specification, for example.