httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: htaccess files
Date Wed, 10 Jul 2002 07:29:39 GMT
Please see below for a few comments - there are a couple of things still odd about your config...

Rgds,

Owen Boyle

>From: Doug Groves [mailto:groups@valis.net]
>
>Thanks for taking the time...here's what I have set up now....
>
>Overview:
>FreeBSD 4.1  Apache+SSL 1.3.26 - P3 450 with 128 megs ram.
>
>I am restarting Apache each time I make a change, even to the
>.htaccess files.
>
>I am editing the correct httpd.conf and there is only one instance
>of Apache accessing this directory.

Good - so nothing silly going on (you have to check ;-)

>Here are what I assume/remember to be the pertinent parts from the
>httpd.conf file..
>
>------
>   <Directory>
>     AllowOverride AuthConfig
>   </Directory>

I'm not sure what this is for... You need a path in a directory container for it to make any
sense (e.g. <Directory /path/to/dir>). However, I don't think it would cause a problem
since it will just be ignored. For efficiency, it is probably better to remove it or add a
path (n.b. <Directory /> will apply to the whole filesystem, if you want).

>DocumentRoot "/usr/local/www/data"

I assume you have a directory container for the doc-root with "Allow from all" in it. The
CGI directory is not under the doc-root - that is fine since it doesn't need to be, but then
you will have to allow access to it separately...

>   <Directory "/usr/local/www/cgi-bin/testcgi">
>     deny from all
>     AllowOverride AuthConfig
>     Order deny, allow
>   </Directory>

I assume you have "ScriptAlias /cgi /usr/local/www/cgi-bin/testcgi" somewhere... In any case,
this now explains why you are getting the 403 Forbidden - you have "deny from all" in this
container.

>Here is the contents of /usr/local/www/cgi-bin/testcgi/.htaccess
>
>   AuthType Basic
>   AuthUserFile /usr/local/etc/apache/master.passwd
>   AuthName TestCGI
>   require valid-user

This looks OK - I take it the file exists on this path...

>I also chown'd the file to nobody (chgrp nobody as well) and chmod'd
>it to 600.

I'm puzzled here... The file has to be readable by the apache user. If it has mode 600, it
is only readable by its owner. Is the owner apache? If you are very keen on security and want
it to be only readable by its owner, then the owner has to be the apache user. Otherwise,
note that the file contains encrypted passwords (not plaintext) and if security is not so
critical and you don't want to change the owner, you can just have it mode 644 (group and
world readable).  

>Oddly enough, when I try to access it now, I get the Forbidden error
>as opposed to it just executing.  I've tried putting all the .htaccess
>directives in the Directory container as well (so it looks like this...
>
>   <Directory "/usr/local/www/cgi-bin/testcgi">
>     deny from all
>     AllowOverride AuthConfig
>     Order deny, allow
>     AuthType Basic
>     AuthUserFile /usr/local/etc/apache/master.passwd
>     AuthName TestCGI
>     require valid-user
>   </Directory>
>
>With the same Forbidden error.  It does seem I'm getting closer...

As we saw previously, your "deny from all" is now causing the Forbidden error.

Pulling it all together, I would recommend a basic config like this:

DocumentRoot /usr/local/www/data
<Directory /usr/local/www/data>
  Allow from all
</Directory>

ScriptAlias /cgi /usr/local/www/cgi-bin/testcgi
<Directory /usr/local/www/cgi-bin/testcgi>
  Allow from all

  AuthType Basic
  AuthUserFile /usr/local/etc/apache/master.passwd
  AuthName TestCGI
  require valid-user
</Directory>

If that works (it should!), move the authentication directives back into .htaccess and do


<Directory /usr/local/www/cgi-bin/testcgi>
  Allow from all
  AllowOverride AuthConfig
</Directory>

If you have any problems, check in the error log - you should see something if it is having
trouble with authentication.

Rgds,

Owen Boyle
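
An added example, not part of the original message: a simplified Python model of how Apache 1.3 combines Order/Allow/Deny with "require" under the default "Satisfy all", showing why the quoted container answers 403 even for valid credentials while the recommended one answers 401 and then 200. The function names and the client address are assumptions of this example, and the sample containers are constructed from the ones in the thread.

```python
# Added illustration: simplified model of Apache 1.3 host access
# (Order/Allow/Deny) combined with `require` under Satisfy.
# Only "from all" and exact client-address matches are modelled.

def parse_block(text):
    """Collect the access directives of one <Directory> body."""
    cfg = {"order": "deny,allow", "allow": [], "deny": [],
           "require": None, "satisfy": "all"}  # Apache 1.3 defaults
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith(("#", "<")):
            continue
        name, args = words[0].lower(), words[1:]
        if name == "order":  # joined so "deny, allow" reads as "deny,allow"
            cfg["order"] = "".join(args).lower()
        elif name in ("allow", "deny") and args[:1] == ["from"]:
            cfg[name].extend(a.lower() for a in args[1:])
        elif name == "require":
            cfg["require"] = " ".join(args)
        elif name == "satisfy" and args:
            cfg["satisfy"] = args[0].lower()
    return cfg

def host_allowed(cfg, client):
    hit = lambda rules: "all" in rules or client in rules
    if cfg["order"] == "allow,deny":  # default deny
        return hit(cfg["allow"]) and not hit(cfg["deny"])
    # deny,allow: default allow; refused only if Deny matches and Allow does not
    return not hit(cfg["deny"]) or hit(cfg["allow"])

def status(cfg, client, authenticated):
    """HTTP status the model predicts for one request."""
    host_ok = host_allowed(cfg, client)
    if cfg["require"] is None:
        return 200 if host_ok else 403
    if cfg["satisfy"] == "any":  # either check is enough
        return 200 if host_ok or authenticated else 401
    if not host_ok:  # Satisfy all: host check fails, credentials irrelevant
        return 403
    return 200 if authenticated else 401

AUTH = "AuthType Basic\nAuthName TestCGI\nrequire valid-user\n"
# Constructed from the containers in the thread (AuthUserFile omitted).
QUOTED = "deny from all\nAllowOverride AuthConfig\nOrder deny,allow\n" + AUTH
RECOMMENDED = "Allow from all\n" + AUTH
CLIENT = "192.0.2.10"  # constructed documentation address

if __name__ == "__main__":
    for label, block in (("quoted", QUOTED), ("recommended", RECOMMENDED)):
        print(label, [status(parse_block(block), CLIENT, a) for a in (False, True)])
```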
