httpd-users mailing list archives

From Mike Dewhirst <mi...@dewhirst.com.au>
Subject Re: [users@httpd] basic auth config
Date Thu, 17 Nov 2005 00:29:47 GMT
Mike Dewhirst wrote:
> Boyle Owen wrote:
> 
>>> -----Original Message-----
>>> From: Mike Dewhirst [mailto:miked@dewhirst.com.au]
<snip>
>> Some people are convinced the Earth is flat but that don't make it so 
>> :-) By far the most likely reason for your problem still is that 
>> apache is misconfigured.

You are still right and I am up a gum tree.

I can edit my Basic Auth entry realm and see it change in the userid 
dialog in the browser so I at least know SuSE Linux 9.1, Apache 2.0.53 
is reading what I write. However none of my password attempts work. I 
even started a spurious thread (sorry!) before checking the error_log.

httpd -t returns Syntax OK

Here are some relevant error_log entries ...

[Thu Nov 17 11:02:37 2005] [error] [client 192.168.0.29] Could not fetch resource information.  [301, #0]
[Thu Nov 17 11:02:37 2005] [error] [client 192.168.0.29] (84)Invalid or incomplete multibyte or wide character: Requests for a collection must have a trailing slash on the URI.  [301, #0]

This was another machine which I used to access one of the subversion 
repositories successfully. I didn't know it produced these errors until 
I checked for the basic auth errors below!

<error_log>

[Thu Nov 17 11:14:27 2005] [error] [client 192.168.0.38] (2)No such file or directory: Could not open password file: /svr/www/data/pwl/academics/memb
[Thu Nov 17 11:14:27 2005] [error] [client 192.168.0.38] user miked not found: /auth/mcfs/

</error_log>

That /svr/www/data/pwl/academics/memb password file definitely exists 
and all the permissions are OK (775) and owner of every directory in 
that path and the memb file itself is wwwrun.www

The Basic Auth config is as follows ...

#
<IfModule mod_alias.c>
     Alias /auth/mcfs    /srv/www/htdocs/auth/mcfs
</IfModule>
#
<Directory /srv/www/htdocs/auth/mcfs>
     Order allow,deny
     Allow from all
</Directory>
#
<Location /auth/mcfs>
     AuthType Basic
     AuthName "Academics"
     AuthUserFile /svr/www/data/pwl/academics/memb
     Require valid-user
</Location>
#

Here are the modules apache loads from 
/etc/apache2/sysconfig.d/loadmodule.conf ...

#
# Files in this directory are created at apache start time by /usr/sbin/rcapache2.
# Do not edit them!
#

# as listed in APACHE_MODULES (/etc/sysconfig/apache2)

LoadModule access_module                  /usr/lib/apache2-prefork/mod_access.so
LoadModule actions_module                 /usr/lib/apache2-prefork/mod_actions.so
LoadModule alias_module                   /usr/lib/apache2-prefork/mod_alias.so
LoadModule asis_module                    /usr/lib/apache2-prefork/mod_asis.so
LoadModule auth_module                    /usr/lib/apache2-prefork/mod_auth.so
LoadModule autoindex_module               /usr/lib/apache2-prefork/mod_autoindex.so
LoadModule cgi_module                     /usr/lib/apache2-prefork/mod_cgi.so
LoadModule dav_module                     /usr/lib/apache2-prefork/mod_dav.so
LoadModule dav_svn_module                 /usr/lib/apache2/mod_dav_svn.so
LoadModule authz_svn_module               /usr/lib/apache2/mod_authz_svn.so
LoadModule dir_module                     /usr/lib/apache2-prefork/mod_dir.so
LoadModule env_module                     /usr/lib/apache2-prefork/mod_env.so
LoadModule imap_module                    /usr/lib/apache2-prefork/mod_imap.so
LoadModule include_module                 /usr/lib/apache2-prefork/mod_include.so
LoadModule log_config_module              /usr/lib/apache2-prefork/mod_log_config.so
LoadModule mime_module                    /usr/lib/apache2-prefork/mod_mime.so
LoadModule negotiation_module             /usr/lib/apache2-prefork/mod_negotiation.so
LoadModule setenvif_module                /usr/lib/apache2-prefork/mod_setenvif.so
LoadModule status_module                  /usr/lib/apache2-prefork/mod_status.so
#

As previously indicated, subversion is working perfectly with this 
configuration. It calls for a Basic Auth userid and password which work 
fine and generously let me see the contents of the repositories despite 
the errors shown in the log. However, as you can see, passwords are 
stored elsewhere. Here is the working subversion.conf ...

# subversion
# see /usr/share/doc/packages/subversion for the full documentation
#
<IfModule mod_dav_svn.c>
     <IfModule mod_alias.c>
         Alias /repos    /srv/svn/html
     </IfModule>
#
     <Directory /srv/svn/html>
         Options         Indexes +Multiviews -FollowSymLinks
         IndexOptions    FancyIndexing \
                         ScanHTMLTitles \
                         NameWidth=* \
                         DescriptionWidth=* \
                         SuppressLastModified \
                         SuppressSize
         Order allow,deny
         Allow from all
     </Directory>
#
     <Location /repos>
         DAV svn
         SVNParentPath /srv/svn/repos
         # Require SSL connection for password protection.
         # SSLRequireSSL
         AuthType Basic
         AuthName "repositories"
         AuthUserFile /srv/svn/user_access/auth-file
         AuthzSVNAccessFile /srv/svn/user_access/access-policy
         Require valid-user
     </Location>
</IfModule>
#

I really appreciate your help.

Thanks

Mike




> 
>>
>> I have a couple of points you might like to consider:
>>
>> 1) Your config structure is complicated (/etc/Apache2/httpd.conf 
>> includes /etc/Apache2/default_server.conf and 
>> /etc/Apache2/conf.d/basic_auth.conf... I think?). There's nothing 
>> wrong in principle with using Include but it does lead to complicated 
>> configs where the order and positioning of the Include statements 
>> becomes vitally important. Your "directive having no effect" problem 
>> is typical of a misconfiguration in such a set up. As an exercise, 
>> open up a copy of the main config file in an editor and then, using 
>> cut'n'paste, replace the Includes with the actual contents of the 
>> subsidiary config files. This will produce a single, flat config which 
>> is what apache sees. Read that - does it seem to make sense?
>> Having said that, I believe you have moved the Auth directives into 
>> the main config and they are still apparently ignored.
>>
>> 2) You are still a bit ambiguous about how apache is started... I get 
>> the impression that you routinely start it using "apache2ctl start". 
>> But when you test it to see if the syntax error is reported, you use 
>> "./httpd". Look inside apache2ctl (it is just a shell script) - does 
>> it have a "-f" argument to "httpd"? If so, this is the config file 
>> apache uses. When you start with "./httpd" on the command line, apache 
>> uses a compiled-in path to the config file. To see this, do "./httpd 
>> -V" and check the lines "HTTPD_ROOT" and "SERVER_CONFIG_FILE". Is this 
>> the same as in "apache2ctl"?
>>
>> 3) Could it be that there are two virtual hosts leading to the same 
>> content? Eg, if you set up VH1 and VH2 with the same (or overlapping) 
>> docroots and then put all your Auth directives under VH2, they would 
>> be ignored if the URL actually led to the content via VH1. This could 
>> happen if you screwed up the ServerName in VH2 (because then, apache 
>> serves any unidentified request from VH1 by default)...
>>
>> 4) Do you have a "Satisfy Any" directive anywhere in any config file? 
>> You stated earlier that you didn't understand this directive so it 
>> shouldn't be in use anywhere. If it is, you realise that it switches 
>> off password challenges from "Allowed" users...
>>
>>
>>> I can get it to request a userid and password with AllowOverride 
>>> AuthConfig and using a .htaccess file.
>>
>>
>>
>> This is a definite indication that apache is either not reading the 
>> file containing these directives or the directory block containing 
>> them is not being read when parsing the request (ie, the request is 
>> going through a different VH).
>>
>> As a final thought, just to convince yourself that apache does work as 
>> advertised, make a little hello_world website. Just one file 
>> (index.html) containing "hello world" in one dir (eg 
>> /tmp/hello_world). Config file:
>>
>> /tmp/hw.conf contains:
>>
>> DocumentRoot /tmp/hello_world
>> <Directory /tmp/hello_world>
>>   Allow from all
>> </Directory>
>>
>> (leave everything else as default)
>>
>> and start it with:
>>
>> ./httpd -f /tmp/hw.conf
>>
>> Test it (http://localhost/)
>>
>> Now add the Auth directives to the Directory block above. Does it work 
>> now?
>>
>> Rgds,
>> Owen Boyle
>> Disclaimer: Any disclaimer attached to this message may be ignored.
>>
>>
>>
>>> Which brings me to a followup question ...
>>>
>>> It doesn't like the passwords in the password file. They work fine 
>>> under Apache 1.3 on my ISP's Linux server. I used htpasswd to create 
>>> the passwords.
>>>
>>> Is there a way to force Apache2 to use DES or whatever Apache 1.3 is 
>>> comfortable with?
>>>
>>> Thanks for being there
>>>
>>> Mike
>>>
>>>
>>> Mike Dewhirst wrote:
>>>
>>>> Joshua Slive wrote:
>>>>
>>>>> On 11/12/05, Mike Dewhirst <miked@dewhirst.com.au> wrote:
>>>>>
>>>>>> Does apache2ctl confirm that httpd actually reads that file on startup?
>>>>>
>>>>> Depends on how httpd normally gets started.  If it is started using
>>>>> apache2ctl, then that is a good indication.
>>>>
>>>> OK - on investigation it ain't apachectl. It is httpd. I ran httpd -t
>>>> and it complained about FooBar Nonsense too.
>>>>
>>>> So - we are definitely reading the conf files. That means ...
>>>>
>>>> 1. I'm not reaching the right directory - Yes I am. 100% sure.
>>>>
>>>> 2. Some sort of caching? 100% no way. I've tried four different browsers
>>>> on three different machines.
>>>>
>>>> 3. Apache is reading the conf but ignoring the directive for some reason
>>>>
>>>> What else do I need for Basic Auth to work?
>>>>
>>>> As it happens, I have subversion running via apache on that machine and
>>>> when I access it from a foreign machine it asks me to authenticate. I
>>>> have copied subversion.conf below. Maybe I should copy that?
>>>>
>>>> Modules? I deleted all files in /etc/apache2/sysconfig.d and restarted
>>>> the computer whereupon we got a brand-new loadmodule.conf ...
>>>>
>>>> #
>>>> # Files in this directory are created at apache start time by /usr/sbin/rcapache2.
>>>> # Do not edit them!
>>>> #
>>>>
>>>> # as listed in APACHE_MODULES (/etc/sysconfig/apache2)
>>>>
>>>> LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
>>>> LoadModule actions_module /usr/lib/apache2-prefork/mod_actions.so
>>>> LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
>>>> LoadModule asis_module /usr/lib/apache2-prefork/mod_asis.so
>>>> LoadModule auth_module /usr/lib/apache2-prefork/mod_auth.so
>>>> LoadModule autoindex_module /usr/lib/apache2-prefork/mod_autoindex.so
>>>> LoadModule cgi_module /usr/lib/apache2-prefork/mod_cgi.so
>>>> LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
>>>> LoadModule dav_svn_module                 /usr/lib/apache2/mod_dav_svn.so
>>>> LoadModule authz_svn_module               /usr/lib/apache2/mod_authz_svn.so
>>>> LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
>>>> LoadModule env_module /usr/lib/apache2-prefork/mod_env.so
>>>> LoadModule imap_module /usr/lib/apache2-prefork/mod_imap.so
>>>> LoadModule include_module /usr/lib/apache2-prefork/mod_include.so
>>>> LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
>>>> LoadModule mime_module /usr/lib/apache2-prefork/mod_mime.so
>>>> LoadModule negotiation_module /usr/lib/apache2-prefork/mod_negotiation.so
>>>> LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
>>>> #
>>>>
>>>>
>>>> Here is /etc/apache2/conf.d/subversion.conf
>>>>
>>>> # see /usr/share/doc/packages/subversion for the full documentation
>>>> #
>>>>
>>>> <IfModule mod_dav_svn.c>
>>>>
>>>> ##
>>>> ## project related HTML files
>>>> ##
>>>> <IfModule mod_alias.c>
>>>>  Alias /repos    /srv/svn/html
>>>> </IfModule>
>>>> <Directory /srv/svn/html>
>>>>        Options         Indexes +Multiviews -FollowSymLinks
>>>>        IndexOptions    FancyIndexing \
>>>>                        ScanHTMLTitles \
>>>>                        NameWidth=* \
>>>>                        DescriptionWidth=* \
>>>>                        SuppressLastModified \
>>>>                        SuppressSize
>>>>
>>>>        order allow,deny
>>>>        allow from all
>>>> </Directory>
>>>> <Location /repos>
>>>>   DAV svn
>>>>   SVNParentPath /srv/svn/repos
>>>>   AuthzSVNAccessFile /srv/svn/user_access/access-policy
>>>>   #<moved from LimitExcept>
>>>>   # how to authenticate users
>>>>   AuthType Basic
>>>>   AuthName "repositories"
>>>>   AuthUserFile /srv/svn/user_access/auth-file
>>>>   Require valid-user
>>>>   #</moved from LimitExcept>
>>>>
>>>>   # move 'Require valid-user' to here
>>>>   # to provide public read only access
>>>>   # and require a valid user for GET etc below
>>>>   <LimitExcept GET PROPFIND OPTIONS REPORT>
>>>>      #
>>>>   </LimitExcept>
>>>> </Location>
>>>> </IfModule>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> Joshua.
>>>>>
>>>>>
>>>
>>> ---------------------------------------------------------------------
>>>
>>>>> The official User-To-User support forum of the Apache HTTP Server 
>>>>> Project.
>>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
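
A pre-flight check for the "(2)No such file or directory: Could not open password file" entry in the error_log above, added here as an example and not part of the thread. It pulls each AuthUserFile path out of the config, reports the first path component that does not exist, and flags password files that are writable by group or other; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print the path argument of every active AuthUserFile directive in the
# given config files (commented-out lines are skipped; paths containing
# spaces are not handled).
auth_user_files() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2 }' "$@"
}

# Print the first component of an absolute path that does not exist,
# or nothing when the whole path resolves.
first_missing_component() {
    fm_cur="" fm_ifs=$IFS
    IFS=/; set -f
    for fm_part in $1; do
        [ -n "$fm_part" ] || continue
        fm_cur="$fm_cur/$fm_part"
        [ -e "$fm_cur" ] || { printf '%s\n' "$fm_cur"; break; }
    done
    set +f; IFS=$fm_ifs
}

# Classify one password file. Run as the account httpd runs as, so the
# readability test reflects what the server can actually open.
check_password_file() {
    cp_missing=$(first_missing_component "$1")
    if [ -n "$cp_missing" ]; then
        echo "MISSING $1 (first missing component: $cp_missing)"
    elif [ ! -r "$1" ]; then
        echo "UNREADABLE $1"
    elif [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE-BY-GROUP-OR-OTHER $1"
    else
        echo "OK $1"
    fi
}

# Check every AuthUserFile named in the given config files.
audit_config() {
    auth_user_files "$@" | while IFS= read -r ac_path; do
        check_password_file "$ac_path"
    done
}

# Usage: sh this-script.sh /etc/apache2/httpd.conf /etc/apache2/conf.d/*.conf
[ "$#" -eq 0 ] || audit_config "$@"
```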

