httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Dewhirst <mi...@dewhirst.com.au>
Subject Re: [users@httpd] [SOLVED] basic auth config
Date Thu, 17 Nov 2005 04:02:38 GMT
Mike Dewhirst wrote:
> Mike Dewhirst wrote:
> 
>> Boyle Owen wrote:
>>
>>>> -----Original Message-----
>>>> From: Mike Dewhirst [mailto:miked@dewhirst.com.au]
> 
> <snip>
> 
>>> Some people are convinced the Earth is flat but that don't make it so 
>>> :-) By far the most likely reason for your problem still is that 
>>> apache is misconfigured.

My deepest most dyslexic apologies for wasting your bandwidth. The error 
log gave me the answer /svr/... is not /srv/...

Sorry one and all

Mike

> 
> 
> You are still right and I am up a gum tree.
> 
> I can edit my Basic Auth entry realm and see it change in the userid 
> dialog in the browser so I at least know SuSE Linux 9.1, Apache 2.0.53 
> is reading what I write. However none of my password attempts work. I 
> even started a spurious thread (sorry!) before checking the error_log.
> 
> httpd -t returns Syntax OK
> 
> Here are some relevant error_log entries ...
> 
> [Thu Nov 17 11:02:37 2005] [error] [client 192.168.0.29] Could not fetch 
> resource information.  [301, #0]
> [Thu Nov 17 11:02:37 2005] [error] [client 192.168.0.29] (84)Invalid or 
> incomplete multibyte or wide character: Requests for a collection must 
> have a trailing slash on the URI.  [301, #0]
> 
> This was another machine which I used to access one of the subversion 
> repositories successfully. I didn't know it produced these errors until 
> I checked for the basic auth errors below!
> 
> <error_log>
> 
> [Thu Nov 17 11:14:27 2005] [error] [client 192.168.0.38] (2)No such file 
> or directory: Could not open password file: 
> /svr/www/data/pwl/academics/memb
> [Thu Nov 17 11:14:27 2005] [error] [client 192.168.0.38] user miked not 
> found: /auth/mcfs/
> 
> </error_log>
> 
> That /svr/www/data/pwl/academics/memb password file definitely exists 
> and all the permissions are OK (775) and owner of every directory in 
> that path and the memb file itself is wwwrun.www
> 
> The Basic Auth config is as follows ...
> 
> #
> <IfModule mod_alias.c>
>     Alias /auth/mcfs    /srv/www/htdocs/auth/mcfs
> </IfModule>
> #
> <Directory /srv/www/htdocs/auth/mcfs>
>     Order allow,deny
>     Allow from all
> </Directory>
> #
> <Location /auth/mcfs>
>     AuthType Basic
>     AuthName "Academics"
>     AuthUserFile /svr/www/data/pwl/academics/memb
>     Require valid-user
> </Location>
> #
> 
> Here are the modules apache loads from 
> /etc/apache2/sysconfig.d/loadmodule.conf ...
> 
> #
> # Files in this directory are created at apache start time by 
> /usr/sbin/rcapache2.
> # Do not edit them!
> #
> 
> # as listed in APACHE_MODULES (/etc/sysconfig/apache2)
> 
> LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
> LoadModule actions_module /usr/lib/apache2-prefork/mod_actions.so
> LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
> LoadModule asis_module /usr/lib/apache2-prefork/mod_asis.so
> LoadModule auth_module /usr/lib/apache2-prefork/mod_auth.so
> LoadModule autoindex_module /usr/lib/apache2-prefork/mod_autoindex.so
> LoadModule cgi_module /usr/lib/apache2-prefork/mod_cgi.so
> LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
> LoadModule dav_svn_module                 /usr/lib/apache2/mod_dav_svn.so
> LoadModule authz_svn_module               /usr/lib/apache2/mod_authz_svn.so
> LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
> LoadModule env_module /usr/lib/apache2-prefork/mod_env.so
> LoadModule imap_module /usr/lib/apache2-prefork/mod_imap.so
> LoadModule include_module /usr/lib/apache2-prefork/mod_include.so
> LoadModule log_config_module /usr/lib/apache2-prefork/mod_log_config.so
> LoadModule mime_module /usr/lib/apache2-prefork/mod_mime.so
> LoadModule negotiation_module /usr/lib/apache2-prefork/mod_negotiation.so
> LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
> LoadModule status_module /usr/lib/apache2-prefork/mod_status.so
> #
> 
> As previously indicated, subversion is working perfectly with this 
> configuration. It calls for a Basic Auth userid and password which work 
> fine and generously let me see the contents of the repositories despite 
> the errors shown in the log. However, as you can see, passwords are 
> stored elsewhere. Here is the working subversion.conf ...
> 
> # subversion
> # see /usr/share/doc/packages/subversion for the full documentation
> #
> <IfModule mod_dav_svn.c>
>     <IfModule mod_alias.c>
>         Alias /repos    /srv/svn/html
>     </IfModule>
> #
>     <Directory /srv/svn/html>
>         Options         Indexes +Multiviews -FollowSymLinks
>         IndexOptions    FancyIndexing \
>                         ScanHTMLTitles \
>                         NameWidth=* \
>                         DescriptionWidth=* \
>                         SuppressLastModified \
>                         SuppressSize
>         Order allow,deny
>         Allow from all
>     </Directory>
> #
>     <Location /repos>
>         DAV svn
>         SVNParentPath /srv/svn/repos
>         # Require SSL connection for password protection.
>         # SSLRequireSSL
>         AuthType Basic
>         AuthName "repositories"
>         AuthUserFile /srv/svn/user_access/auth-file
>         AuthzSVNAccessFile /srv/svn/user_access/access-policy
>         Require valid-user
>     </Location>
> </IfModule>
> #
> 
> I really appreciate your help.
> 
> Thanks
> 
> Mike
> 
> 
> 
> 
>>
>>>
>>> I have a couple of points you might like to consider:
>>>
>>> 1) Your config structure is complicated (/etc/Apache2/httpd.conf 
>>> includes /etc/Apache2/default_server.conf and 
>>> /etc/Apache2/conf.d/basic_auth.conf... I think?). There's nothing 
>>> wrong in principle with using Include but it does lead to complicated 
>>> configs where the order and positioning of the Include statements 
>>> becomes vitally important. Your "directive having no effect" problem 
>>> is typical of a misconfiguration in such a set up. As an exercise, 
>>> open up a copy of the main config file in an editor and then, using 
>>> cut'n'paste, replace the Includes with the actual contents of the 
>>> subsidiary config files. This will produce a single, flat config 
>>> which is what apache sees. Read that - does it seem to make sense?
>>> Having said that, I believe you have moved the Auth directives into 
>>> the main config and they are still apparently ignored.
>>>
>>> 2) You are still a bit ambiguous about how apache is started... I get 
>>> the impression that you routinely start it using "apache2ctl start". 
>>> But when you test it to see if the syntax error is reported, you use 
>>> "./httpd". Look inside apache2ctl (it is just a shell script) - does 
>>> it have a "-f" argument to "httpd"? If so, this is the config file 
>>> apache uses. When you start with "./httpd" on the command line, 
>>> apache uses a compiled-in path to the config file. To see this, do 
>>> "./httpd -V" and check the lines "HTTPD_ROOT" and 
>>> "SERVER_CONFIG_FILE". Is this the same as in "apache2ctl"?
>>>
>>> 3) Could it be that there are two virtual hosts leading to the same 
>>> content? Eg, if you set up VH1 and VH2 with the same (or overlapping) 
>>> docroots and then put all your Auth directives under VH2, they would 
>>> be ignored if the URL actually led to the content via VH1. This could 
>>> happen if you screwed up the ServerName in VH2 (because then, apache 
>>> serves any unidentified request from VH1 by default)...
>>>
>>> 4) Do you have a "Satisfy Any" directive anywhere in any config file? 
>>> You stated earlier that you didn't understand this directive so it 
>>> shouldn't be in use anywhere. If it is, you realise that it switches 
>>> off password challenges from "Allowed" users...
>>>
>>>
>>>> I can get it to request a userid and password with AllowOverride 
>>>> AuthConfig and using a .htaccess file.
>>>
>>>
>>>
>>>
>>> This is a definate indication that apache is either not reading the 
>>> file containing these directives or the directory block containing 
>>> them is not being read when parsing the request (ie, the request is 
>>> going through a different VH).
>>>
>>> As a final thought, just to convince yourself that apache does work 
>>> as advertised, make a little hello_world website. Just one file 
>>> (index.html) containing "hello world" in one dir (eg 
>>> /tmp/hello_world). Config file:
>>>
>>> /tmp/hw.conf contains:
>>>
>>> DocumentRoot /tmp/hello_world
>>> <Directory /tmp/hello_world>
>>>   Allow from all
>>> </Directory>
>>>
>>> (leave everything else as default)
>>>
>>> and start it with:
>>>
>>> ./httpd -f /tmp/hw.conf
>>>
>>> Test it (http://localhost/)
>>>
>>> Now add the Auth directives to the Directory block above. Does it 
>>> work now?
>>>
>>> Rgds,
>>> Owen Boyle
>>> Disclaimer: Any disclaimer attached to this message may be ignored.
>>>
>>>
>>>
>>>> Which brings me to a followup question ...
>>>>
>>>> It doesn't like the passwords in the password file. They work fine 
>>>> under Apache 1.3 on my ISP's Linux server. I used htpasswd to create 
>>>> the passwords.
>>>>
>>>> Is there way to force Apache2 to use DES or whatever Apache 1.3 is 
>>>> comfortable with?
>>>>
>>>> Thanks for being there
>>>>
>>>> Mike
>>>>
>>>>
>>>> Mike Dewhirst wrote:
>>>>
>>>>> Joshua Slive wrote:
>>>>>
>>>>>
>>>>>> On 11/12/05, Mike Dewhirst <miked@dewhirst.com.au> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Does apache2ctl confirm that httpd actually reads that 
>>>>
>>>>
>>>>
>>>> file on startup?
>>>>
>>>>>>
>>>>>>
>>>>>> Depends on how httpd normally gets started.  If it is started using
>>>>>> apache2ctl, then that is a good indication.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> OK - on investigation it ain't apachectl. It is httpd. I 
>>>>
>>>>
>>>>
>>>> ran httpd -t
>>>>
>>>>> and it complained about FooBar Nonsense too.
>>>>>
>>>>> So - we are definitely reading the conf files. That means ...
>>>>>
>>>>> 1. I'm not reaching the right directory - Yes I am. 100% sure.
>>>>>
>>>>> 2. Some sort of caching? 100% no way. I've tried four 
>>>>
>>>>
>>>>
>>>> different browsers
>>>>
>>>>> on three different machines.
>>>>>
>>>>> 3. Apache is reading the conf but ignoring the directive 
>>>>
>>>>
>>>>
>>>> for some reason
>>>>
>>>>> What else do I need for Basic Auth to work?
>>>>>
>>>>> As it happens, I have subversion running via apache on that 
>>>>
>>>>
>>>>
>>>> machine and
>>>>
>>>>> when I access it from a foreign machine it asks me to 
>>>>
>>>>
>>>>
>>>> authenticate. I
>>>>
>>>>> have copied subversion.conf below. Maybe I should copy that?
>>>>>
>>>>> Modules? I deleted all files in /etc/apache2/sysconfig.d 
>>>>
>>>>
>>>>
>>>> and restarted
>>>>
>>>>> the computer whereupon we got a brand-new loadmodule.conf ...
>>>>>
>>>>> #
>>>>> # Files in this directory are created at apache start time by 
>>>>> /usr/sbin/rcapache2.
>>>>> # Do not edit them!
>>>>> #
>>>>>
>>>>> # as listed in APACHE_MODULES (/etc/sysconfig/apache2)
>>>>>
>>>>> LoadModule access_module /usr/lib/apache2-prefork/mod_access.so
>>>>> LoadModule actions_module /usr/lib/apache2-prefork/mod_actions.so
>>>>> LoadModule alias_module /usr/lib/apache2-prefork/mod_alias.so
>>>>> LoadModule asis_module /usr/lib/apache2-prefork/mod_asis.so
>>>>> LoadModule auth_module /usr/lib/apache2-prefork/mod_auth.so
>>>>> LoadModule autoindex_module 
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2-prefork/mod_autoindex.so
>>>>
>>>>> LoadModule cgi_module /usr/lib/apache2-prefork/mod_cgi.so
>>>>> LoadModule dav_module /usr/lib/apache2-prefork/mod_dav.so
>>>>> LoadModule dav_svn_module                 
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2/mod_dav_svn.so
>>>>
>>>>> LoadModule authz_svn_module               
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2/mod_authz_svn.so
>>>>
>>>>> LoadModule dir_module /usr/lib/apache2-prefork/mod_dir.so
>>>>> LoadModule env_module /usr/lib/apache2-prefork/mod_env.so
>>>>> LoadModule imap_module /usr/lib/apache2-prefork/mod_imap.so
>>>>> LoadModule include_module /usr/lib/apache2-prefork/mod_include.so
>>>>> LoadModule log_config_module 
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2-prefork/mod_log_config.so
>>>>
>>>>> LoadModule mime_module /usr/lib/apache2-prefork/mod_mime.so
>>>>> LoadModule negotiation_module 
>>>>
>>>>
>>>>
>>>> /usr/lib/apache2-prefork/mod_negotiation.so
>>>>
>>>>> LoadModule setenvif_module /usr/lib/apache2-prefork/mod_setenvif.so
>>>>> #
>>>>>
>>>>>
>>>>> Here is /etc/apache2/conf.d/subversion.conf
>>>>>
>>>>> # see /usr/share/doc/packages/subversion for the full documentation
>>>>> #
>>>>>
>>>>> <IfModule mod_dav_svn.c>
>>>>>
>>>>> ##
>>>>> ## project related HTML files
>>>>> ##
>>>>> <IfModule mod_alias.c>
>>>>>  Alias /repos    /srv/svn/html
>>>>> </IfModule>
>>>>> <Directory /srv/svn/html>
>>>>>        Options         Indexes +Multiviews -FollowSymLinks
>>>>>        IndexOptions    FancyIndexing \
>>>>>                        ScanHTMLTitles \
>>>>>                        NameWidth=* \
>>>>>                        DescriptionWidth=* \
>>>>>                        SuppressLastModified \
>>>>>                        SuppressSize
>>>>>
>>>>>        order allow,deny
>>>>>        allow from all
>>>>> </Directory>
>>>>> <Location /repos>
>>>>>   DAV svn
>>>>>   SVNParentPath /srv/svn/repos
>>>>>   AuthzSVNAccessFile /srv/svn/user_access/access-policy
>>>>>   #<moved from LimitExcept>
>>>>>   # how to authenticate users
>>>>>   AuthType Basic
>>>>>   AuthName "repositories"
>>>>>   AuthUserFile /srv/svn/user_access/auth-file
>>>>>   Require valid-user
>>>>>   #</moved from LimitExcept>
>>>>>
>>>>>   # move 'Require valid-user' to here
>>>>>   # to provide public read only access
>>>>>   # and require a valid user for GET etc below
>>>>>   <LimitExcept GET PROPFIND OPTIONS REPORT>
>>>>>      #
>>>>>   </LimitExcept>
>>>>> </Location>
>>>>> </IfModule>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Joshua.
>>>>>>
>>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>>
>>>>>> The official User-To-User support forum of the Apache HTTP Server

>>>>>> Project.
>>>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>> ---------------------------------------------------------------------
>>>>
>>>>> The official User-To-User support forum of the Apache HTTP 
>>>>
>>>>
>>>>
>>>> Server Project.
>>>>
>>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> The official User-To-User support forum of the Apache HTTP Server 
>>>> Project.
>>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>>
>>>>
>>>
>>> Diese E-mail ist eine private und persönliche Kommunikation. Sie hat 
>>> keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This 
>>> e-mail is of a private and personal nature. It is not related to the 
>>> exchange or business activities of the SWX Group. Le présent e-mail 
>>> est un message privé et personnel, sans rapport avec l'activité 
>>> boursière du Groupe SWX.
>>>  
>>>  
>>> This message is for the named person's use only. It may contain 
>>> confidential, proprietary or legally privileged information. No 
>>> confidentiality or privilege is waived or lost by any 
>>> mistransmission. If you receive this message in error, please notify 
>>> the sender urgently and then immediately delete the message and any 
>>> copies of it from your system. Please also immediately destroy any 
>>> hardcopies of the message. You must not, directly or indirectly, use, 
>>> disclose, distribute, print, or copy any part of this message if you 
>>> are not the intended recipient. The sender's company reserves the 
>>> right to monitor all e-mail communications through their networks. 
>>> Any views expressed in this message are those of the individual 
>>> sender, except where the message states otherwise and the sender is 
>>> authorised to state them to be the views of the sender's company.
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server 
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server 
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>>
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message