httpd-users mailing list archives

From Nico De Ranter <n...@sonycom.com>
Subject Re: [users@httpd] Requiring authentication for the whole server
Date Thu, 13 Aug 2009 07:33:49 GMT
The folders I'm publishing are not coming from a single source tree on
the filesystem. For instance /www/htdocs is the root of my webserver
while Trac is installed in /raid/trac and the wiki comes
from /raid/wiki.  My understanding is that if I'm using Directory I need
to secure a common root on the filesystem, that would be '/' in this
case. I don't want to use <Directory "/"> as then I would potentially
allow access to my whole filesystem if I make a mistake somewhere else.

I even tried putting the Auth... statements in <Directory "/"> but that
didn't work for me.

Nico

On Thu, 2009-08-13 at 09:49 +1000, Igor Cicimov wrote:
> Good work Nico. Just out of curiosity, why did you use a Location
> statement instead of Directory in your configuration? As far as I know
> Location is used for a file system that doesn't reside on the local
> server (e.g. a proxy server) and Directory in case you want to protect
> a file system that is local to the server. Is your server a proxy?
> 
> Thanks,
> 
> Igor
> 
> On Thu, Aug 13, 2009 at 1:32 AM, Nico De Ranter <nico@sonycom.com> wrote:
>         
>         Found it. I was mixing Location and Directory directives.  The
>         following does exactly what I want:
>         
>         <Location "/">
>                Allow from all
>                AuthzLDAPAuthoritative on
>                AuthBasicProvider ldap
>                AuthName "xxxxxxx"
>                AuthType Basic
>                AuthLDAPBindDN xxxxxxxxxxxxxxxx
>                AuthLDAPBindPassword xxxxxxxxxx
>                AuthLDAPURL xxxxxxxxxxxxxxx
>         
>                Require valid-user
>         </Location>
>         
>         
>         <Location "/protected">
>                Require ldap-group cn=group1,....
>         </Location>
>         
>         <Location "/protected2">
>                Require ldap-group cn=group2,.....
>         </Location>
>         
>         
>         Nico
>         
>         
>         On Wed, 2009-08-12 at 16:47 +0200, Nico De Ranter wrote:
>         > To answer my own questions partially:
>         >
>         > - yes, it's possible to turn on authentication for the whole server by
>         > creating a <Location "/"> section and putting the Auth... statements in
>         > there.  Unfortunately I'm unable to require different types of
>         > authentication in different parts of the site. If I put 'require
>         > valid-user' in '<Location "/">' all valid users can access all parts of
>         > the site even if I put an extra 'require group...' statement in a
>         > specific section. This is clearly not what I want :-(
>         >
>         > - the fact that firefox asks for the password multiple times when
>         > started with multiple pages opened appears to be a firefox issue
>         > indeed
>         >
>         > Nico
>         >
>         > On Wed, 2009-08-12 at 13:42 +0200, Nico De Ranter wrote:
>         > > Hi,
>         > >
>         > > I have an internal apache 2.2 server that serves a number of
>         > > applications (trac, subversion, twiki, ...).  Every application on the
>         > > webserver requires LDAP authentication.  To do this I added
>         > > 'AuthLDAP...' sections to each '<Location>' section in the apache config
>         > > files.  Unfortunately this means:
>         > >   1. my LDAP configuration is scattered all over the config files;
>         > >   2. when I start firefox it asks me for a username and password for every
>         > > page I had open from the same server (not sure whether this is actually
>         > > a firefox issue or due to the separate authentication section per web
>         > > app).
>         > >
>         > > I'd like to change the config of the apache server so it requires a
>         > > valid LDAP authentication for any page you try to use on the server and
>         > > then only add group restrictions per specific web app.  The idea is that
>         > > I have:
>         > >
>         > >     AuthzLDAPAuthoritative off
>         > >         AuthBasicProvider ldap
>         > >         AuthName "Web app server"
>         > >         AuthType Basic
>         > >         AuthLDAPBindDN ...
>         > >         AuthLDAPBindPassword xxxxxxxxxxx
>         > >         AuthLDAPURL "ldaps://ad.mydomain.com:636/ou..."
>         > >
>         > >         Require valid-user
>         > >
>         > > only once in 1 central place and then add:
>         > >
>         > >     Require ldap-group ....
>         > >
>         > > for every section.
>         > >
>         > > The question is:
>         > >   1. will this work?
>         > >   2. where do I put the AuthLDAP... section?
>         > > I figure if I put the AuthLDAP... section in my <Directory
>         > > "/www/htdocs"> section (=root of the webserver) it will only protect the
>         > > static pages in the htdocs directory (e.g. https://server/index.html)
>         > > but it will not protect the web apps (e.g. https://server/trac/mytrac)
>         > > which are actually coming from completely different parts of the
>         > > filesystem, right?
>         > >
>         > >
>         > > I hope this makes sense to anybody :-)
>         > >
>         > >
>         > > Thanks in advance,
>         > >
>         > > Nico
>         > >
>         > >
>         > > ---------------------------------------------------------------------
>         > > The official User-To-User support forum of the Apache HTTP Server Project.
>         > > See <URL:http://httpd.apache.org/userslist.html> for more info.
>         > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>         > >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
>         > > For additional commands, e-mail: users-help@httpd.apache.org
>         
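As an added illustration (not code from this thread or from httpd itself), here is a small Python model of the merge behaviour Nico's working configuration relies on: a child `<Location>`'s own `Require` lines replace the inherited ones while the `Auth*` settings are inherited, and, as a constructed contrast, what happens in 2.2 when `valid-user` and `ldap-group` end up in the same section, where multiple `Require` lines are OR'd. The Location matching rule, the group DNs and the config text are assumptions made for the example.

```python
import re
# Constructed config shaped like Nico's working one (placeholder group DNs).
CONFIG = '''
<Location "/">
    AuthType Basic
    Require valid-user
</Location>
<Location "/protected">
    Require ldap-group cn=group1,ou=groups,dc=example,dc=com
</Location>
'''
# Constructed pitfall: both Require lines in ONE section; 2.2 ORs them.
MISTAKE = '''
<Location "/protected">
    Require valid-user
    Require ldap-group cn=group1,ou=groups,dc=example,dc=com
</Location>
'''
SECTION_RE = re.compile(r'<Location\s+"?([^">\s]+)"?>(.*?)</Location>', re.S)
def parse_locations(text):
    """Return [(path, {directive: [args, ...]})] in configuration order."""
    sections = []
    for path, body in SECTION_RE.findall(text):
        directives = {}
        for line in filter(str.strip, body.splitlines()):
            name, _, args = line.strip().partition(" ")
            directives.setdefault(name, []).append(args.strip())
        sections.append((path, directives))
    return sections

def matches(loc, path):
    """Assumed rule: exact match, or loc is a directory prefix of path."""
    return path == loc or path.startswith(loc.rstrip("/") + "/")

def effective(sections, path):
    """Merge matching sections in config order: a child's own directives
    (its Require list included) replace the parent's; the rest inherit."""
    merged = {}
    for loc, directives in sections:
        if matches(loc, path):
            merged.update(directives)
    return merged

def allowed(sections, path, user, groups):
    """Authorization only; assumes the user has already authenticated."""
    for req in effective(sections, path).get("Require", []):
        kind, _, value = req.partition(" ")
        if (kind == "valid-user" and user) or (kind == "ldap-group" and value in groups):
            return True
    return False
```

With `CONFIG`, `/trac/mytrac` needs only a valid user, `/protected` needs membership of group1, and the `AuthType` from `/` is still in effect under `/protected`; with `MISTAKE`, any valid user passes the group-restricted section.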