httpd-users mailing list archives

From Jeroen Geilman <jer...@adaptr.nl>
Subject Re: [users@httpd] htaccess hell
Date Wed, 15 Jun 2011 19:22:28 GMT
On 06/15/2011 08:56 PM, Ian Zimmerman wrote:
> I (or rather my distro) enabled userdir as follows:
>
> LoadModule userdir_module /usr/lib/apache2/modules/mod_userdir.so
>
> <IfModule mod_userdir.c>

urgh

>          UserDir public_html
>          UserDir disabled root
>
>          <Directory /home/*/public_html>
>                  AllowOverride FileInfo AuthConfig Limit Indexes

Don't allow Limit overrides here.

>                  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
>                  <Limit GET POST OPTIONS>
>                          Order allow,deny
>                          Allow from all
>                  </Limit>
>                  <LimitExcept GET POST OPTIONS>
>                          Order deny,allow
>                          Deny from all
>                  </LimitExcept>

Exactly the same thing twice. Use LimitExcept.

>          </Directory>
> </IfModule>
>
> Document root is configured as follows:
>
>          <Location />

No. Nonononononononono.

A DocumentRoot MUST point to a physical filesystem <Directory>.

>                  Options Indexes FollowSymLinks MultiViews
>                  AuthType Basic
>                  AuthName "Root Realm"
>                  AuthBasicProvider file
>                  AuthUserFile /etc/apache2/passwd
>                  Require valid-user
>                  Order allow,deny
>                  allow from all
>          </Location>
>
> Now, I try to override the auth settings in a subtree of my
> ~/public_html by putting a .htaccess file there, which reads as follows:
>

Authentication SHOULD always be done on physical files if possible.
This prevents people bypassing it by using an alternate URL.


> AuthType Basic
> AuthName "My Personal Space"
> AuthUserFile /etc/apache2/passwd
> Require User itz
>
> Yet, no matter how many hairs I pull, when I GET anything under that
> subtree, I'm asked to authenticate for "Root Realm".
>

Fix the above first; it will be obvious then.


> I know that the .htaccess file is getting read, because when I drop
> garbage there I get a server error upon loading that page.  So somehow
> the AuthName directive in the .htaccess is getting ignored.  Why??
> AllowOverride seems to allow it.
>
> Version info:
>
>   [8]ahiker:~$ dpkg --status apache2
> Package: apache2
> Status: install ok installed
> Priority: optional
> Section: httpd
> Installed-Size: 36
> Maintainer: Debian Apache Maintainers<debian-apache@lists.debian.org>
> Architecture: i386
> Version: 2.2.16-6+squeeze1
>


-- 
J.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
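
The changes suggested in the reply above, applied to the quoted configuration as an added example (not part of the original message). Apache merges `<Location>` sections after `<Directory>` sections and .htaccess files, so the `<Location />` realm replaced whatever the .htaccess set. The DocumentRoot path `/var/www` is an assumption, since the thread does not state it, and repeating the default realm on the user directories is a choice made here so they stay protected once `<Location />` is gone.

```apache
# Apache 2.2 syntax, matching the 2.2.16 package quoted in the thread.
# Assumption: the document root is /var/www (not stated in the thread).
DocumentRoot /var/www

# Site-wide auth bound to the filesystem path instead of <Location />.
# <Directory> and .htaccess are merged first and <Location> last, so auth
# placed in <Location /> overrides every .htaccess beneath it.
<Directory /var/www>
    Options Indexes FollowSymLinks MultiViews
    AuthType Basic
    AuthName "Root Realm"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/passwd
    Require valid-user
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled root

    <Directory /home/*/public_html>
        # Limit dropped: users can no longer set Order/Allow/Deny themselves.
        # AuthConfig stays, so a .htaccess may replace the realm below.
        AllowOverride FileInfo AuthConfig Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

        # Default realm for user directories (added here as an assumption;
        # without it these paths would be unauthenticated after the change).
        AuthType Basic
        AuthName "Root Realm"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/passwd
        Require valid-user

        # A single block is enough: every method not listed is refused.
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
</IfModule>
```

Check the result with `apache2ctl configtest` before reloading, then request a file under the .htaccess-protected subtree and confirm the prompt shows the realm set in that .htaccess.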

