httpd-users mailing list archives

From Bart Jansen <bart.jan...@esac.climbing.nl>
Subject [users@httpd] How to check for REMOTE_USER using mod_auth_mysql
Date Tue, 06 Sep 2011 11:32:41 GMT
Hi,

I am having some problems with my apache VirtualHost configuration and 
hopefully somebody can help me out.

System:
- Apache/2.2.9 (Debian)
- We use mod_auth_mysql for user authentication.
- most requests are passed to the Zope application framework
- requests to /docs/ are mapped to the file system /var/www/sub (as an 
example)

We serve multiple subdomains using a name based virtual hosting 
configuration. For file uploads I would like to use the PUT request 
method (using javascript XMLHttpRequest) using mod_dav to write directly 
to the file system (no high memory usage when uploading gigabytes). This 
is working OK, no problems there.

However, I would like to prevent (as a server administrator) anonymous 
users from being able to upload files this way. Because webmasters of 
subdomains have access to .htaccess files, and they must be allowed to 
override any require valid-user rules, just adding
 > <Limit PUT>require valid-user</Limit>
is not enough. I want to prevent local webmasters from accidentally 
creating a security issue.

My approach to limit the access to the PUT request to authenticated 
users was to add the following rewrite rules to the <VirtualHost>:
 > # set response header for debugging purposes
 > RewriteRule . - [E=RU:%{REMOTE_USER}]
 > Header add X_my_userss %{RU}e
 > # check if user is not authenticated and method == PUT, then forbid request
 > RewriteCond %{LA-U:REMOTE_USER} ^$
 > RewriteCond %{REQUEST_METHOD} =PUT
 > RewriteRule ^/(.*) - [F]

But the REMOTE_USER variable seems to be "(null)" at every request (I have 
checked this by adding a custom header with this value to the response), 
although HTTP Basic Authentication headers are provided by the browser, 
and the user is granted access to restricted resources. For 
anonymous access this variable is also "(null)".

I have tried this code directly inside the VirtualHost directive, but 
also inside the <Directory> context inside this VirtualHost, both to no 
avail. I have also tried using %{REMOTE_USER} instead of %{LA-U:REMOTE_USER}.

I think that maybe this problem is caused by the usage of 
mod_auth_mysql? Does that not allow for look-ahead REMOTE_USER checks?

A somewhat simplified version of the VirtualHost can be found below.

===============================================
<VirtualHost *:443>
         ServerName sub.example.com
         ServerAlias www.sub.example.com

         DocumentRoot /var/www/sub
         <Directory /var/www/sub/>
                 Options -Indexes +FollowSymLinks +MultiViews
                 DirectorySlash On
                 AllowOverride All
                 Order allow,deny
                 Allow from all
                 AuthName "Zope"
                 AuthType Basic
                 AuthUserFile /dev/null
                 AuthBasicAuthoritative Off
                 Require valid-user

                 AuthMYSQL on
                 AuthMySQL_Authoritative on
                 AuthMySQL_Empty_Passwords off
                 AuthMySQL_DB **
                 AuthMySQL_Password_Table **
                 AuthMySQL_Username_Field **
                 AuthMySQL_Password_Field **
                 AuthMySQL_Group_Table **
                 AuthMySQL_Group_Field **
                 AuthMySQL_Encryption_Types **
         </Directory>

         SSLEngine on

         RewriteEngine on

         # download files from apache in the 'docs' directory
         RewriteRule ^/docs/(.*) /var/www/sub/$1 [L]

         # pass requests to Zope
         RewriteRule ^/(.*) http://localhost:%{ZOPE_PORT}/VirtualHostBase/https/sub.example.com:443/sub/VirtualHostRoot/$1 [L,P]
</VirtualHost>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.