httpd-users mailing list archives
From Frank Gingras <francois.ging...@gmail.com>
Subject Re: [users@httpd] How to check for REMOTE_USER using mod_auth_mysql
Date Tue, 06 Sep 2011 14:12:31 GMT


On 09/06/2011 07:32 AM, Bart Jansen wrote:
> Hi,
>
> I am having some problems with my apache VirtualHost configuration and
> hopefully somebody can help me out.
>
> System:
> - Apache/2.2.9 (Debian)
> - We use mod_auth_mysql for user authentication.
> - most requests are passed to Zope application framework
> - requests to /docs/ are mapped to the file system /var/www/sub (as an
> example)
>
> We serve multiple subdomains using a name based virtual hosting
> configuration. For file uploads I would like to use the PUT request
> method (using javascript XMLHttpRequest) using mod_dav to write directly
> to the file system (no high memory usage when uploading gigabytes). This
> is working OK, no problems there.
>
> However I would like to prevent (as a server administrator) anonymous
> users from being able to upload files this way. Because webmasters of
> subdomains have access to .htaccess files, and they must be allowed to
> override any require valid-user rules, just adding
>     <Limit PUT>require valid-user</Limit>
> is not enough. I want to prevent local webmasters from accidentally
> creating a security issue.
>
> My approach to limit the access to the PUT request to authenticated
> users was to add the following rewrite rules to the <VirtualHost>:
>     # set response header for debugging purposes
>     RewriteRule . - [E=RU:%{REMOTE_USER}]
>     Header add X_my_userss %{RU}e
>     # check if user is not authenticated and method == PUT, then forbid request
>     RewriteCond %{LA-U:REMOTE_USER} ^$
>     RewriteCond %{REQUEST_METHOD} =PUT
>     RewriteRule ^/(.*) - [F]
>
> But the REMOTE_USER variable seems to be "(null)" at every request (have
> checked this by adding a custom header with this value to the response),
> although HTTP Basic Authentication headers are provided by the browser,
> and the user is granted access to restricted resources. Also for
> anonymous access this variable is "(null)".
>
> I have tried this code inside the VirtualHost directive directly, but
> also inside the <Directory> context inside this VirtualHost. Both to no
> avail. I have also tried using %{REMOTE_USER} instead of %{LA-U:REMOTE_USER}.
>
> I think that maybe this problem is caused by the usage of
> mod_auth_mysql? Does that not allow for look-ahead REMOTE_USER checks?
>
> A somewhat simplified version of the VirtualHost can be found below.
>
> ===============================================
> <VirtualHost *:443>
> ServerName sub.example.com
> ServerAlias www.sub.example.com
>
> DocumentRoot /var/www/sub
> <Directory /var/www/sub/>
> Options -Indexes +FollowSymLinks +MultiViews
> DirectorySlash On
> AllowOverride All
> Order allow,deny
> Allow from all
> AuthName "Zope"
> AuthType Basic
> AuthUserFile /dev/null
> AuthBasicAuthoritative Off
> Require valid-user
>
> AuthMYSQL on
> AuthMySQL_Authoritative on
> AuthMySQL_Empty_Passwords off
> AuthMySQL_DB **
> AuthMySQL_Password_Table **
> AuthMySQL_Username_Field **
> AuthMySQL_Password_Field **
> AuthMySQL_Group_Table **
> AuthMySQL_Group_Field **
> AuthMySQL_Encryption_Types **
> </Directory>
>
> SSLEngine on
>
> RewriteEngine on
>
> # download files from apache in the 'docs' directory
> RewriteRule ^/docs/(.*) /var/www/sub/$1 [L]
>
> # pass requests to Zope
> RewriteRule ^/(.*) http://localhost:%{ZOPE_PORT}/VirtualHostBase/https/sub.example.com:443/sub/VirtualHostRoot/$1 [L,P]
> </VirtualHost>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

You should use mod_authn_dbd instead:

http://httpd.apache.org/docs/current/mod/mod_authn_dbd.html

mod_auth_mysql has been dead for quite some time.

Frank

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
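Worked configuration, added here as an illustration and not taken from either message in the thread. It combines Frank's suggestion (mod_authn_dbd as the Basic-auth provider) with the part of Bart's question that mod_rewrite cannot solve cleanly: in server/virtual-host context mod_rewrite runs during URI translation, before the authentication phase, so REMOTE_USER is not yet set there. The lever the server administrator actually has is AllowOverride: as long as .htaccess is not granted AuthConfig or Limit, a subdomain webmaster cannot replace or wrap the server-level Require, so the PUT restriction can live in httpd.conf where it belongs. Host name, database name, table and column names, DBD credentials and pool sizes are placeholders chosen for this example; mod_dbd, mod_authn_dbd, mod_auth_basic, mod_dav and mod_dav_fs (plus the apr_dbd MySQL driver) are assumed to be loaded.

```apache
# Added example (not part of the original thread). Placeholder values:
# httpd_auth, users, username, password, httpd_ro and the host names.

# Server-wide: one pooled connection to the account database (mod_dbd).
DBDriver    mysql
DBDParams   "host=localhost,dbname=httpd_auth,user=httpd_ro,pass=REPLACE_ME"
DBDMin      2
DBDKeep     4
DBDMax      10
DBDExptime  300

<VirtualHost *:443>
    ServerName   sub.example.com
    ServerAlias  www.sub.example.com
    SSLEngine    on
    DocumentRoot /var/www/sub

    <Directory /var/www/sub/>
        Options -Indexes +FollowSymLinks +MultiViews
        DirectorySlash On

        # Deliberately NOT "All": with AuthConfig a per-directory .htaccess
        # could replace the Require below, and with Limit it could wrap the
        # rules in its own <Limit>/<LimitExcept>. Leaving both out is what
        # keeps the PUT restriction in the administrator's hands.
        AllowOverride FileInfo Indexes Options

        Order allow,deny
        Allow from all

        # Uploads are written straight to disk by mod_dav, as in the
        # original setup.
        Dav On

        # Basic auth against the database via mod_authn_dbd. The %s is
        # replaced with the user name supplied by the client; the column
        # must hold a password hash that apr_password_validate() accepts
        # (apr1 MD5, "{SHA}..." or crypt), not a plaintext password.
        AuthType          Basic
        AuthName          "Zope"
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"

        # Anything that is not a plain read (PUT, DELETE, MKCOL, MOVE,
        # PROPPATCH, LOCK, ...) requires a valid account. Anonymous GET/HEAD
        # still works for public downloads under /docs/.
        <LimitExcept GET HEAD OPTIONS>
            Require valid-user
        </LimitExcept>
    </Directory>
</VirtualHost>
```

Two caveats when adapting this. A <Directory> block only governs requests that map onto the filesystem; requests that the RewriteRule [P] hands to Zope never pass through it, so the same Require has to be repeated in a <Location> or <Proxy> block if those paths need it too. And because Basic credentials travel in the clear, the vhost must stay HTTPS-only, which the original configuration already did.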

