httpd-users mailing list archives

From Bart Jansen <bart.jan...@esac.climbing.nl>
Subject Re: [users@httpd] How to check for REMOTE_USER using mod_auth_mysql
Date Tue, 06 Sep 2011 19:40:47 GMT
Frank, thanks for your help. I will look into mod_authn_dbd.

Regards,
Bart

PS. My first mail was a bit blunt (my name wasn't even there), but the
mail got accidentally sent before it was finished and I did not want to
spam the list again.

On 06-09-11 16:12, Frank Gingras wrote:
>
>
> On 09/06/2011 07:32 AM, Bart Jansen wrote:
>> Hi,
>>
>> I am having some problems with my apache VirtualHost configuration and
>> hopefully somebody can help me out.
>>
>> System:
>> - Apache/2.2.9 (Debian)
>> - We use mod_auth_mysql for user authentication.
>> - most requests are passed to Zope application framework
>> - requests to /docs/ are mapped to the file system /var/www/sub (as an
>> example)
>>
>> We serve multiple subdomains using a name based virtual hosting
>> configuration. For file uploads I would like to use the PUT request
>> method (using javascript XMLHttpRequest) using mod_dav to write directly
>> to the file system (no high memory usage when uploading gigabytes). This
>> is working OK, no problems there.
>>
>> However I would like to prevent (as a server administrator) anonymous
>> users to be able to upload files this way. Because webmasters of
>> subdomains have access to .htaccess files, and they must be allowed to
>> override any require valid-user rules, just adding
>> > <Limit PUT>require valid-user</Limit>
>> is not enough. I want to prevent local webmasters from accidentally
>> creating a security issue.
>>
>> My approach to limit the access to the PUT request to authenticated
>> users was to add the following rewrite rules to the <VirtualHost>:
>> > # set response header for debugging purposes
>> > RewriteRule . - [E=RU:%{REMOTE_USER}]
>> > Header add X_my_userss %{RU}e
>> > # check if user is not authenticated and method == PUT, then forbid
>> request
>> > RewriteCond %{LA-U:REMOTE_USER} ^$
>> > RewriteCond %{REQUEST_METHOD} =PUT
>> > RewriteRule ^/(.*) - [F]
>>
>> But the REMOTE_USER variable seems to be "(null)" at every request (have
>> checked this by adding a custom header with this value to the response),
>> although HTTP Basic Authentication headers are provided by the browser,
>> and the user is granted access to restricted resources. Also for
>> anonymous access this variable is "(null)".
>>
>> I have tried this code inside the VirtualHost directive directly, but
>> also inside the <Directory> context inside this VirtualHost. Both to no
>> avail. Also have tried using %{REMOTE_USER} instead of
>> %{LA-U:REMOTE_USER}.
>>
>> I think that maybe this problem is caused by the usage of
>> mod_auth_mysql? Does that not allow for look-ahead REMOTE_USER checks?
>>
>> A somewhat simplified version of the VirtualHost can be found below.
>>
>> ===============================================
>> <VirtualHost *:443>
>> ServerName sub.example.com
>> ServerAlias www.sub.example.com
>>
>> DocumentRoot /var/www/sub
>> <Directory /var/www/sub/>
>> Options -Indexes +FollowSymLinks +MultiViews
>> DirectorySlash On
>> AllowOverride All
>> Order allow,deny
>> Allow from all
>> AuthName "Zope"
>> AuthType Basic
>> AuthUserFile /dev/null
>> AuthBasicAuthoritative Off
>> Require valid-user
>>
>> AuthMYSQL on
>> AuthMySQL_Authoritative on
>> AuthMySQL_Empty_Passwords off
>> AuthMySQL_DB **
>> AuthMySQL_Password_Table **
>> AuthMySQL_Username_Field **
>> AuthMySQL_Password_Field **
>> AuthMySQL_Group_Table **
>> AuthMySQL_Group_Field **
>> AuthMySQL_Encryption_Types **
>> </Directory>
>>
>> SSLEngine on
>>
>> RewriteEngine on
>>
>> # download files from apache in the 'docs' directory
>> RewriteRule ^/docs/(.*) /var/www/sub/$1 [L]
>>
>> # pass requests to Zope
>> RewriteRule ^/(.*) http://localhost:%{ZOPE_PORT}/VirtualHostBase/https/sub.example.com:443/sub/VirtualHostRoot/$1 [L,P]
>> </VirtualHost>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> " from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> You should use mod_authn_dbd instead:
>
> http://httpd.apache.org/docs/current/mod/mod_authn_dbd.html
>
> mod_auth_mysql has been dead for quite some time.
>
> Frank
>
>
>


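Added example (not code from the thread or from the Apache project): the mod_authn_dbd setup Frank points to, dropped into Bart's <Directory> block together with the PUT restriction from the original question, generalized to the other write methods mod_dav accepts. The database pool parameters, the users table and its columns are placeholders, and removing AuthConfig from AllowOverride is this example's choice: it closes the .htaccess override hole Bart describes, at the price that subdomain webmasters can no longer set their own Require rules.

```apache
# Added example: mod_authn_dbd in place of mod_auth_mysql (Apache 2.2).
# Needs mod_dbd, mod_authn_dbd, mod_auth_basic and mod_authz_user loaded.
# Placeholders: AUTHDB, AUTHUSER, AUTHPASS and the users table/columns.

# Connection pool, configured once in the main server context.
DBDriver mysql
DBDParams "host=localhost,dbname=AUTHDB,user=AUTHUSER,pass=AUTHPASS"
DBDMin 1
DBDKeep 2
DBDMax 10
DBDExptime 300

<VirtualHost *:443>
    ServerName sub.example.com
    ServerAlias www.sub.example.com
    DocumentRoot /var/www/sub
    SSLEngine on

    <Directory /var/www/sub/>
        Options -Indexes +FollowSymLinks +MultiViews
        DirectorySlash On
        Order allow,deny
        Allow from all

        # AuthConfig is deliberately absent: an .htaccess file can then
        # neither replace the Require below nor add "Satisfy Any" to bypass it.
        AllowOverride FileInfo Indexes Limit Options

        AuthType Basic
        AuthName "Zope"
        AuthBasicProvider dbd
        # %s is replaced by the username the client supplied. The column must
        # hold a hash mod_authn_dbd understands (apr1 MD5, SHA1 or crypt),
        # never a plain-text password.
        AuthDBDUserPWQuery "SELECT passwd FROM users WHERE username = %s"

        # Only write methods need a valid user; GET/HEAD/OPTIONS stay open.
        # This widens the thread's <Limit PUT> to the methods mod_dav also
        # uses to create, change or remove files and collections.
        <Limit PUT DELETE MKCOL COPY MOVE PROPPATCH LOCK UNLOCK>
            Require valid-user
        </Limit>
    </Directory>
</VirtualHost>
```

Because authentication now goes through the standard mod_auth_basic provider chain, a successful login populates the request's user field the same way AuthUserFile does, which is what the rest of httpd's access logging and authorization phases expect.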
