httpd-users mailing list archives

From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure
Date Thu, 06 Oct 2011 00:01:39 GMT
On October 5, 2011 17:44 , Thomas Smith <theitsmith@gmail.com> wrote:
> Can someone help me get my desired configuration to work?

Maybe someone who is not me can :)  I'd be able to help you better if 
you asked your question much more narrowly.  Provide the configuration 
that is NOT working, say what your goal is (desired outcome/behavior), 
and be as specific as possible about the problem you are encountering: 
include what you do to encounter the problem (the specific HTTP 
requests), messages from the Apache HTTP Server error log, observed 
behavior (how what actually happens differs from the desired behavior), 
and so on.


> I created a Directory directive for /opt/rt4 that enables the LDAP
> authentication. This works really well but breaks their mail-gateway
> functionality (because this script is unable to perform
> authentication). I used a SetEnvIf parameter to exclude the two
> directories from authentication and it worked well (only the REST
> directory is required for the mail-gateway to work, though). However,
> the RT developers recommend restricting access to mail-gateway to
> 127.0.0.1 as it's used to inject tickets, via email, into RT's
> database--I haven't been able to get this to work.

From what I can extract from the above, you want to have everything use 
LDAP authentication except for one or more specific resources which you 
want to use host-based access control, correct?

In this case, you need to use the "Satisfy Any" directive since access 
control methods normally supplement, not replace, authentication 
mechanisms.  Here's an example (note that this is not a complete 
example, I've left out most directives for clarity):

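<Directory /foo>
   Require valid-user
   Order allow,deny
   Allow from all
</Directory>
<Directory /foo/bar>
   # Require EITHER an authenticated user (the configuration for /foo is
   # inherited for /foo/bar)
   # OR allow access from 127.0.0.1
   # Order is restated here: Order/Allow/Deny settings from /foo are not
   # merged into a section that has its own Allow, and the default
   # Order (deny,allow) would admit every host
   Order allow,deny
   Allow from 127.0.0.1
   Satisfy Any
</Directory>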


I hope this helps.

--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
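
A small Python model of how Apache 2.2 combines Order/Allow/Deny with Satisfy for the /foo and /foo/bar sections discussed above, added here as an illustration; it is not part of the original message and not Apache's code. It assumes 2.2 mod_authz_host behaviour (a section with its own Allow/Deny does not merge the parent's Order, and the default Order is deny,allow); the section dictionaries and the address 203.0.113.7 are constructed.

```python
import ipaddress

def host_allowed(order, allow, deny, client_ip):
    """Host check for one section's Order/Allow/Deny (Apache 2.2 semantics)."""
    ip = ipaddress.ip_address(client_ip)

    def matches(specs):
        return any(s == "all" or ip in ipaddress.ip_network(s) for s in specs)

    if order == "allow,deny":
        # Default is deny; a matching Deny overrides a matching Allow.
        return matches(allow) and not matches(deny)
    # "deny,allow": default is allow; a matching Allow overrides a Deny.
    return matches(allow) or not matches(deny)

def decide(section, client_ip, authenticated):
    """Predicted status for a request: 200, 401 (challenge) or 403."""
    host_ok = host_allowed(section["order"], section["allow"],
                           section["deny"], client_ip)
    if section["satisfy"] == "any":
        # Either the host check or a valid login is enough.
        return 200 if (host_ok or authenticated) else 401
    # Satisfy All (the default): both checks must pass.
    if not host_ok:
        return 403
    return 200 if authenticated else 401

# Constructed sections; "Require valid-user" is assumed inherited from /foo.
FOO = {"order": "allow,deny", "allow": ["all"], "deny": [], "satisfy": "all"}
BAR_ORDER_RESTATED = {"order": "allow,deny", "allow": ["127.0.0.1"],
                      "deny": [], "satisfy": "any"}
# Same section with no Order line: the 2.2 default, deny,allow, applies.
BAR_DEFAULT_ORDER = dict(BAR_ORDER_RESTATED, order="deny,allow")

if __name__ == "__main__":
    cases = [("/foo", FOO),
             ("/foo/bar, Order restated", BAR_ORDER_RESTATED),
             ("/foo/bar, default Order", BAR_DEFAULT_ORDER)]
    for name, section in cases:
        for ip in ("127.0.0.1", "203.0.113.7"):
            print(name, ip, "anonymous ->", decide(section, ip, False))
```

The last case is the one to check for on a live server: an anonymous request from a non-local address to the excluded path should get a 401, not a 200.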

