httpd-users mailing list archives

From Thomas Smith <theitsm...@gmail.com>
Subject [users@httpd] Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure
Date Wed, 05 Oct 2011 21:44:42 GMT
Hi,

I'm configuring the Request Tracker to use Apache authentication. I've
had RT running for quite a few years, but (up to this point) only
using its internal database for authentication.

Software:
* CentOS 4.8
* Apache 2.0.63
* RT 4.0.2
* mod_fastcgi 2.4.6

I created a Directory directive for /opt/rt4 that enables the LDAP
authentication. This works really well but breaks their mail-gateway
functionality (because this script is unable to perform
authentication). I used a SetEnvIf parameter to exclude the two
directories from authentication and it worked well (only the REST
directory is required for the mail-gateway to work, though). However,
the RT developers recommend restricting access to mail-gateway to
127.0.0.1 as it's used to inject tickets, via email, into RT's
database--I haven't been able to get this to work. I've tried a number
of combinations of Directory, Files, and Location directives without
any success. Here's a sanitized version of my Apache config for this
virtual host (a working configuration without the above mentioned
127.0.0.1 restriction):


<VirtualHost *:80>
        ServerName sub.domain.tld

        RewriteEngine On
        #RewriteLog /var/log/httpd/modrewrite_log
        #RewriteLogLevel 9

        RewriteCond %{HTTP_HOST}    sub.domain.tld [NC]
        RewriteCond %{SERVER_PORT}  80
        RewriteRule ^/(.*)          https://sub.domain.tld:4431/$1
</VirtualHost>

Listen 4431
<VirtualHost *:4431>
        ServerName sub.domain.tld

        SSLEngine On
        SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
        SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        AddDefaultCharset UTF-8

        FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300

        Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
        ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

        DocumentRoot /opt/rt4/share/html
        <Directory /opt/rt4>
                AuthType Basic
                AuthName "Request Tracker Login"

                AuthLDAPEnabled on
                AuthLDAPAuthoritative on

                AuthLDAPUrl "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
                AuthLDAPBindDN "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
                AuthLDAPBindPassword **********

                Require valid-user

                # Allow anyone access to the "/NoAuth" location.
                SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
                Order deny,allow
                Allow from env=allow
                Satisfy Any
        </Directory>
        <Directory /opt/rt4/share/html>
                Order deny,allow
                Deny from all

                Options +ExecCGI
                AddHandler fastcgi-script fcgi
        </Directory>
</VirtualHost>

Can someone help me get my desired configuration to work? I've been
playing around with it for hours and haven't had any success.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
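
One way to express the restriction asked about above with Apache 2.0 access directives, as an added example that is not part of the original message or of RT's own documentation. `<Location>` sections are merged after `<Directory>` sections, so each block below overrides the host-access rules for its URL prefix while inheriting the LDAP settings; it assumes the mail gateway reaches the server over the loopback interface.

```apache
# Added example (Apache 2.0 mod_access syntax); belongs inside
# <VirtualHost *:4431>, after the existing <Directory> blocks.
# The AuthType / AuthLDAP* / Require lines in <Directory /opt/rt4> stay as
# posted; only the host-access lines in that block are replaced by these.

<Directory /opt/rt4>
        # "Order deny,allow" permits by default, so deny every host explicitly.
        # With "Satisfy Any" a request that fails the host check must then
        # pass "Require valid-user" instead.
        Order deny,allow
        Deny from all
        Satisfy Any
</Directory>

# Public pages and images: every host passes the host check, so no login
# is requested for these URLs.
<Location /NoAuth>
        Order allow,deny
        Allow from all
        Satisfy Any
</Location>

# Mail-gateway endpoint: only loopback passes the host check without a login.
# Any other client fails it and falls through to the inherited LDAP
# authentication rather than getting in unauthenticated.
<Location /REST/1.0/NoAuth>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Satisfy Any
</Location>
```

The loopback rule only matches when the mail-gateway script is given a URL that resolves to 127.0.0.1; a request sent to the server's public address normally arrives with that address as its source.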

