From: Thomas Smith <theitsmith@gmail.com>
To: users@httpd.apache.org
Date: Wed, 5 Oct 2011 16:18:55 -0700
Message-Id: <37E63BED-BCC6-43A9-AF8D-DAA2E7F49741@gmail.com>
Subject: [users@httpd] Fwd: Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure

Apologies, I sent the wrong config. Here is the WORKING config (except for the location restriction of 127.0.0.1 for the REST directory).

Any help with this would be appreciated! :-)

<VirtualHost *:80>
        ServerName sub.domain.tld

        # Plain-HTTP requests for this host are redirected to the TLS vhost on 4431
        RewriteEngine On
        #RewriteLog /var/log/httpd/modrewrite_log
        #RewriteLogLevel 9

        RewriteCond %{HTTP_HOST}    sub.domain.tld [NC]
        RewriteCond %{SERVER_PORT}  80
        RewriteRule ^/(.*)          https://sub.domain.tld:4431/$1
</VirtualHost>

Listen 4431
<VirtualHost *:4431>
        ServerName sub.domain.tld

        SSLEngine On
        SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
        SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        AddDefaultCharset UTF-8

        FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300

        Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
        ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

        DocumentRoot /opt/rt4/share/html

        # Everything RT serves maps to a file under /opt/rt4, so this block
        # puts LDAP Basic authentication in front of the whole site.
        <Directory /opt/rt4>
                AuthType Basic
                AuthName "Request Tracker Login"

                AuthLDAPEnabled on
                AuthLDAPAuthoritative on

                AuthLDAPUrl "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
                AuthLDAPBindDN "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
                AuthLDAPBindPassword **********

                Require valid-user
        </Directory>

        # Host-based access denies everyone, then the two NoAuth paths are
        # re-allowed through the "allow" env var; with "Satisfy Any" either
        # the host check or the LDAP login is enough to get in.
        <Location />
                Order deny,allow
                Deny from all
                SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
                Allow from env=allow
                Satisfy Any
                Options +ExecCGI
                AddHandler fastcgi-script fcgi
        </Location>
</VirtualHost>

Sent from my iPad

Begin forwarded message:

From: Thomas Smith <theitsmith@gmail.com>
Date: October 5, 2011 2:44:42 PM PDT
To: users@httpd.apache.org
Subject: Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure

Hi,

I'm configuring the Request Tracker to use Apache authentication. I've
had RT running for quite a few years, but (up to this point) only
using its internal database for authentication.

Software:
* CentOS 4.8
* Apache 2.0.63
* RT 4.0.2
* mod_fastcgi 2.4.6

I created a Directory directive for /opt/rt4 that enables the LDAP
authentication. This works really well but breaks their mail-gateway
functionality (because this script is unable to perform
authentication). I used a SetEnvIf parameter to exclude the two
directories from authentication and it worked well (only the REST
directory is required for the mail-gateway to work, though). However,
the RT developers recommend restricting access to mail-gateway to
127.0.0.1 as it's used to inject tickets, via email, into RT's
database--I haven't been able to get this to work. I've tried a number
of combinations of Directory, Files, and Location directives without
any success. Here's a sanitized version of my Apache config for this
virtual host (a working configuration without the above mentioned
127.0.0.1 restriction):


<VirtualHost *:80>
        ServerName sub.domain.tld
        RewriteEngine On
        #RewriteLog /var/log/httpd/modrewrite_log
        #RewriteLogLevel 9

        RewriteCond %{HTTP_HOST}    sub.domain.tld [NC]
        RewriteCond %{SERVER_PORT}  80
        RewriteRule ^/(.*)          https://sub.domain.tld:4431/$1
</VirtualHost>

Listen 4431
<VirtualHost *:4431>
        ServerName sub.domain.tld

        SSLEngine On
        SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
        SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        AddDefaultCharset UTF-8

        FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300

        Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/

        ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

        DocumentRoot /opt/rt4/share/html
        <Directory /opt/rt4>
                AuthType Basic
                AuthName "Request Tracker Login"

                AuthLDAPEnabled on
                AuthLDAPAuthoritative on

                AuthLDAPUrl "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
                AuthLDAPBindDN "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
                AuthLDAPBindPassword **********

                Require valid-user

                # Allow anyone access to the "/NoAuth" location.
                SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
                Order deny,allow
                Allow from env=allow
                Satisfy Any
        </Directory>
        <Directory /opt/rt4/share/html>
                Order deny,allow
                Deny from all

                Options +ExecCGI
                AddHandler fastcgi-script fcgi

        </Directory>
</VirtualHost>

Can someone help me get my desired configuration to work? I've been
playing around with it for hours and haven't had any success.

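A configuration that does what the post asks, added here as an editor's example and not taken from this thread or from the RT project's own documentation. It keeps the poster's LDAP `<Directory /opt/rt4>` block unchanged and replaces the single `<Location />` with three blocks: `/NoAuth` stays open to everyone, `/REST/1.0/NoAuth` (the mail-gateway endpoint) is reachable without a password only from 127.0.0.1, and everything else still requires an LDAP login. It assumes Apache 2.0/2.2 access-control syntax (`Order`/`Deny`/`Allow` and `Satisfy`), matching the poster's Apache 2.0.63; the 2.4 form with `Require` is shown in comments at the end. Host names, paths and the LDAP URL are the poster's placeholders, and the rest of the `<VirtualHost *:4431>` (SSL, FastCGI, aliases) is left as posted.

```apache
# Added example, not the poster's or RT's config. Apache 2.0/2.2 syntax.
# Drop this into <VirtualHost *:4431> in place of the poster's <Location />.

<Directory /opt/rt4>
        AuthType Basic
        AuthName "Request Tracker Login"
        AuthLDAPEnabled on
        AuthLDAPAuthoritative on
        AuthLDAPUrl "ldap://host.domain.local/OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local?sAMAccountName?sub?(|(objectCategory=Person)(objectClass=*))"
        AuthLDAPBindDN "CN=commonName,OU=People,OU=OrgUnit1,OU=OrgUnit2,DC=domain,DC=local"
        AuthLDAPBindPassword **********
        Require valid-user
</Directory>

# Site-wide default: no client passes the host check, so with "Satisfy Any"
# the only remaining way in is a successful LDAP login.
<Location />
        Order deny,allow
        Deny from all
        Satisfy Any
        Options +ExecCGI
        AddHandler fastcgi-script fcgi
</Location>

# Login page, images and the other NoAuth pages: open to everyone.
# <Location> sections are merged after <Directory> and in the order they
# appear, so this replaces the Deny above for /NoAuth and everything under it.
<Location /NoAuth>
        Order deny,allow
        Allow from all
        Satisfy Any
</Location>

# Mail gateway: a client on the loopback address gets in with no password;
# any other client fails the host check and must present LDAP credentials.
<Location /REST/1.0/NoAuth>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Satisfy Any
</Location>

# The same policy on Apache 2.4 (mod_authz_core). With the default
# "AuthMerging Off" a Require in an inner section replaces the outer one,
# so the <Directory> block's "Require valid-user" stays the default and
# only the two exceptions need a <Location>:
#
# <Location /NoAuth>
#         Require all granted
# </Location>
# <Location /REST/1.0/NoAuth>
#         Require ip 127.0.0.1
# </Location>
```

Two checks before trusting it. First, run `httpd -t` (or `apachectl configtest`) and then, from the RT host, request `https://127.0.0.1:4431/REST/1.0/NoAuth/mail-gateway` with `curl -sk`; it must not come back 401, while the same URL from another machine must be 401 and `https://sub.domain.tld:4431/` must be 401 from anywhere until credentials are supplied. Second, `Allow from 127.0.0.1` only matches when rt-mailgate really connects over loopback: if the URL it is given is `https://sub.domain.tld:4431/` and that name resolves to the machine's real interface address, the request arrives from that address, not 127.0.0.1, so either point rt-mailgate at a loopback address or add the server's own address to the `Allow` line.

Two caveats. Under 2.0/2.2 `Satisfy Any`, a remote client that holds valid LDAP credentials can still reach `/REST/1.0/NoAuth`; if the endpoint must be loopback-only regardless of credentials, a vhost-level `RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$` followed by `RewriteRule ^/REST/1.0/NoAuth - [F]` does it, since per-server rewrite rules run before authentication (the 2.4 `Require ip` form above already behaves that way). Unrelated to the 127.0.0.1 question, the poster's LDAP filter `(|(objectCategory=Person)(objectClass=*))` matches every object because `(objectClass=*)` is always true, so the `objectCategory=Person` branch restricts nothing; if the intent was to limit logins to person objects, drop the `(objectClass=*)` branch.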