From Thomas Smith <>
Subject [users@httpd] Configuration issue allowing unauthenticated access from to a single directory within a password-protected directory structure
Date Wed, 05 Oct 2011 21:44:42 GMT

I'm configuring the Request Tracker to use Apache authentication. I've
had RT running for quite a few years, but (up to this point) only
using its internal database for authentication.

* CentOS 4.8
* Apache 2.0.63
* RT 4.0.2
* mod_fastcgi 2.4.6

I created a Directory directive for /opt/rt4 that enables the LDAP
authentication. This works really well but breaks their mail-gateway
functionality (because this script is unable to perform
authentication). I used a SetEnvIf parameter to exclude the two
directories from authentication and it worked well (only the REST
directory is required for the mail-gateway to work, though). However,
the RT developers recommend restricting access to mail-gateway to as it's used to inject tickets, via email, into RT's
database--I haven't been able to get this to work. I've tried a number
of combinations of Directory, Files, and Location directives without
any success. Here's a sanitized version of my Apache config for this
virtual host (a working configuration without the above mentioned restriction):

<VirtualHost *:80>
        ServerName sub.domain.tld

        RewriteEngine On
        #RewriteLog /var/log/httpd/modrewrite_log
        #RewriteLogLevel 9

        # Redirect every plain-HTTP request to the SSL virtual host
        RewriteCond %{HTTP_HOST}    sub.domain.tld [NC]
        RewriteCond %{SERVER_PORT}  80
        RewriteRule ^/(.*)          https://sub.domain.tld:4431/$1
</VirtualHost>

Listen 4431
<VirtualHost *:4431>
        ServerName sub.domain.tld

        SSLEngine On
        SSLCertificateFile /etc/httpd/conf.d/sub.domain.tld-cert.pem
        SSLCertificateKeyFile /etc/httpd/conf.d/sub.domain.tld-key.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        AddDefaultCharset UTF-8

        FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300

        Alias /NoAuth/images/ /opt/rt4/share/html/NoAuth/images/
        ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/

        DocumentRoot /opt/rt4/share/html
        <Directory /opt/rt4>
                AuthType Basic
                AuthName "Request Tracker Login"

                # Sanitized: the LDAP server details and the real bind password are not shown
                AuthLDAPEnabled on
                AuthLDAPAuthoritative on

                AuthLDAPBindPassword **********

                Require valid-user

                # Allow anyone access to the "/NoAuth" location.
                SetEnvIf Request_URI "^/(NoAuth|REST/1.0/NoAuth)(.*)$" allow
                Order deny,allow
                Allow from env=allow
                Satisfy Any
        </Directory>
        <Directory /opt/rt4/share/html>
                Order deny,allow
                Deny from all

                Options +ExecCGI
                AddHandler fastcgi-script fcgi
        </Directory>
</VirtualHost>

Can someone help me get my desired configuration to work? I've been
playing around with it for hours and haven't had any success.
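One way to express the mail-gateway restriction the post is asking about, as an added example that is not part of the original message: because `ScriptAlias /` maps every URL onto the single file /opt/rt4/sbin/rt-server.fcgi, `<Directory>` and `<Files>` sections see the same filename for every request and cannot single out the mail-gateway, whereas a `<Location>` section matches the request URL. The address 192.0.2.10 is a placeholder for the host that runs rt-mailgate.

```apache
# Added example (not from the original post). Place this inside
# <VirtualHost *:4431>, after the <Directory /opt/rt4> block.
#
# <Location> matches the URL path, so it works even though ScriptAlias
# maps every request onto /opt/rt4/sbin/rt-server.fcgi. Location sections
# are merged after Directory sections, and because this one sets its own
# Order, its Deny/Allow replace the "Allow from env=allow" rule inherited
# from <Directory /opt/rt4>; the NoAuth environment variable no longer
# opens this path.
<Location /REST/1.0/NoAuth/mail-gateway>
        Order deny,allow
        Deny from all
        # Placeholder: replace with the address(es) of the host(s) that run
        # rt-mailgate; use 127.0.0.1 if the MTA runs on the RT server itself.
        Allow from 192.0.2.10

        # AuthType Basic and Require valid-user are still inherited from
        # <Directory /opt/rt4>. With Satisfy Any the listed host gets in
        # without credentials, and every other client is challenged for
        # LDAP credentials instead of being let in anonymously.
        Satisfy Any
</Location>
```

The rest of /REST/1.0/NoAuth and /NoAuth stay reachable through the existing env=allow rule, since only this URL prefix gets the tighter access list.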
