httpd-users mailing list archives

From Thomas Smith <theitsm...@gmail.com>
Subject Re: [users@httpd] Configuration issue allowing unauthenticated access from 127.0.0.1 to a single directory within a password-protected directory structure
Date Wed, 12 Oct 2011 21:51:29 GMT
Thanks Mark!

On Wed, Oct 5, 2011 at 5:01 PM, Mark Montague <mark@catseye.org> wrote:
> On October 5, 2011 17:44 , Thomas Smith <theitsmith@gmail.com> wrote:
>>
>> Can someone help me get my desired configuration to work?
>
> Maybe someone who is not me can :)  I'd be able to help you better if you
> asked your question much more narrowly.  Provide the configuration that is
> NOT working, say what your goal is (desired outcome/behavior), and be as
> specific as possible about the problem you are encountering: include what
> you do to encounter the problem (the specific HTTP requests), messages from
> the Apache HTTP Server error log, observed behavior (how what actually
> happens differs from the desired behavior), and so on.

I've attempted MANY different configurations that DIDN'T work. So I
thought it would be best to say "this is what I have that works and
this is what I'd like to do but haven't been able to get working"
rather than post the many, many configuration failures I've attempted.
:-)

>> I created a Directory directive for /opt/rt4 that enables the LDAP
>> authentication. This works really well but breaks their mail-gateway
>> functionality (because this script is unable to perform
>> authentication). I used a SetEnvIf parameter to exclude the two
>> directories from authentication and it worked well (only the REST
>> directory is required for the mail-gateway to work, though). However,
>> the RT developers recommend restricting access to mail-gateway to
>> 127.0.0.1 as it's used to inject tickets, via email, into RT's
>> database--I haven't been able to get this to work.
>
> From what I can extract from the above, you want to have everything use LDAP
> authentication except for one or more specific resources which you want to
> use host-based access control, correct?
>
> In this case, you need to use the "Satisfy Any" directive since access
> control methods normally supplement, not replace, authentication mechanisms.
>  Here's an example (note that this is not a complete example, I've left out
> most directives for clarity):
>
> <Directory /foo>
>  Require valid-user
>  Order allow,deny
>  Allow from all
> </Directory>
> <Directory /foo/bar>
>  # Require EITHER an authenticated user (the configuration for /foo is
>  # inherited for /foo/bar)
>  # OR allow access from 127.0.0.1
>  Allow from 127.0.0.1
>  Satisfy Any
> </Directory>

I tried the Directory directives you mentioned and they didn't work.
However, I finally found a configuration that did work (your post
inspired me to look at this problem in a different way and ultimately
led to the solution):

        <Directory /opt/rt4>
                ..... LDAP authentication stuff goes here .....
        </Directory>
        <Location />
                Order allow,deny
                Allow from all

                Options +ExecCGI
                AddHandler fastcgi-script fcgi
        </Location>
        <Location /NoAuth>
                Order allow,deny
                Allow from all
                Satisfy any
        </Location>
        <Location /REST/1.0/NoAuth>
                Order allow,deny
                Allow from 127.0.0.1
                Satisfy any
        </Location>

If I change the last two Location directives to Directory and point
them to the respective file system locations, things don't work as
expected--that is, when accessing
https://sub.domain.tld/REST/1.0/NoAuth/mail-gateway from localhost, I
still get prompted to authenticate. But those directives as they
appear here work as expected (I can access mail-gateway from localhost
and attempts outside of this [i.e. not from localhost] are prompted to
authenticate). Also note that the latter two Location directives WILL
NOT work without listing "Order allow,deny", which seems contrary to
the inheritance you mentioned.

The Apache documentation also mentions that it's more favorable to use
Directory directives over Location directives when the intent is to
secure file system locations (see the "What to use When" section
located here: http://httpd.apache.org/docs/2.0/sections.html).

So given that my intent is to secure file system locations, are there
any inherent security risks associated with doing things the way I
have it configured here? Or any reason I wouldn't want to continue
forward with this configuration?

Thanks again for your help!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
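
An added example, not part of the original message or of the Apache HTTP Server project: a small Python audit that lists every section where `Satisfy any` lets a host match stand in for a login, run over a constructed copy of the sections from the message above. The name `audit_satisfy_any` is hypothetical, and the check reads each section on its own without modelling how httpd merges Directory and Location sections.

```python
import re

# Constructed sample input: the sections from the message above (Apache 2.2 syntax).
SAMPLE_CONF = """\
<Directory /opt/rt4>
    # LDAP authentication directives (elided in the message)
</Directory>
<Location />
    Order allow,deny
    Allow from all
</Location>
<Location /NoAuth>
    Order allow,deny
    Allow from all
    Satisfy any
</Location>
<Location /REST/1.0/NoAuth>
    Order allow,deny
    Allow from 127.0.0.1
    Satisfy any
</Location>
"""

OPEN = re.compile(r"<(Directory|Location|Files)(?:Match)?\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</(?:Directory|Location|Files)(?:Match)?>", re.I)

def audit_satisfy_any(conf_text):
    """Return (container, path, allowed_hosts, open_to_everyone) for each
    section that sets 'Satisfy any'. Hypothetical helper; no section merging."""
    findings, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        words = line.lower().split()
        if not words or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append([opened.group(1), opened.group(2).strip('"'), [], False])
        elif CLOSE.match(line) and stack:
            kind, path, hosts, any_ok = stack.pop()
            if any_ok:  # a host match alone is enough here, no login needed
                findings.append((kind, path, hosts, "all" in hosts))
        elif stack and words[:2] == ["allow", "from"]:
            stack[-1][2].extend(words[2:])
        elif stack and words[0] == "satisfy" and len(words) > 1:
            stack[-1][3] = words[1] == "any"
    return findings
```

Sections reported with `open_to_everyone` set to `True` serve their URL space without any login, so each one should correspond to a path that is meant to be public.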

