
[nycphp-talk] apache basic auth

michael lists at genoverly.net
Tue Jan 24 09:06:17 EST 2006


On Mon, 23 Jan 2006 20:57:06 -0500
michael <lists at genoverly.net> wrote:

> I've read the apache docs and googled for this but I can't seem to
> find a definitive answer.  Can you run basic auth in nested
> directories?  Or does it inherit auth from above?
> 
> Say I have restrictions on the whole site with Tom, Dick, Harry, and
> Jane in the 'normal' group file.  I then have a directory (called
> secret) in that site that I only want members of the group 'secret'
> to be allowed: Tom, Dick, and Harry (no Jane).
> 
> 
> <VirtualHost 10.10.10.03>
>         ServerName      subdomain.domain.com
>         DocumentRoot    /path/to/root/directory/
> 
>         # restrict whole site
>         #################################
>         <Directory "/path/to/root/directory">
>                 AuthType Basic
>                 AuthName "site restricted"
>                 AuthUserFile /path/to/password/file
>                 AuthGroupFile /path/to/group/file
>                 Require group normal
>         </Directory>
> 
>         # restrict super secret directory
>         #################################
>         Alias /secret/   "/path/to/root/directory/deep/secret/"
>         <Directory "/path/to/root/directory/deep/secret">
>                 AuthType Basic
>                 AuthName "super secret"
>                 AuthUserFile /path/to/password/file
>                 AuthGroupFile /path/to/group/file
>                 Require group secret
>         </Directory>
> </VirtualHost>
> 
> I have something similar to this set up.  When I point my browser at
> http://subdomain.domain.com I get prompted.  I log on as Jane and can
> see the site.  I then go into the /secret/ directory and I do NOT get
> prompted again!  Unless I'm missing something, it looks like nested
> auth does not work.
> 
> I've tried closing the browser and reopening the browser to clear
> authentication remnants.  Am I doing something wrong?  Is there
> another way to do what I'm trying to do?   
> 
> I am aware basic auth is not secure, but, I want to get this basic
> concept to work first.  Then I will use encryption. 

Answering my own question...

File under apache/auth/proxy for the archives.

1. Apache does NOT allow nested auth.  Once you auth a directory tree,
everything under it is allowed.  So, if separate auth is needed you
have to go up the tree.  Editing the above example, if you changed
the super secret directory to "/path/to/root/deep/secret" it will work
because it does not fall under the original authentication umbrella.

2. If "/secret/" is a reverse proxy to another site it will NOT
authenticate.  You *must* create a directory below the auth directory
(actually within the restricted area, thus triggering auth):

Alias /virtualsecret/ "/path/to/root/deep/secret/proxy"

## send requests for /virtualsecret/ to another server
ProxyRequests Off
<Proxy *>
        Order deny,allow
        Allow from all
</Proxy>
ProxyPass        /virtualsecret/ http://otherdomain.com/directory/
ProxyPassReverse /virtualsecret/ http://otherdomain.com/directory/

-- 

Michael
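The layout from the post, written out as one added example (not config from the post or from the list): the restricted site and the secret directory as sibling trees, the group file that puts Jane in "normal" but not "secret", and the proxied path protected by attaching the same group check to its URL with a <Location> block, so the upstream is never contacted without a valid "secret" login. Usernames, the password file contents and the use of <Location> for the proxied path are assumptions; the paths and group names are the post's.

```apache
# Assumed users: tom, dick, harry, jane (created with htpasswd into
# /path/to/password/file).  Assumed contents of /path/to/group/file,
# one group per line:
#   normal: tom dick harry jane
#   secret: tom dick harry

<VirtualHost *:80>
    ServerName   subdomain.domain.com
    DocumentRoot /path/to/root/directory

    # whole site: anyone in group "normal" (Jane included)
    <Directory "/path/to/root/directory">
        AuthType      Basic
        AuthName      "site restricted"
        AuthUserFile  /path/to/password/file
        AuthGroupFile /path/to/group/file
        Require group normal
    </Directory>

    # secret area kept OUTSIDE the restricted tree, as the post suggests;
    # a different AuthName (realm) makes the browser prompt again
    Alias /secret/ "/path/to/root/deep/secret/"
    <Directory "/path/to/root/deep/secret">
        AuthType      Basic
        AuthName      "super secret"
        AuthUserFile  /path/to/password/file
        AuthGroupFile /path/to/group/file
        Require group secret
    </Directory>

    # proxied path: there is no local directory to protect, so the same
    # check is attached to the URL; auth runs before the proxy handler
    ProxyRequests Off
    <Location /virtualsecret/>
        AuthType      Basic
        AuthName      "super secret"
        AuthUserFile  /path/to/password/file
        AuthGroupFile /path/to/group/file
        Require group secret
    </Location>
    ProxyPass        /virtualsecret/ http://otherdomain.com/directory/
    ProxyPassReverse /virtualsecret/ http://otherdomain.com/directory/
</VirtualHost>
```

Basic auth sends the password base64-encoded on every request, so, as the post itself notes, the site should be served over TLS before any real credentials are used.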
