
Mailing List Archive: Apache: Users

Unsecuring a URL

 

 



mmcdonald at staff

May 6, 2008, 12:43 AM

Post #1 of 7 (175 views)
Unsecuring a URL

Hey,

I have an apache2 setup running Drupal 4.7 (a CMS). Drupal uses the mod_rewrite options below to run all requests through the top-level index.php file, so that http://server/my/path executes /index.php?q=my/path.

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*PubCookie.*
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

I'm also using mod_pubcookie to authenticate users.

What I want to do is remove authentication from a specific URL, namely the RSS path: http://server/node/feed (index.php?q=node/feed).

I understand that I can do this on a real file or directory easily enough, but I'm unsure if it's possible to do this on a specific URL.

Any ideas?

Thanks!
Mark

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe[at]httpd.apache.org
" from the digest: users-digest-unsubscribe[at]httpd.apache.org
For additional commands, e-mail: users-help[at]httpd.apache.org


covener at gmail

May 6, 2008, 6:19 AM

Post #2 of 7 (163 views)
Re: Unsecuring a URL [In reply to]

On Tue, May 6, 2008 at 3:43 AM, Mark Mcdonald
<mmcdonald[at]staff.iinet.net.au> wrote:
> What I want to do is remove authentication from a specific URL, namely the RSS path: http://server/node/feed (index.php?q=node/feed).

Have you tried <Location /node/feed> and something like the recipe here:

http://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements

--
Eric Covener
covener[at]gmail.com



mmcdonald at staff

May 6, 2008, 6:02 PM

Post #3 of 7 (157 views)
RE: Unsecuring a URL [In reply to]

I think that's what I'm looking for, although it doesn't seem to work.

There are no errors, the authentication prompt just remains after apache is restarted.

I am testing on a box using Basic auth, with the following file in /etc/apache2/sites-enabled:

<VirtualHost *>
ServerAdmin webmaster[at]localhost
ServerName dev
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On

DocumentRoot /home/users/mmcdonald/drupal

<Location /node/feed>
Order allow,deny
Allow from any
Satisfy any
</Location>

<Directory /home/users/mmcdonald/drupal/>
AuthType Basic
AuthName "LDAP Authentication Required"
AuthLDAPURL <removed>
AuthLDAPBindDN <removed>
AuthLDAPBindPassword <removed>
require valid-user
Options +FollowSymLinks
AllowOverride All
order allow,deny
allow from all
RewriteBase /
</Directory>

</VirtualHost>



covener at gmail

May 6, 2008, 6:13 PM

Post #4 of 7 (158 views)
Re: Unsecuring a URL [In reply to]

On Tue, May 6, 2008 at 9:02 PM, Mark Mcdonald
<mmcdonald[at]staff.iinet.net.au> wrote:
> Allow from any

Allow from 'all'? 'any' is probably interpreted as a hostname.

--
Eric Covener
covener[at]gmail.com



mmcdonald at staff

May 6, 2008, 6:50 PM

Post #5 of 7 (158 views)
RE: Unsecuring a URL [In reply to]

Woops, sorry that was just me playing around. It still prompts for credentials with 'all' and for a specific IP class.



mmcdonald at staff

May 8, 2008, 5:16 PM

Post #6 of 7 (129 views)
RE: RE: Unsecuring a URL [In reply to]

I'm still having trouble with this one...

Could it be something outside of my virtualhost config affecting the behaviour of Location?



sgifford at suspectclass

May 30, 2008, 7:42 AM

Post #7 of 7 (43 views)
Re: Unsecuring a URL [In reply to]

Mark Mcdonald <mmcdonald[at]staff.iinet.net.au> writes:

[...]

> There are no errors, the authentication prompt just remains after apache is restarted.
>
> I am testing on a box using Basic auth, with the following file in /etc/apache2/sites-enabled:
>
> <VirtualHost *>

[...]

> <Location /node/feed>
> Order allow,deny
> Allow from any
> Satisfy any
> </Location>

[...]

The problem may be that Apache is rewriting /node/feed to /index.php?q=node/feed,
so your Location rule above is getting ignored. You could try
"Location /index.php?q=node/feed", but I doubt that will work; I don't
think you can set different rules depending on the query part of a
URL.

A few ideas: mod_rewrite can match these sorts of URLs and set
environment variables. You might be able to trick later parts of
Apache into allowing you in, for example by overriding REMOTE_USER or
AUTH_TYPE. If you allow one host, like 127.0.0.1, maybe you could
override REMOTE_HOST, or REMOTE_ADDR. If 127.0.0.1 is allowed, you
could also try rewriting with the [P] option which will proxy the
request, and simply proxy it back to yourself at localhost. The proxy
request will come from 127.0.0.1, and so should be allowed.

You could write a very simple authentication module that would run
before basic auth, and always authenticate users using this URL.
Otherwise it would decline the auth and let basic auth handle it.

You could write a small proxy or CGI program at a different,
unauthenticated URL to access this page (by running the script
directly, or by accessing it over HTTP in a way that your Web server
will allow).

You could also try asking in a Drupal forum. I suspect their answer
will be to use Drupal's authentication instead of Apache; then you can
simply allow anonymous access to this page with a checkbox.

Good luck!

-----Scott.
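
Added example (not part of the thread and not any poster's code): one way to apply the "mod_rewrite / environment variable" idea from the last post in the Apache 2.2 syntax the thread uses, by flagging the feed path before Drupal's rewrite and accepting that flag in place of a login. It assumes Drupal's rewrite rules live in a .htaccess file under the DocumentRoot, so the rewrite is an internal redirect; the variable name noauth_feed is hypothetical.

```apacheconf
# Added example. The variable name noauth_feed is hypothetical.
<VirtualHost *>
    ServerName dev
    DocumentRoot /home/users/mmcdonald/drupal

    # Flag the request while it still carries the client's original path.
    # Request_URI excludes the query string; the pattern is anchored at both
    # ends so that only /node/feed itself is flagged.
    SetEnvIf Request_URI "^/node/feed$" noauth_feed

    # Refuse the feed path when it carries a query string: the Drupal rule
    # uses QSA, so client parameters would be appended to index.php?q=node/feed.
    RewriteEngine On
    RewriteCond %{QUERY_STRING} .
    RewriteRule ^/node/feed$ - [F]

    <Directory /home/users/mmcdonald/drupal/>
        AuthType Basic
        AuthName "LDAP Authentication Required"
        # AuthLDAPURL, AuthLDAPBindDN and AuthLDAPBindPassword as in the post
        Require valid-user
        Options +FollowSymLinks
        AllowOverride All

        # Host-based access: deny everything except flagged requests.
        # This replaces "allow from all", which together with "Satisfy any"
        # would open the whole site.
        Order deny,allow
        Deny from all
        # First pass: the request is still /node/feed.
        Allow from env=noauth_feed
        # Second pass: after the internal redirect to /index.php the variable
        # is carried over with a REDIRECT_ prefix.
        Allow from env=REDIRECT_noauth_feed

        # Either the host-based check or a valid login is sufficient.
        Satisfy any
    </Directory>
</VirtualHost>
```

After a restart, confirm that /node/feed is served without credentials while /index.php?q=node/feed and every other path still return 401.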
