Apache mod_auth/mod_auth_postgres help

Apache mod_auth/mod_auth_postgres help

Post by Stev » Sat, 05 Jul 1997 04:00:00



I'm looking for a method of ensuring that a username/password pair is
comming from a specific domain/set of IPs (possably more than 2).

I wish to have a single sign-on page where the user would put in
username/password and have the server silently check for the domain from
which the access is coming from and grant/deny on all three critera (it
will be a dynamic set of hosts from which access will be allowed).
I don't care if the sign-on page is a html form or a .htaccess as long as
one can not simply by-pass the sign-on.

I could do the verification through mod_auth_external if it is possable but
my question is this:  when Apache checks .htaccess and grants access does
it then check for every document and directory below the first?  I want
reasonable security but I don't know about running that many queries on the
data-base.

I could modify the source to mod_auth_postgres if I know how to get my
hands on the REMOTE_HOST environment or a pointer to it in some structure
within the mod_auth_postgres module.

Any pointers would be greatly appreciated and will be met with kindness and
cuddles :-)

Steve /..

 
 
 

Apache mod_auth/mod_auth_postgres help

Post by Tyler J. Alliso » Mon, 07 Jul 1997 04:00:00



> I'm looking for a method of ensuring that a username/password pair is
> comming from a specific domain/set of IPs (possably more than 2).

> I wish to have a single sign-on page where the user would put in
> username/password and have the server silently check for the domain from
> which the access is coming from and grant/deny on all three critera (it
> will be a dynamic set of hosts from which access will be allowed).
> I don't care if the sign-on page is a html form or a .htaccess as long as
> one can not simply by-pass the sign-on.

  You can use .htaccess to grant access to your page(s) based on both.
You
should be able to use the 'satisfy' directive in your .htaccess file to
say
"if coming from this address" and "they have a username/password" let
them
in.

Quote:

> I could do the verification through mod_auth_external if it is possable but
> my question is this:  when Apache checks .htaccess and grants access does
> it then check for every document and directory below the first?  I want
> reasonable security but I don't know about running that many queries on the
> data-base.

  Unfortunatly there is no way to get around this. (At least that I know
of)
Because HTTP/WebServers are not built to be serial (ie: you get this
page,
and then the next page, and then the next) but instead are more 'random
access' the server must verify EVERY attempted access. You can reduce
the
amount of 'hits' on your data-base by only protecting the pages/pics
that
really need to be protected.
  If you dont care about people 'possibly' getting access to all your
icons
and pics place them in an unrestricted directory. That way if you .html
file
has 10 small icons your database only gets 'hit' once for the page and
not
11 times (1 for each pic and 1 for the page)
  You could also reduce the 'hits' on your database by refusing access
to
the restricted pages by IP address *BEFORE* you ask for a password. That
way you ONLY have to query the database for those that actually fit your
first requirement (the IP address).

Quote:

> I could modify the source to mod_auth_postgres if I know how to get my
> hands on the REMOTE_HOST environment or a pointer to it in some structure
> within the mod_auth_postgres module.

> Any pointers would be greatly appreciated and will be met with kindness and
> cuddles :-)

> Steve /..

  If you do end up using Mod_Auth_External make sure you get the latest
release
from http://www.nas.nasa.gov/~allison/mod_auth_external and let me know
if you
have any trouble. We already have a few people working on modules for
'Radius'
and 'Sybase' queries, and Id love to include your finished product in
our
'examples' directory.

-Tyler

.--                                                                  
--.
| Tyler Allison      | Sterling Software         | Voice: (415) 604-6629
|
| Network Engineer I | M/S 258-6                 |   Fax: (415) 604-4377
|
| LAN/Security Group | NASA Ames Research Center
+-----------------------+

|
`--                                                                  
--'

 
 
 

1. Help! apache mod_auth problems

Greetings,

I'm having a very strange problem using basic authentication.  My
password protected areas were working fine until today.  I decided to
convert my ssi site to a php site (it's not very big). I first
duplicated all of my shtml files and renamed them to php files.  I
then replaced all of the ssi code with php code and got them working.
Then I changed the directoryindex directive from ".shtml" to ".php".

Everything was hunky-dory until I tried to access the password
authenticated areas of my site.  When I go to those directories, the
server gives a 401 error WITHOUT GIVING A PASSWORD DIALOG.  I haven't
changed any of the auth settings.  There are no "Deny from all" or
similar directives.  My directory areas look like this in my
httpd.conf:
    <Directory "D:/blahblahblah/htdocs/password_protected_folder">
        AuthType Basic
        AuthName "Password Access"
        AuthUserFile "D:/blahblahblah/conf/.htpasswd"
        Require valid-user
    </Directory>

When I comment out the require line i can access pages in the
directory.  This still happens even when I change my directoryindex
back to the way it was.  I know this shouldn't make a difference, but
at this point I'm desperate.  I've tried everything, from moving my
directory directives to .htaccess files and back, to recreating my
.htpasswd file, to reinstalling apache.

I'm running apache 2.0.40 on winXP.  It shouldn't matter, but I also
have php 4.2.3 on the system.

Why wouldn't a password dialog show up?  It's not the browser, because
dialogs show up on other sites.

Can you help me?!?  

2. asroot help

3. mod_auth for apache 1.3.0

4. Lots of Swap = Happiness! -was- Tested SuSE 7.3 RAM requirements, here's results.

5. Problem with including mod_auth.c in Apache 1.2.4

6. <NEWBIE> How to mount HPFS disk?

7. Apache mod_auth mechanism to reduce DB hits?

8. Aarrgghh, I hate/love iptables

9. Apache mod_auth, re-login?

10. PHP and Mod_auth problems in Apache 1.3.2

11. Apache mod_auth Error logging suggestion

12. mod_auth using MySQL w/Apache

13. why mod_access & mod_auth are not used by apache