    #1
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2000
    Posts
    10
    Rep Power
    0
    Hi, I am trying to authenticate with a username database, but I also want to allow users from certain domains access with authentication.
    I can do one or the other, but I cannot figure out both. Here is what I have so far.

    AuthUserFile /www/cgi-bin/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
    require valid-user

    <Limit GET PUT>
    order allow,deny
    deny from all
    allow from website.com
    satisfy any
    </Limit>

    Thanks,
    Mark
  2. #2
    freebsd
    Guest
    >>I can do one or the other but I can not figure out both

    Because it's impossible with mod_access. Though, it might be possible with the addition of mod_rewrite. For example:

    1) Set the 1st RewriteCond to check HTTP_REFERER: if it's within your protected dir AND another_dir JUST for "allow host" authentication, then [L] it.
    2) 2nd RewriteCond:
    RewriteCond %{REMOTE_HOST} ^website\.com$
    3) Set the RewriteRule to redirect to the /another_dir just for the allow host authentication.

    If you apply the above logic, a visitor who comes from website.com and accesses your private directory will be redirected to http://www.yourdomain.com/another_dir for authentication.
    Next, set an index.cgi or index.php to redirect this visitor to http://www.yourdomain.com/private. This way, the HTTP_REFERER for such a visitor matches the 1st RewriteCond, so he won't be asked to authenticate again. This only occurs the first time, when he is being redirected from /another_dir to /private; once he is in /private, his HTTP_REFERER also matches the 1st RewriteCond and he is allowed in.
    Note, http://www.yourdomain.com/another_dir is also a protected directory, so visitors not coming from website.com won't be able to log in.

    I haven't tested this so it may or may not work but it's the logic I can come up with at this moment.

    Anyway, visitors coming from website.com SHOULD BE ALLOWED IN WITHOUT AUTHENTICATION according to the "satisfy" directive. If you insist on authenticating them, WHY NOT create a user/pass for them and drop the "allow from" line and "satisfy" line, if you really know what they are for. Or at least require them to sign up for a username from website.com to get into your /private.

    [This message has been edited by freebsd (edited October 02, 2000).]
  4. #3
    Junior Member
    I am pretty new to the Unix world, so this makes some sense but not very much. I am still learning. Is there any way to explain this in easier terms?

    Thanks,
    Mark
  6. #4
    freebsd
    >>explain this in easier terms

    Your lines:

    allow from website.com
    satisfy any

    By all means, this is to allow in (from website.com) without authentication. Read here -> http://www.apache.org/docs/mod/core.html#satisfy
    Visitors coming from website.com should bypass the login prompt. If they are also required to authenticate, give them a user/pass.
  8. #5
    Junior Member
    Hi, so is this what I should have? I tried it and it lets everyone in.

    AuthUserFile /www//cgi-bin/globill/passwd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
    require valid-user

    <Limit GET PUT>
    allow from website.com
    satisfy any
    </Limit>
  10. #6
    freebsd
    >>AuthUserFile /www//cgi-bin/globill/passwd

    You should place passwd above your docroot. If you don't have permission to do so, you then need to add the following to your .htaccess:

    <FilesMatch "^passwd$">
    Order deny,allow
    Deny from all
    </FilesMatch>

    You also don't need the <Limit> block.
  12. #7
    Junior Member
    Someone said what I want is not possible unless I make 2 separate directories. I really need this to work. I really have no idea what I am doing. Is this right? I tried it and it lets everybody in.

    # Access file
    #(makes file invisible)

    <FilesMatch "^passwd$">
    Order deny,allow
    allow from website.com
    </FilesMatch>

    AuthUserFile /www/cgi-bin/globill/passwd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
  14. #8
    freebsd
    >>Someone said what I want is not possible unless I make 2 separate directories

    Exactly. As I mentioned, the /another_dir is to authenticate users from website.com and redirect back to /private along with the HTTP_REFERER that matches the 1st RewriteCond to bypass the login prompt in /private.

    >><FilesMatch "^passwd$">
    >>Order deny,allow
    >>allow from website.com
    >></FilesMatch>

    Don't put "allow from website.com". Why would you want visitors from website.com to be able to READ your "passwd" file anyway?

    Putting Deny from all prevents people from viewing your passwd file from browsers; it doesn't mean your passwd file will not get read by Apache.
  16. #9
    Junior Member
    Hi, I don't want people to read the password file. I just want certain sites to have access to the members area without authentication. website.com was just an example. What should I do?
  18. #10
    freebsd
    Regarding the passwd file, as I said, do this:

    <FilesMatch "^passwd$">
    Order deny,allow
    Deny from all
    </FilesMatch>

    Don't try to invent something on your own. Put this .htaccess in http://yourdomain.com/.htaccess

    #http://yourdomain.com/protect/.htaccess
    AuthUserFile /www/path_other_than_cgi-bin/passwd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
    Allow from website.com
    Satisfy any
  20. #11
    Junior Member
    OK, I created 2 files. This one

    <FilesMatch "^passwd$">
    Order deny,allow
    Deny from all
    </FilesMatch>

    and this one

    #http://yourdomain.com/protect/.htaccess
    AuthUserFile /www/path_other_than_cgi-bin/passwd
    AuthGroupFile /dev/null
    AuthName "Member's Area"
    AuthType Basic
    Allow from website.com
    Satisfy any

    I uploaded the 1st one to the members area and the second one to http://yourdomain.com/members/ and made sure the path was not to a cgi-bin. It seems to let everyone in. Did I do this right? Thanks so much for helping.
  22. #12
    freebsd
    Are you sure your server has .htaccess enabled? To verify this, simply remove the bottom two lines:
    Allow from website.com
    Satisfy any

    If it doesn't show a login prompt, too bad, htaccess is not enabled at all.

    Also, for the line -> Allow from website.com
    it's better to put the IP address of website.com, or at least put a dot before website.com, as in .website.com
  24. #13
    Junior Member
    Hi, I know htaccess is active because I can make the login box appear. I did try to erase those 2 lines, but it did not pop up any login box. But I am sure htaccess is working. I also put a dot in front of the website, like this: .website.com. What else should I try?

    Thanks,
    Mark
  26. #14
    freebsd
    >>I did try to erase those 2 lines but it did not pop-up any login box

    Make sure there were NO CONSECUTIVE TRIES. Once you have logged in, on the 2nd try, you need to close and relaunch your browser.
  28. #15
    Junior Member
    Hi, I did close all my browser windows and tried it several times and never got a login box. I tried it in Netscape and Explorer.
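
Added example, not part of any post in this thread: the /protect/.htaccess from post #10 shown beside a form in which both the host check and the login check are actually defined, so that `Satisfy Any` has two real conditions to choose between. It uses the Apache 1.3/2.0/2.2 mod_access syntax and the placeholder path and hostname already used in the thread.

```apache
# Variant from post #10, kept here commented out. It admits everyone because:
#   - there is no "Require" line, so no login is ever demanded, and
#   - there is no "Order"/"Deny", so the default (Order Deny,Allow with
#     nothing denied) lets every host pass the host check.
#
#   AuthUserFile /www/path_other_than_cgi-bin/passwd
#   AuthGroupFile /dev/null
#   AuthName "Member's Area"
#   AuthType Basic
#   Allow from website.com
#   Satisfy any

# Corrected form: both checks are defined, and either one is sufficient.
AuthUserFile /www/path_other_than_cgi-bin/passwd
AuthGroupFile /dev/null
AuthName "Member's Area"
AuthType Basic

# Check 1: a valid login from the password file.
Require valid-user

# Check 2: the client's own host. Deny is evaluated first and rejects all,
# then Allow re-admits clients whose reverse DNS name ends in .website.com.
# This matches the visitor's machine, not the site that linked to the page.
Order Deny,Allow
Deny from all
Allow from .website.com

# Any = pass check 1 OR check 2. (All would demand both.)
Satisfy Any

# Apache 2.4 and later express the same policy with mod_authz_core:
#   <RequireAny>
#       Require host website.com
#       Require valid-user
#   </RequireAny>
```

In the first post's version, `order allow,deny` evaluates Deny last, so `deny from all` overrides the Allow line and every visitor, including those from website.com, falls through to the password prompt.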