Solved

Apache access control .htaccess

Posted on 2000-03-26
30
637 Views
Last Modified: 2013-12-15
Five web pages have been set a access control by using .htacess (they are in different directory). Is there any way to let someone e.g helpdesk, administrator to access this five pages  (They do not need to login)

.htaccess file for each page
AuthUserFile /usr/local/apache/bin/xxx1 (From xxx1 to xxx5)
AuthName "User name:xx1" (From xxx1 to xxx5)
 AuthType Basic
require valid-user




0
Comment
Question by:edmundli
  • 18
  • 11
30 Comments
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
My understanding of the access control mechanism leads me to believe that once you enable htaccess control of a directory each and every user must log in to the web server to access those pages. I don't believe there's a mechanism that allows you to say that everybody but some system(s) is required to authenticate. There's a good article on user authentication in http://www.apacheweek.com/features/userauth

Tho only way that occurs to me to bypass the authentication requirement would be to create a virtual server, restricted to just the machine(s) that the help desk/administator uses, that doesn't apply the .htaccess files.
0
 

Author Comment

by:edmundli
Comment Utility
How can we do this by uing Virtual server ?

Can you use allow ip to pass through instead of user name ?

0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
I use Apache and all of my web servers are implemented as Named Virtual hosts, so my example will be done with Virtual Hosts. For the example I'll assume that I've got, say, two workstations that need to be able to get to the data without needing to log in (192.168.1.1 & 192.168.1.2). The ordinary server instance that everyone is allowed to access (and is protected by .htaccess files) gets defined like so:

<VirtualHost 192.168.0.3:80>
ServerName protected.domain.net
ServerAdmin admin@domain.net
DocumentRoot "/opt/Apache/htdocs/atd"
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/opt/Apache/htdocs/atd/otr">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>

To let the specific administrative workstations access the data without needing to use a password I create another server instance that points to the same htdocs area, but is restricted to just those IP's, like so:

<VirtualHost 192.168.0.3:80>
ServerName admin-only.domain.net
ServerAdmin admin@domain.net
DocumentRoot "/opt/Apache/htdocs/atd"
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny, allow
    Deny from all
    Allow from 192.168.1.1 192.168.1.2
</Directory>
<Directory "/opt/Apache/htdocs/atd/otr">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny, allow
    Deny from all
    Allow from 192.168.1.1 192.168.1.2
</Directory>

Only those two IP are allowed to access that server instance. It simply won't talk to anybody else. Because I don't invoke the AuthConf directive, the server won't use the .htaccess files.

Using Named Virtual hosts I don't have to multi-home the server, which conserves IP address space and is simpler. I do have to add a CNAME record to the DNS for the second server (the first can be the hostname of the system or it can be a CNAME record also). If you read the Apache docs you'll notice that just about anything you can do in a real server you can also do in a Virtual Host.

Hope this helps...
0
 
LVL 2

Expert Comment

by:bernardh
Comment Utility
on your .htaccess file, try to use the "Satisfy Any" directive

deny from all
allow from .yourdomain.com
AuthType Basic
AuthUserFile /usr/local/apache/conf/htpasswd.users
AuthName "special directory"
require valid-user
satisfy any
0
 

Author Comment

by:edmundli
Comment Utility
Dear Jlevie,

I have tried your method, however it has this error

[Tue Mar 28 11:37:26 2000] [warn] VirtualHost 202.65.1.140:80 overlaps with Virt
ualHost 202.65.1.140:80, the first has precedence, perhaps you need a NameVirtua
lHost directive


My virtual conf is


<VirtualHost 202.65.1.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName neth17.net.alcatel.com.hk
<Directory />
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
 </Directory>
</VirtualHost>


<VirtualHost 202.65.1.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName netadmin.net.alcatel.com.hk
 <Directory />
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 </VirtualHost>
0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
It's telling you what the problem is in the warning.

I just showed the virtual hosts definitions. you must have a "NameVirtualHost 202.65.1.140"  directive in the config file to tell Apache that you aren't using IP aliases. This whole subject is covered in the Apache docs which you ought to already have, but they are also on line at http://www.apache.org/docs/ (see the section on Virtual Hosts).
0
 

Author Comment

by:edmundli
Comment Utility
Hi Jlevie,

There is no error now, but it still ask me to login
When I link to addtional directory.

Remark: I have 5 directory under
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/syndey
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Australia
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Hongkong
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

All of this directories have .htaccess

Is there any thing wrong

My lates files
NameVirtualHost 202.65.1.140

<VirtualHost 202.65.1.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName neth17.net.alcatel.com.hk
<Directory />
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
 </Directory>
</VirtualHost>


 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName netadmin.net.alcatel.com.hk
 <Directory />
   Options Indexes FollowSymLinks
  AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 </VirtualHost>

0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
Are you saying that http://netadmin.net.alcatel.com.hk allows you in okay, but a followed link to some other area of the htdocs tree requires a password? What does the link look like? Is the link of the form HREF="http://neth17.net.alcatel.com.hk/some-html-file"? For something like this to work, all links within the htdocs tree must be relative to the htdocs root (e.g. HREF="some-html" or HREF="subdir/some-html")
0
 

Author Comment

by:edmundli
Comment Utility
Yes, I can get to http://netadmin.net.alcatel.com.hk.

There are five links to five areas in this webpage. When I click one of the e.g. japan, then it will show the auth windows.

This is the same as the http://neth17.net.alcatel.com.hk

The Root directory is

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg

Index.html is located there and

All the web pages info were location

in

usr/local/mrtg/mrtg-2.8.12/stats/mrtg/syndey
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Australia
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Hongkong
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

So when I click link e.g. japan
It point to

http://neth17.net.alcatel.com.hk/japan/japan.html e.g

e.g. hongkong link

it will point
http://neth17.net.alcatel.com.hk/hongkong/hongkong.html

(Remark: In this five directories under mrtg/ .... have five .htaccess which have set own password for users.

Thank You very very much

0
 

Author Comment

by:edmundli
Comment Utility
Adjusted points from 40 to 70
0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
That's the problem. By using the server name in the link, you go through the "password protected" server, and it quite correctly requests a password.

What I do with mrtg is to tell it to use a "stats" directory within my htdocs area so that I can use relative links amoung those pages. A typical mrtg installation looks like:

/opt/Apache/htdocs/netmon        <common data & index.html here
/opt/Apache/htdocs/netmon/run    <mrtg scripts  & config file here
/opt/Apache/htdocs/netmon/images <mrtg bitmaps here
/opt/Apache/htdocs/netmon/dc     <generated stats for DC office
/opt/Apache/htdocs/netmon/servers     <generated stats for local servers

Now I can use HREF's relative to the htdocs root for links. The index.html file at the top level has HREF's line

HREF="dc/gateway.html"
HREF="servers/email.html"

And inside one of the subdirs (dc for instance)I can refer back to the top level like:

HREF="../network-layout.html"

Okay so now all the links are relative to the root of the htdocs tree for what ever servername that I use to get to the data.

Does that help?
0
 

Author Comment

by:edmundli
Comment Utility
Dear Jlevie,

I did the root directory of mrtg

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg

This is my neth137.net,alcatel.com.hk web site.

Since I also do set mrtg will put all the html files under this directory.

Furthermore, I have five connections
Hongkong, japan, korea, france, china

And they are
For Hongkong:  /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/hongkong

For China: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china

For Korea: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/korea

For France: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/france

For Japan : /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

One the link to  http://neth137.net.alcatel.com.hk/hongkong, it will ask for user name and password etc.


I do mak a virtual host with ip allows
which is
http://netadmin.net.alcatel.com.hk
(Same root directory as above)

Once I go
http://netadmin.net.alcatel.com.hk

It is the root page and when I click the hongkong link, it requires user and password ....

I can I do ? We would like to allow helpdesk to access directly without entering password...

Edmund







0
 

Author Comment

by:edmundli
Comment Utility
here is my last part of httpd.conf

NameVirtualHost 202.65.7.140

<VirtualHost 202.65.7.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName neth17.net.alcatel.com.hk
<Directory />
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
 </Directory>
</VirtualHost>

<VirtualHost 202.65.7.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName netadmin.net.alcatel.com.hk
 <Directory />
   Options Indexes FollowSymLinks
  AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 </VirtualHost>

0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
Well, naturally if you use the link " http://neth137.net.alcatel.com.hk/hongkong" it should ask for a password. That say to use the server instance "neth137.net.alcatel.com.hk" which is password protected. That's what I've been trying to say about re-arrainging the html pages and their HREF's so that there won't be any of those kinds of links. Could I see the link definitions on the "root page"?
0
 

Author Comment

by:edmundli
Comment Utility
root page of http://neth137.net.alcatel.com.hk/hongkong is

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/hongkong

It has .htaccess

also it apples to the rest of the case.

e.g japan

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

it also has .htaccess

I try your virtualhost method, it seems that it is the same, although it use      "  AllowOverride None" function, I do not understand as i have limited skill on apache



VirtualHost 202.65.7.140>
                    DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
                    ServerName netadmin.net.alcatel.com.hk
                    <Directory />
                      Options Indexes FollowSymLinks
                     AllowOverride None
                      Order deny,allow
                      Deny from all
                      Allow from 202.65.1.238
                    </Directory>
                    <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
                      Options Indexes FollowSymLinks
                      AllowOverride None
                      Order deny,allow
                      Deny from all
                      Allow from 202.65.1.238
                    </Directory>
                    </VirtualHost>

Edmund
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 40

Expert Comment

by:jlevie
Comment Utility
The difference between the two virtual hosts is in the "AllowOverride" directives. They both use the same htdocs definitions, so the both see the same data.

The one that you reach by the link "http://neth137.net.alcatel.com.hk/hongkong" has "AllowOverride Authconfig". That's what causes that server to request a username/passord for any directories protected by an .htaccess file. The "AuthConfig" option enables the use of .htaccess files.

The other server instance "netadmin.net.alcatel.com.hk " has "AllowOverride None" which disables the use of .htaccess files.  Since the htdocs definitions are the same for both servers, if you go to the link "http://netadmin.net.alcatel.com.hk/hongkong" you'll find that it doesn't require authentication.
0
 

Author Comment

by:edmundli
Comment Utility
No, it does require username and password
0
 

Author Comment

by:edmundli
Comment Utility
If this is the thing that we discuss, i think we have the solution .. but it still ask for password, ... any idea ?
0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
I want to make sure that we are on the same track. If you enter http://netadmin.net.alcatel.com.hk/hongkong into your browser as the URL you are getting a prompt for the password?

If that's what's happening, are you sure that your DNS is correct? I can successfully find the nameservers for alcatel.com.hk, but attempting to resolve either of the two virtual hosts (neth137.net.alcatel.com.hk or netadmin.net.alcatel.com.hk) results in a "Non-existent host/domain" error. My guess is that neth137.net.alcatel.com.hk should be an "A" record in the DNS as the hostname of the system. And netadmin.net.alcatel.com.hk should be a CNAME record pointing to neth137.net.alcatel.com.hk.

Check the dns by doing "nslookup neth137.net.alcatel.com.hk" and "nslookup netadmin.net.alcatel.com.hk" on a Unix system. Both should return 202.65.7.140 as the IP address.
0
 

Author Comment

by:edmundli
Comment Utility
Yes they are return the as ip address, otherwise it will not show the webpage at all.

Both of them are internal machine.

0
 

Author Comment

by:edmundli
Comment Utility

Does it relate to my vitrual host config ?

or .htaccess

AuthUserFile /usr/local/apache/bin/hongkong
  AuthName "Alcanet User name:hongkong"
 AuthType Basic
   require valid-user
0
 

Author Comment

by:edmundli
Comment Utility
Hi Jlevie

I found something, when I disable the first set of virual host, and use

http://netadmin.net.alcatel.com.hk

It works without having username and password

###############Remark the following#########

<VirtualHost 202.65.7.140>
                       DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
                       ServerName neth137.net.alcatel.com.hk
                      <Directory />
                         Options Indexes FollowSymLinks
                         AllowOverride AuthConfig
                         Order allow,deny
                         Allow from all
                      </Directory>
                       <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
                         Options Indexes FollowSymLinks
                         AllowOverride AuthConfig
                         Order allow,deny
                         Allow from all
                       </Directory>
                      </VirtualHost>
############end #############

                      <VirtualHost 202.65.7.140>
                       DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
                       ServerName netadmin.net.alcatel.com.hk
                       <Directory />
                         Options Indexes FollowSymLinks
                        AllowOverride None
                         Order deny,allow
                         Deny from all
                         Allow from 202.65.1.238
                       </Directory>
                       <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
                         Options Indexes FollowSymLinks
                         AllowOverride None
                         Order deny,allow
                         Deny from all
                         Allow from 202.65.1.238
                       </Directory>
                       </VirtualHost>

One more thing that I do not understand is :

when I clieck http://neth137.net.alcatel.com.hk

I still work without having username and password

Edmund
0
 

Author Comment

by:edmundli
Comment Utility
I do check with dns, they can show the same ip address and when I nslookup, it shows they are A type
0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
Uh, are you sure that they are both A records in the DNS? That will appear to work, but it's actually illegal. There can only be one A record for a hostname/IP address. DNS aliases, which is what you need in this case, are created by a CNAME record. Typically the DNS zone file would contain a pair of records something like:

$ORIGIN net.alcatel.com.hk.
....
neth137     IN A     202.65.7.140
netadmin    IN CNAME neth137.net.alcatel.com.hk.

That assumes that the "official name" of the machine is neth137.net.alcatel.com.hk.
0
 

Author Comment

by:edmundli
Comment Utility
Dear jlevie,

I found the error now.

It is because of the webpage, My index page was pointing to neth137.net.alcatel.com.hk, so I did modify to point to netadmin.......

it works now,

But One more thing

How can I set two range of ip in the allow list ?

allow 202.65.7.2 /255.255.255.0 202.65.9.3 /255.255.255.0

I am correct, it looks the first set is working but the second is not

0
 
LVL 40

Expert Comment

by:jlevie
Comment Utility
The index page problem is what I've been trying to get across in my discussions about making the  HREF's (links) within a page be relative to the htdocs root rather than relative to the network. My guess is that you had something like:

<A HREF="neth137.net.alcatel.com.hk/usr/local/mrtg/stats/honkong.html">Honkong</A>

in one of the pages. That naturally takes you to the password protected server. Now you don't want to change the link to netadmin.net.alcatel.com.hk because that will let those who should get a password prompt get to the page without authenticating.

The solution is to make all of the data and mrtg stats areas as sub-dirs of the htdocs directory. Then the link would look like:

<A HREF="stats/honkong.html">Honkong</A>

Note that there's no server name in the link. What happens in this case is that a user that gets to the site via neth137 will be prompted for a password, but a user who goes to the site via netadmin won't be asked for a password. It works that way because the browser actually asks for the page with the site name as a part of the URL, so Apache sees either neth137.net.alcatel.com.hk/stats/honkong.html or netadmin.net.alcatel.com.hk/stats/honkong.html, depending on which site they first went to.

If you want to allow two IP's access the netadmin site use:

AllowFrom 202.65.7.2 202.65.9.3

If you wanted anyone in each of those networks to access the site you'd use:

AllowFrom 202.65.7 202.65.9
  --or--
AllowFrom 202.65.7.0/255.255.255.0 202.65.9.0/255.255.255.0
0
 

Author Comment

by:edmundli
Comment Utility
Yes it works this way,

but one thing that I do not understand is :

when I click

http://neth37.net.alcatel.com.hk

I will show me the web. ( It is with proxy setting under ie/ netscape)

However, when I click

http://netadmin.net.alcatel.com.hk/netadmin.html
(With proxy setting under ie/netscape)

It will show
You don't have permission to access /netadmin.html on this server.


Apache/1.3.9 Server at netadmin.net.alcatel.com.hk Port 80


However if I disable the proxy, it works again !!!!!

How come ?

neth137.net.alcatel.com.hk is ok for prxoy/without proxy. but netadmin does not ....


0
 
LVL 40

Accepted Solution

by:
jlevie earned 70 total points
Comment Utility
If you use a proxy, all of the actual requests to a web server appear to come from the proxy, not from the machine the browser is running on. Since we've restricted the netadmin web server to the administrative machines by IP address, it will refuse access to any other machine (like the IP of theproxy server).
0
 

Author Comment

by:edmundli
Comment Utility
I got it ..

Thank you very very much

May be we can keep in touch each other..

my email is : edmund.li@alcatel.com.hk

Edmund
0
 

Author Comment

by:edmundli
Comment Utility
A lot of afford has been put in from Jlevie

Thanks
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now