Apache access control .htaccess

Five web pages have been set a access control by using .htacess (they are in different directory). Is there any way to let someone e.g helpdesk, administrator to access this five pages  (They do not need to login)

.htaccess file for each page
AuthUserFile /usr/local/apache/bin/xxx1 (From xxx1 to xxx5)
AuthName "User name:xx1" (From xxx1 to xxx5)
 AuthType Basic
require valid-user




edmundliAsked:
Who is Participating?
 
jlevieConnect With a Mentor Commented:
If you use a proxy, all of the actual requests to a web server appear to come from the proxy, not from the machine the browser is running on. Since we've restricted the netadmin web server to the administrative machines by IP address, it will refuse access to any other machine (like the IP of theproxy server).
0
 
jlevieCommented:
My understanding of the access control mechanism leads me to believe that once you enable htaccess control of a directory each and every user must log in to the web server to access those pages. I don't believe there's a mechanism that allows you to say that everybody but some system(s) is required to authenticate. There's a good article on user authentication in http://www.apacheweek.com/features/userauth

Tho only way that occurs to me to bypass the authentication requirement would be to create a virtual server, restricted to just the machine(s) that the help desk/administator uses, that doesn't apply the .htaccess files.
0
 
edmundliAuthor Commented:
How can we do this by uing Virtual server ?

Can you use allow ip to pass through instead of user name ?

0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
jlevieCommented:
I use Apache and all of my web servers are implemented as Named Virtual hosts, so my example will be done with Virtual Hosts. For the example I'll assume that I've got, say, two workstations that need to be able to get to the data without needing to log in (192.168.1.1 & 192.168.1.2). The ordinary server instance that everyone is allowed to access (and is protected by .htaccess files) gets defined like so:

<VirtualHost 192.168.0.3:80>
ServerName protected.domain.net
ServerAdmin admin@domain.net
DocumentRoot "/opt/Apache/htdocs/atd"
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/opt/Apache/htdocs/atd/otr">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>

To let the specific administrative workstations access the data without needing to use a password I create another server instance that points to the same htdocs area, but is restricted to just those IP's, like so:

<VirtualHost 192.168.0.3:80>
ServerName admin-only.domain.net
ServerAdmin admin@domain.net
DocumentRoot "/opt/Apache/htdocs/atd"
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny, allow
    Deny from all
    Allow from 192.168.1.1 192.168.1.2
</Directory>
<Directory "/opt/Apache/htdocs/atd/otr">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny, allow
    Deny from all
    Allow from 192.168.1.1 192.168.1.2
</Directory>

Only those two IP are allowed to access that server instance. It simply won't talk to anybody else. Because I don't invoke the AuthConf directive, the server won't use the .htaccess files.

Using Named Virtual hosts I don't have to multi-home the server, which conserves IP address space and is simpler. I do have to add a CNAME record to the DNS for the second server (the first can be the hostname of the system or it can be a CNAME record also). If you read the Apache docs you'll notice that just about anything you can do in a real server you can also do in a Virtual Host.

Hope this helps...
0
 
bernardhCommented:
on your .htaccess file, try to use the "Satisfy Any" directive

deny from all
allow from .yourdomain.com
AuthType Basic
AuthUserFile /usr/local/apache/conf/htpasswd.users
AuthName "special directory"
require valid-user
satisfy any
0
 
edmundliAuthor Commented:
Dear Jlevie,

I have tried your method, however it has this error

[Tue Mar 28 11:37:26 2000] [warn] VirtualHost 202.65.1.140:80 overlaps with Virt
ualHost 202.65.1.140:80, the first has precedence, perhaps you need a NameVirtua
lHost directive


My virtual conf is


<VirtualHost 202.65.1.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName neth17.net.alcatel.com.hk
<Directory />
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
 </Directory>
</VirtualHost>


<VirtualHost 202.65.1.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName netadmin.net.alcatel.com.hk
 <Directory />
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 </VirtualHost>
0
 
jlevieCommented:
It's telling you what the problem is in the warning.

I just showed the virtual hosts definitions. you must have a "NameVirtualHost 202.65.1.140"  directive in the config file to tell Apache that you aren't using IP aliases. This whole subject is covered in the Apache docs which you ought to already have, but they are also on line at http://www.apache.org/docs/ (see the section on Virtual Hosts).
0
 
edmundliAuthor Commented:
Hi Jlevie,

There is no error now, but it still ask me to login
When I link to addtional directory.

Remark: I have 5 directory under
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/syndey
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Australia
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Hongkong
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

All of this directories have .htaccess

Is there any thing wrong

My lates files
NameVirtualHost 202.65.1.140

<VirtualHost 202.65.1.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName neth17.net.alcatel.com.hk
<Directory />
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
 </Directory>
</VirtualHost>


 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName netadmin.net.alcatel.com.hk
 <Directory />
   Options Indexes FollowSymLinks
  AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 </VirtualHost>

0
 
jlevieCommented:
Are you saying that http://netadmin.net.alcatel.com.hk allows you in okay, but a followed link to some other area of the htdocs tree requires a password? What does the link look like? Is the link of the form HREF="http://neth17.net.alcatel.com.hk/some-html-file"? For something like this to work, all links within the htdocs tree must be relative to the htdocs root (e.g. HREF="some-html" or HREF="subdir/some-html")
0
 
edmundliAuthor Commented:
Yes, I can get to http://netadmin.net.alcatel.com.hk.

There are five links to five areas in this webpage. When I click one of the e.g. japan, then it will show the auth windows.

This is the same as the http://neth17.net.alcatel.com.hk

The Root directory is

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg

Index.html is located there and

All the web pages info were location

in

usr/local/mrtg/mrtg-2.8.12/stats/mrtg/syndey
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Australia
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Hongkong
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

So when I click link e.g. japan
It point to

http://neth17.net.alcatel.com.hk/japan/japan.html e.g

e.g. hongkong link

it will point
http://neth17.net.alcatel.com.hk/hongkong/hongkong.html 

(Remark: In this five directories under mrtg/ .... have five .htaccess which have set own password for users.

Thank You very very much

0
 
edmundliAuthor Commented:
Adjusted points from 40 to 70
0
 
jlevieCommented:
That's the problem. By using the server name in the link, you go through the "password protected" server, and it quite correctly requests a password.

What I do with mrtg is to tell it to use a "stats" directory within my htdocs area so that I can use relative links amoung those pages. A typical mrtg installation looks like:

/opt/Apache/htdocs/netmon        <common data & index.html here
/opt/Apache/htdocs/netmon/run    <mrtg scripts  & config file here
/opt/Apache/htdocs/netmon/images <mrtg bitmaps here
/opt/Apache/htdocs/netmon/dc     <generated stats for DC office
/opt/Apache/htdocs/netmon/servers     <generated stats for local servers

Now I can use HREF's relative to the htdocs root for links. The index.html file at the top level has HREF's line

HREF="dc/gateway.html"
HREF="servers/email.html"

And inside one of the subdirs (dc for instance)I can refer back to the top level like:

HREF="../network-layout.html"

Okay so now all the links are relative to the root of the htdocs tree for what ever servername that I use to get to the data.

Does that help?
0
 
edmundliAuthor Commented:
Dear Jlevie,

I did the root directory of mrtg

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg

This is my neth137.net,alcatel.com.hk web site.

Since I also do set mrtg will put all the html files under this directory.

Furthermore, I have five connections
Hongkong, japan, korea, france, china

And they are
For Hongkong:  /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/hongkong

For China: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china

For Korea: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/korea

For France: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/france

For Japan : /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

One the link to  http://neth137.net.alcatel.com.hk/hongkong, it will ask for user name and password etc.


I do mak a virtual host with ip allows
which is
http://netadmin.net.alcatel.com.hk 
(Same root directory as above)

Once I go
http://netadmin.net.alcatel.com.hk

It is the root page and when I click the hongkong link, it requires user and password ....

I can I do ? We would like to allow helpdesk to access directly without entering password...

Edmund







0
 
edmundliAuthor Commented:
here is my last part of httpd.conf

NameVirtualHost 202.65.7.140

<VirtualHost 202.65.7.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName neth17.net.alcatel.com.hk
<Directory />
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
 </Directory>
</VirtualHost>

<VirtualHost 202.65.7.140>
 DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
 ServerName netadmin.net.alcatel.com.hk
 <Directory />
   Options Indexes FollowSymLinks
  AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
 </Directory>
 </VirtualHost>

0
 
jlevieCommented:
Well, naturally if you use the link " http://neth137.net.alcatel.com.hk/hongkong" it should ask for a password. That say to use the server instance "neth137.net.alcatel.com.hk" which is password protected. That's what I've been trying to say about re-arrainging the html pages and their HREF's so that there won't be any of those kinds of links. Could I see the link definitions on the "root page"?
0
 
edmundliAuthor Commented:
root page of http://neth137.net.alcatel.com.hk/hongkong is

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/hongkong

It has .htaccess

also it apples to the rest of the case.

e.g japan

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

it also has .htaccess

I try your virtualhost method, it seems that it is the same, although it use      "  AllowOverride None" function, I do not understand as i have limited skill on apache



VirtualHost 202.65.7.140>
                    DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
                    ServerName netadmin.net.alcatel.com.hk
                    <Directory />
                      Options Indexes FollowSymLinks
                     AllowOverride None
                      Order deny,allow
                      Deny from all
                      Allow from 202.65.1.238
                    </Directory>
                    <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
                      Options Indexes FollowSymLinks
                      AllowOverride None
                      Order deny,allow
                      Deny from all
                      Allow from 202.65.1.238
                    </Directory>
                    </VirtualHost>

Edmund
0
 
jlevieCommented:
The difference between the two virtual hosts is in the "AllowOverride" directives. They both use the same htdocs definitions, so the both see the same data.

The one that you reach by the link "http://neth137.net.alcatel.com.hk/hongkong" has "AllowOverride Authconfig". That's what causes that server to request a username/passord for any directories protected by an .htaccess file. The "AuthConfig" option enables the use of .htaccess files.

The other server instance "netadmin.net.alcatel.com.hk " has "AllowOverride None" which disables the use of .htaccess files.  Since the htdocs definitions are the same for both servers, if you go to the link "http://netadmin.net.alcatel.com.hk/hongkong" you'll find that it doesn't require authentication.
0
 
edmundliAuthor Commented:
No, it does require username and password
0
 
edmundliAuthor Commented:
If this is the thing that we discuss, i think we have the solution .. but it still ask for password, ... any idea ?
0
 
jlevieCommented:
I want to make sure that we are on the same track. If you enter http://netadmin.net.alcatel.com.hk/hongkong into your browser as the URL you are getting a prompt for the password?

If that's what's happening, are you sure that your DNS is correct? I can successfully find the nameservers for alcatel.com.hk, but attempting to resolve either of the two virtual hosts (neth137.net.alcatel.com.hk or netadmin.net.alcatel.com.hk) results in a "Non-existent host/domain" error. My guess is that neth137.net.alcatel.com.hk should be an "A" record in the DNS as the hostname of the system. And netadmin.net.alcatel.com.hk should be a CNAME record pointing to neth137.net.alcatel.com.hk.

Check the dns by doing "nslookup neth137.net.alcatel.com.hk" and "nslookup netadmin.net.alcatel.com.hk" on a Unix system. Both should return 202.65.7.140 as the IP address.
0
 
edmundliAuthor Commented:
Yes they are return the as ip address, otherwise it will not show the webpage at all.

Both of them are internal machine.

0
 
edmundliAuthor Commented:

Does it relate to my vitrual host config ?

or .htaccess

AuthUserFile /usr/local/apache/bin/hongkong
  AuthName "Alcanet User name:hongkong"
 AuthType Basic
   require valid-user
0
 
edmundliAuthor Commented:
Hi Jlevie

I found something, when I disable the first set of virual host, and use

http://netadmin.net.alcatel.com.hk

It works without having username and password

###############Remark the following#########

<VirtualHost 202.65.7.140>
                       DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
                       ServerName neth137.net.alcatel.com.hk
                      <Directory />
                         Options Indexes FollowSymLinks
                         AllowOverride AuthConfig
                         Order allow,deny
                         Allow from all
                      </Directory>
                       <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
                         Options Indexes FollowSymLinks
                         AllowOverride AuthConfig
                         Order allow,deny
                         Allow from all
                       </Directory>
                      </VirtualHost>
############end #############

                      <VirtualHost 202.65.7.140>
                       DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
                       ServerName netadmin.net.alcatel.com.hk
                       <Directory />
                         Options Indexes FollowSymLinks
                        AllowOverride None
                         Order deny,allow
                         Deny from all
                         Allow from 202.65.1.238
                       </Directory>
                       <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
                         Options Indexes FollowSymLinks
                         AllowOverride None
                         Order deny,allow
                         Deny from all
                         Allow from 202.65.1.238
                       </Directory>
                       </VirtualHost>

One more thing that I do not understand is :

when I clieck http://neth137.net.alcatel.com.hk

I still work without having username and password

Edmund
0
 
edmundliAuthor Commented:
I do check with dns, they can show the same ip address and when I nslookup, it shows they are A type
0
 
jlevieCommented:
Uh, are you sure that they are both A records in the DNS? That will appear to work, but it's actually illegal. There can only be one A record for a hostname/IP address. DNS aliases, which is what you need in this case, are created by a CNAME record. Typically the DNS zone file would contain a pair of records something like:

$ORIGIN net.alcatel.com.hk.
....
neth137     IN A     202.65.7.140
netadmin    IN CNAME neth137.net.alcatel.com.hk.

That assumes that the "official name" of the machine is neth137.net.alcatel.com.hk.
0
 
edmundliAuthor Commented:
Dear jlevie,

I found the error now.

It is because of the webpage, My index page was pointing to neth137.net.alcatel.com.hk, so I did modify to point to netadmin.......

it works now,

But One more thing

How can I set two range of ip in the allow list ?

allow 202.65.7.2 /255.255.255.0 202.65.9.3 /255.255.255.0

I am correct, it looks the first set is working but the second is not

0
 
jlevieCommented:
The index page problem is what I've been trying to get across in my discussions about making the  HREF's (links) within a page be relative to the htdocs root rather than relative to the network. My guess is that you had something like:

<A HREF="neth137.net.alcatel.com.hk/usr/local/mrtg/stats/honkong.html">Honkong</A>

in one of the pages. That naturally takes you to the password protected server. Now you don't want to change the link to netadmin.net.alcatel.com.hk because that will let those who should get a password prompt get to the page without authenticating.

The solution is to make all of the data and mrtg stats areas as sub-dirs of the htdocs directory. Then the link would look like:

<A HREF="stats/honkong.html">Honkong</A>

Note that there's no server name in the link. What happens in this case is that a user that gets to the site via neth137 will be prompted for a password, but a user who goes to the site via netadmin won't be asked for a password. It works that way because the browser actually asks for the page with the site name as a part of the URL, so Apache sees either neth137.net.alcatel.com.hk/stats/honkong.html or netadmin.net.alcatel.com.hk/stats/honkong.html, depending on which site they first went to.

If you want to allow two IP's access the netadmin site use:

AllowFrom 202.65.7.2 202.65.9.3

If you wanted anyone in each of those networks to access the site you'd use:

AllowFrom 202.65.7 202.65.9
  --or--
AllowFrom 202.65.7.0/255.255.255.0 202.65.9.0/255.255.255.0
0
 
edmundliAuthor Commented:
Yes it works this way,

but one thing that I do not understand is :

when I click

http://neth37.net.alcatel.com.hk

I will show me the web. ( It is with proxy setting under ie/ netscape)

However, when I click

http://netadmin.net.alcatel.com.hk/netadmin.html 
(With proxy setting under ie/netscape)

It will show
You don't have permission to access /netadmin.html on this server.


Apache/1.3.9 Server at netadmin.net.alcatel.com.hk Port 80


However if I disable the proxy, it works again !!!!!

How come ?

neth137.net.alcatel.com.hk is ok for prxoy/without proxy. but netadmin does not ....


0
 
edmundliAuthor Commented:
I got it ..

Thank you very very much

May be we can keep in touch each other..

my email is : edmund.li@alcatel.com.hk

Edmund
0
 
edmundliAuthor Commented:
A lot of afford has been put in from Jlevie

Thanks
0
All Courses

From novice to tech pro — start learning today.