Start Free Trial

asked on

Apache access control .htaccess

Five web pages have been set a access control by using .htacess (they are in different directory). Is there any way to let someone e.g helpdesk, administrator to access this five pages (They do not need to login)

.htaccess file for each page
AuthUserFile /usr/local/apache/bin/xxx1 (From xxx1 to xxx5)
AuthName "User name:xx1" (From xxx1 to xxx5)
AuthType Basic
require valid-user

My understanding of the access control mechanism leads me to believe that once you enable htaccess control of a directory each and every user must log in to the web server to access those pages. I don't believe there's a mechanism that allows you to say that everybody but some system(s) is required to authenticate. There's a good article on user authentication in http://www.apacheweek.com/features/userauth

Tho only way that occurs to me to bypass the authentication requirement would be to create a virtual server, restricted to just the machine(s) that the help desk/administator uses, that doesn't apply the .htaccess files.

ASKER

How can we do this by uing Virtual server ?

Can you use allow ip to pass through instead of user name ?

I use Apache and all of my web servers are implemented as Named Virtual hosts, so my example will be done with Virtual Hosts. For the example I'll assume that I've got, say, two workstations that need to be able to get to the data without needing to log in (192.168.1.1 & 192.168.1.2). The ordinary server instance that everyone is allowed to access (and is protected by .htaccess files) gets defined like so:

<VirtualHost 192.168.0.3:80>
ServerName protected.domain.net
ServerAdmin admin@domain.net
DocumentRoot "/opt/Apache/htdocs/atd"
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/opt/Apache/htdocs/atd/otr">
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

To let the specific administrative workstations access the data without needing to use a password I create another server instance that points to the same htdocs area, but is restricted to just those IP's, like so:

<VirtualHost 192.168.0.3:80>
ServerName admin-only.domain.net
ServerAdmin admin@domain.net
DocumentRoot "/opt/Apache/htdocs/atd"
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
Order deny, allow
Deny from all
Allow from 192.168.1.1 192.168.1.2
</Directory>
<Directory "/opt/Apache/htdocs/atd/otr">
Options Indexes FollowSymLinks
AllowOverride None
Order deny, allow
Deny from all
Allow from 192.168.1.1 192.168.1.2
</Directory>

Only those two IP are allowed to access that server instance. It simply won't talk to anybody else. Because I don't invoke the AuthConf directive, the server won't use the .htaccess files.

Using Named Virtual hosts I don't have to multi-home the server, which conserves IP address space and is simpler. I do have to add a CNAME record to the DNS for the second server (the first can be the hostname of the system or it can be a CNAME record also). If you read the Apache docs you'll notice that just about anything you can do in a real server you can also do in a Virtual Host.

Hope this helps...

on your .htaccess file, try to use the "Satisfy Any" directive

deny from all
allow from .yourdomain.com
AuthType Basic
AuthUserFile /usr/local/apache/conf/htpasswd.users
AuthName "special directory"
require valid-user
satisfy any

ASKER

Dear Jlevie,

I have tried your method, however it has this error

[Tue Mar 28 11:37:26 2000] [warn] VirtualHost 202.65.1.140:80 overlaps with Virt
ualHost 202.65.1.140:80, the first has precedence, perhaps you need a NameVirtua
lHost directive

My virtual conf is

<VirtualHost 202.65.1.140>
DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
ServerName neth17.net.alcatel.com.hk
<Directory />
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

<VirtualHost 202.65.1.140>
DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
ServerName netadmin.net.alcatel.com.hk
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 202.65.1.238
</Directory>
<Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 202.65.1.238
</Directory>
</VirtualHost>

It's telling you what the problem is in the warning.

I just showed the virtual hosts definitions. you must have a "NameVirtualHost 202.65.1.140" directive in the config file to tell Apache that you aren't using IP aliases. This whole subject is covered in the Apache docs which you ought to already have, but they are also on line at http://www.apache.org/docs/ (see the section on Virtual Hosts).

ASKER

Hi Jlevie,

There is no error now, but it still ask me to login
When I link to addtional directory.

Remark: I have 5 directory under
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/syndey
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Australia
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Hongkong
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

All of this directories have .htaccess

Is there any thing wrong

My lates files
NameVirtualHost 202.65.1.140

<VirtualHost 202.65.1.140>
DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
ServerName neth17.net.alcatel.com.hk
<Directory />
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
ServerName netadmin.net.alcatel.com.hk
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 202.65.1.238
</Directory>
<Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 202.65.1.238
</Directory>
</VirtualHost>

Are you saying that http://netadmin.net.alcatel.com.hk allows you in okay, but a followed link to some other area of the htdocs tree requires a password? What does the link look like? Is the link of the form HREF="http://neth17.net.alcatel.com.hk/some-html-file"? For something like this to work, all links within the htdocs tree must be relative to the htdocs root (e.g. HREF="some-html" or HREF="subdir/some-html")

ASKER

Yes, I can get to http://netadmin.net.alcatel.com.hk.

There are five links to five areas in this webpage. When I click one of the e.g. japan, then it will show the auth windows.

This is the same as the http://neth17.net.alcatel.com.hk

The Root directory is

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg

Index.html is located there and

All the web pages info were location

in

usr/local/mrtg/mrtg-2.8.12/stats/mrtg/syndey
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Australia
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/Hongkong
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china
/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

So when I click link e.g. japan
It point to

http://neth17.net.alcatel.com.hk/japan/japan.html e.g

e.g. hongkong link

it will point
http://neth17.net.alcatel.com.hk/hongkong/hongkong.html

(Remark: In this five directories under mrtg/ .... have five .htaccess which have set own password for users.

Thank You very very much

ASKER

Adjusted points from 40 to 70

That's the problem. By using the server name in the link, you go through the "password protected" server, and it quite correctly requests a password.

What I do with mrtg is to tell it to use a "stats" directory within my htdocs area so that I can use relative links amoung those pages. A typical mrtg installation looks like:

/opt/Apache/htdocs/netmon <common data & index.html here
/opt/Apache/htdocs/netmon/run <mrtg scripts & config file here
/opt/Apache/htdocs/netmon/images <mrtg bitmaps here
/opt/Apache/htdocs/netmon/dc <generated stats for DC office
/opt/Apache/htdocs/netmon/servers <generated stats for local servers

Now I can use HREF's relative to the htdocs root for links. The index.html file at the top level has HREF's line

HREF="dc/gateway.html"
HREF="servers/email.html"

And inside one of the subdirs (dc for instance)I can refer back to the top level like:

HREF="../network-layout.html"

Okay so now all the links are relative to the root of the htdocs tree for what ever servername that I use to get to the data.

Does that help?

ASKER

Dear Jlevie,

I did the root directory of mrtg

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg

This is my neth137.net,alcatel.com.hk web site.

Since I also do set mrtg will put all the html files under this directory.

Furthermore, I have five connections
Hongkong, japan, korea, france, china

And they are
For Hongkong: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/hongkong

For China: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/china

For Korea: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/korea

For France: /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/france

For Japan : /usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

One the link to http://neth137.net.alcatel.com.hk/hongkong, it will ask for user name and password etc.

I do mak a virtual host with ip allows
which is
http://netadmin.net.alcatel.com.hk
(Same root directory as above)

Once I go
http://netadmin.net.alcatel.com.hk

It is the root page and when I click the hongkong link, it requires user and password ....

I can I do ? We would like to allow helpdesk to access directly without entering password...

Edmund

ASKER

here is my last part of httpd.conf

NameVirtualHost 202.65.7.140

<VirtualHost 202.65.7.140>
DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
ServerName neth17.net.alcatel.com.hk
<Directory />
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

<VirtualHost 202.65.7.140>
DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
ServerName netadmin.net.alcatel.com.hk
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 202.65.1.238
</Directory>
<Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
Options Indexes FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 202.65.1.238
</Directory>
</VirtualHost>

Well, naturally if you use the link " http://neth137.net.alcatel.com.hk/hongkong" it should ask for a password. That say to use the server instance "neth137.net.alcatel.com.hk" which is password protected. That's what I've been trying to say about re-arrainging the html pages and their HREF's so that there won't be any of those kinds of links. Could I see the link definitions on the "root page"?

ASKER

root page of http://neth137.net.alcatel.com.hk/hongkong is

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/hongkong

It has .htaccess

also it apples to the rest of the case.

e.g japan

/usr/local/mrtg/mrtg-2.8.12/stats/mrtg/japan

it also has .htaccess

I try your virtualhost method, it seems that it is the same, although it use "  AllowOverride None" function, I do not understand as i have limited skill on apache

VirtualHost 202.65.7.140>
  DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
  ServerName netadmin.net.alcatel.com.hk
  <Directory />
    Options Indexes FollowSymLinks
   AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 202.65.1.238
  </Directory>
  <Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 202.65.1.238
  </Directory>
  </VirtualHost>

Edmund

The difference between the two virtual hosts is in the "AllowOverride" directives. They both use the same htdocs definitions, so the both see the same data.

The one that you reach by the link "http://neth137.net.alcatel.com.hk/hongkong" has "AllowOverride Authconfig". That's what causes that server to request a username/passord for any directories protected by an .htaccess file. The "AuthConfig" option enables the use of .htaccess files.

The other server instance "netadmin.net.alcatel.com.hk " has "AllowOverride None" which disables the use of .htaccess files. Since the htdocs definitions are the same for both servers, if you go to the link "http://netadmin.net.alcatel.com.hk/hongkong" you'll find that it doesn't require authentication.

ASKER

No, it does require username and password

ASKER

If this is the thing that we discuss, i think we have the solution .. but it still ask for password, ... any idea ?

I want to make sure that we are on the same track. If you enter http://netadmin.net.alcatel.com.hk/hongkong into your browser as the URL you are getting a prompt for the password?

If that's what's happening, are you sure that your DNS is correct? I can successfully find the nameservers for alcatel.com.hk, but attempting to resolve either of the two virtual hosts (neth137.net.alcatel.com.hk or netadmin.net.alcatel.com.hk) results in a "Non-existent host/domain" error. My guess is that neth137.net.alcatel.com.hk should be an "A" record in the DNS as the hostname of the system. And netadmin.net.alcatel.com.hk should be a CNAME record pointing to neth137.net.alcatel.com.hk.

Check the dns by doing "nslookup neth137.net.alcatel.com.hk" and "nslookup netadmin.net.alcatel.com.hk" on a Unix system. Both should return 202.65.7.140 as the IP address.

ASKER

Yes they are return the as ip address, otherwise it will not show the webpage at all.

Both of them are internal machine.

ASKER

Does it relate to my vitrual host config ?

or .htaccess

AuthUserFile /usr/local/apache/bin/hongkong
AuthName "Alcanet User name:hongkong"
AuthType Basic
require valid-user

ASKER

Hi Jlevie

I found something, when I disable the first set of virual host, and use

http://netadmin.net.alcatel.com.hk

It works without having username and password

###############Remark the following#########

<VirtualHost 202.65.7.140>
DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
ServerName neth137.net.alcatel.com.hk
<Directory />
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>
<Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   Order allow,deny
   Allow from all
</Directory>
</VirtualHost>
############end #############

<VirtualHost 202.65.7.140>
DocumentRoot /usr/local/mrtg/mrtg-2.8.12/stats/mrtg
ServerName netadmin.net.alcatel.com.hk
<Directory />
   Options Indexes FollowSymLinks
  AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
</Directory>
<Directory "/usr/local/mrtg/mrtg-2.8.12/stats/mrtg">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
   Allow from 202.65.1.238
</Directory>
</VirtualHost>

One more thing that I do not understand is :

when I clieck http://neth137.net.alcatel.com.hk

I still work without having username and password

Edmund

ASKER

I do check with dns, they can show the same ip address and when I nslookup, it shows they are A type

Uh, are you sure that they are both A records in the DNS? That will appear to work, but it's actually illegal. There can only be one A record for a hostname/IP address. DNS aliases, which is what you need in this case, are created by a CNAME record. Typically the DNS zone file would contain a pair of records something like:

$ORIGIN net.alcatel.com.hk.
....
neth137 IN A 202.65.7.140
netadmin IN CNAME neth137.net.alcatel.com.hk.

That assumes that the "official name" of the machine is neth137.net.alcatel.com.hk.

ASKER

Dear jlevie,

I found the error now.

It is because of the webpage, My index page was pointing to neth137.net.alcatel.com.hk, so I did modify to point to netadmin.......

it works now,

But One more thing

How can I set two range of ip in the allow list ?

allow 202.65.7.2 /255.255.255.0 202.65.9.3 /255.255.255.0

I am correct, it looks the first set is working but the second is not

The index page problem is what I've been trying to get across in my discussions about making the HREF's (links) within a page be relative to the htdocs root rather than relative to the network. My guess is that you had something like:

<A HREF="neth137.net.alcatel.com.hk/usr/local/mrtg/stats/honkong.html">Honkong</A>

in one of the pages. That naturally takes you to the password protected server. Now you don't want to change the link to netadmin.net.alcatel.com.hk because that will let those who should get a password prompt get to the page without authenticating.

The solution is to make all of the data and mrtg stats areas as sub-dirs of the htdocs directory. Then the link would look like:

<A HREF="stats/honkong.html">Honkong</A>

Note that there's no server name in the link. What happens in this case is that a user that gets to the site via neth137 will be prompted for a password, but a user who goes to the site via netadmin won't be asked for a password. It works that way because the browser actually asks for the page with the site name as a part of the URL, so Apache sees either neth137.net.alcatel.com.hk/stats/honkong.html or netadmin.net.alcatel.com.hk/stats/honkong.html, depending on which site they first went to.

If you want to allow two IP's access the netadmin site use:

AllowFrom 202.65.7.2 202.65.9.3

If you wanted anyone in each of those networks to access the site you'd use:

AllowFrom 202.65.7 202.65.9
--or--
AllowFrom 202.65.7.0/255.255.255.0 202.65.9.0/255.255.255.0

ASKER

Yes it works this way,

but one thing that I do not understand is :

when I click

http://neth37.net.alcatel.com.hk

I will show me the web. ( It is with proxy setting under ie/ netscape)

However, when I click

http://netadmin.net.alcatel.com.hk/netadmin.html
(With proxy setting under ie/netscape)

It will show
You don't have permission to access /netadmin.html on this server.

Apache/1.3.9 Server at netadmin.net.alcatel.com.hk Port 80

However if I disable the proxy, it works again !!!!!

How come ?

neth137.net.alcatel.com.hk is ok for prxoy/without proxy. but netadmin does not ....

ASKER CERTIFIED SOLUTION

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ASKER

I got it ..

Thank you very very much

May be we can keep in touch each other..

my email is : edmund.li@alcatel.com.hk

Edmund

ASKER

A lot of afford has been put in from Jlevie

Thanks