.htaccess for script aliased directoriesþ

--_b1047eb8-d0d1-416a-8db6-9db813fd7318_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: 8bit


I am trying to password protect a sub directory within the web space of a domain that is serving site statistics of awstats generated pages. The path to the dir is /home/user1/www/awstats. When testing, I am able to get a username and password prompt for the front page of the site, i.e. for www.mydomain.com, when I place the .htaccess file in www. But I can’t get a functional prompt for www.mydomain.com/awstats when I place the .htaccess in the awstats dir. The login box comes up but it won't accept my username password combo, even though it will accept it when I have the same .htaccess file in the www dir.

I am using the below script alias in the virtual domain conf.d file for this site the awstats directory is located in, so that awstats can generate the log file stats and alias them to the awstats dir which is empty:
ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/

I’m assuming that’s why I can’t get a functional login prompt.

Any suggestions as to how to protect the awstats dir with .htaccess for a script alias’ed directory?
The .htaccess file which I was using and works fine for the main www dir is:

AuthName “/www”
AuthType Basic
AuthUserFile /home/user1/.htpasswd
Require user guest

____________________________________________________________ _____
In a rush? Get real-time answers with Windows Live Messenger.
http://www.windowslive.com/messenger/overview.html?ocid=TXT_ TAGLM_WL_Refresh_realtime_042008
--_b1047eb8-d0d1-416a-8db6-9db813fd7318_
Content-Type: text/html; charset="windows-1256"
Content-Transfer-Encoding: 8bit

I am trying to password protect a sub directory within the web space of a domain that is serving site statistics of awstats generated pages.  The path to the dir is /home/user1/www/awstats.  When testing, I am able to get a username and password prompt for the front page of the site, i.e. for when I place the .htaccess in the awstats dir.  The
login box comes up but it won't accept my username password combo, even though it will accept it when I have the same .htaccess file in the www dir.

I am using the below script alias in the virtual domain conf.d file for this site the awstats directory is located in, so that awstats can generate the log file stats and alias them to the awstats dir which is empty:

ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/

I’m assuming that’s why I can’t get a functional login prompt.

Any suggestions as to how to protect the awstats dir with .htaccess for a script alias’ed directory?

The .htaccess file which I was using and works fine for the main www dir is:

AuthName “/www”

AuthType Basic

AuthUserFile /home/user1/.htpasswd

Require user guest

Re: .htaccess for script aliased directoriesþ

2008/4/24 Pam Astor :
>
>
>
> I am trying to password protect a sub directory within the web space of a
> domain that is serving site statistics of awstats generated pages. The path
> to the dir is /home/user1/www/awstats. When testing, I am able to get a
> username and password prompt for the front page of the site, i.e. for
> www.mydomain.com, when I place the .htaccess file in www. But I can't get a
> functional prompt for www.mydomain.com/awstats when I place the .htaccess in
> the awstats dir. The login box comes up but it won't accept my username
> password combo, even though it will accept it when I have the same .htaccess
> file in the www dir.

See:
http://httpd.apache.org/docs/2.2/howto/htaccess.html

Your problem is that you don't have AllowOverride set correctly for
the relevant directory. But beyond that, you probably don't want to be
using .htaccess at all. Just put the directives in the relevant
section in httpd.conf.

Joshua.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: .htaccess for script aliased directoriesþ

--_e928febc-5b32-44ea-be05-b39b17be10f3_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: 8bit


> > I am trying to password protect a sub directory within the web space of a> > domain that is serving site statistics of awstats generated pages. The path> > to the dir is /home/user1/www/awstats. When testing, I am able to get a> > username and password prompt for the front page of the site, i.e. for> > www.mydomain.com, when I place the .htaccess file in www. But I can't get a> > functional prompt for www.mydomain.com/awstats when I place the .htaccess in> > the awstats dir. The login box comes up but it won't accept my username> > password combo, even though it will accept it when I have the same .htaccess> > file in the www dir.> > See:> http://httpd.apache.org/docs/2.2/howto/htaccess.html> > Your problem is that you don't have AllowOverride set correctly for> the relevant directory.
But beyond that, you probably don't want to be> using .htaccess at all. Just put the directives in the relevant> section in httpd.conf.> > Joshua.
Thanks Joshua,

I read the above DOC you posted thanks. Just to clarify, do you
reccomend that I use the method in the main httpd.conf file
as described in the above, instead ot .htaccess?
____________________________________________________________ _____
Express yourself wherever you are. Mobilize!
http://www.gowindowslive.com/Mobile/Landing/Messenger/Defaul t.aspx?Locale=en-US?ocid=TAG_APRIL
--_e928febc-5b32-44ea-be05-b39b17be10f3_
Content-Type: text/html; charset="windows-1256"
Content-Transfer-Encoding: 8bit






> > I am trying to password protect a sub directory within the web space of a
> > domain that is serving site statistics of awstats generated pages. The path
> > to the dir is /home/user1/www/awstats. When testing, I am able to get a
> > username and password prompt for the front page of the site, i.e. for
> > www.mydomain.com, when I place the .htaccess file in www. But I can't get a
> > functional prompt for www.mydomain.com/awstats when I place the .htaccess in
> > the awstats dir. The login box comes up but it won't accept my username
> > password combo, even though it will accept it when I have the same .htaccess
> > file in the www dir.
>
> See:
> http://httpd.apache.org/docs/2.2/howto/ht
access.html
>
> Your problem is that you don't have AllowOverride set correctly for
> the relevant directory. But beyond that, you probably don't want to be
> using
.htaccess at all. Just put the directives in the relevant
> <Directory> section in httpd.conf.
>
> Joshua.


Thanks Joshua,

 

I read the above DOC you posted thanks.  Just to clarify, do you

reccomend that I use the  method in the main httpd.conf file

as described in the above, instead ot .htaccess?

RE: .htaccess for script aliased directoriesþ

--_ee6ed711-0de6-469a-99fb-6f93f9273e76_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: 8bit






>>> I am trying to password protect a sub directory within the web space of a>>> domain that is serving site statistics of awstats generated pages. The path>> > to the dir is /home/user1/www/awstats. When testing, I am able to get a>> > username and password prompt for the front page of the site, i.e. for>> > www.mydomain.com, when I place the .htaccess file in www. But I can't get a>> > functional prompt for www.mydomain.com/awstats when I place the .htaccess in>> > the awstats dir. The login box comes up but it won't accept my username>> > password combo, even though it will accept it when I have the same .htaccess>> > file in the www dir.>> >> See:>> http://httpd.apache.org/docs/2.2/howto/htaccess.html>> >> Your problem is that you don't have AllowOverride set correctly for>> the releva
nt directory. But beyond that, you probably don't want to be>> using .htaccess at all. Just put the directives in the relevant>> section in httpd.conf.>> >> Joshua.>>Thanks Joshu
a,> >I read the above DOC you posted thanks. Just to clarify, do you>reccomend that I use the method in the main httpd.conf file>as described in the above, instead ot .htaccess?

Oops, just re read your post :) appears that's what you meant.

____________________________________________________________ _____
In a rush? Get real-time answers with Windows Live Messenger.
http://www.windowslive.com/messenger/overview.html?ocid=TXT_ TAGLM_WL_Refresh_realtime_042008
--_ee6ed711-0de6-469a-99fb-6f93f9273e76_
Content-Type: text/html; charset="windows-1256"
Content-Transfer-Encoding: 8bit

>>> I am trying to password protect a sub directory within the web space of a
>>> domain that is serving site statistics of awstats generated pages. The path
>> > to the dir is /home/user1/www/awstats. When testing, I am able to get a
>> > username and password prompt for the front page of the site, i.e. for
>> > www.mydomain.com, when I place the .htaccess file in www. But I can't get a
>> > functional prompt for www.mydomain.com/awstats when I place the .htaccess in
>> > the awstats dir. The login box comes up but it won't accept my username
>> > password combo, even though it will accept it when I have the same .htaccess
>> > file in the www dir.
>>
>> See:
>
> http://httpd.apache.org/docs/2.2/howto/htaccess.html
>>
>> Your problem is that you don't have AllowOverride set correctly for
>> the relevant directory. But
beyond that, you probably don't want to be
>> using .htaccess at all. Just put the directives in the relevant
>> <Directory> section in httpd.conf.
>>
>> Joshua.
>
>Thanks Joshua,
> 
>I read the above DOC you posted thanks.  Just to clarify, do you
>reccomend that I use the  method in the main httpd.conf file
>as described in the above, instead ot .htaccess?

 

Oops, just re read your post :) appears that's what you meant.

 

RE: .htaccess for script aliased directoriesþ

--_01a35848-e73b-41ff-8448-5b597ccf0483_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: 8bit









>>>> I am trying to password protect a sub directory within the web space of a>>>> domain that is serving site statistics of awstats generated pages. The path>>> > to the dir is /home/user1/www/awstats. When testing, I am able to get a>>> > username and password prompt for the front page of the site, i.e. for>>> > www.mydomain.com, when I place the .htaccess file in www. But I can't get a>>> > functional prompt for www.mydomain.com/awstats when I place the .htaccess in>>> > the awstats dir. The login box comes up but it won't accept my username>>> > password combo, even though it will accept it when I have the same .htaccess>>> > file in the www dir.>>> >>> See:>>> http://httpd.apache.org/docs/2.2/howto/htaccess.html>>> >>> Your problem is that you don't have AllowOverride set correctly fo
r>>> the relevant directory. But beyond that, you probably don't want to be>>> using .htaccess at all. Just put the directives in the relevant>>> section in httpd.conf.>>> >>> Jo
shua.>>>>Thanks Joshua,>> >>I read the above DOC you posted thanks. Just to clarify, do you>>reccomend that I use the method in the main httpd.conf file>>as described in the above, instead ot .htaccess?> >Oops, just re read your post :) appears that's what you meant.

OK I took the advice and have been trying to set up http username and password logins without using .htaccess files inside the web accessible directory I am trying to password protect. I checked my AllowOverride settings in httpd.conf and they appear to be set correctly and I’m still not getting a login prompt which accepts the correct username and password I type in for the script aliased directory. I posted all of my AllowOverride settings in the main httpd.conf file at the end of this post.

I am trying to use the tag instead of the tag within individual virtual domain httpd.conf files – files which were enabled by the main httpd.conf file’s “Include conf.d/*.conf” directive. In other words, I have virtual domain files - www.domain1.con.conf , www.domain2.com.conf , and so on in the /etc/httpd/conf.d directory which all contain (so far only) my virtual host tags for those domains.

Is using the tag advisable (or possible), instead of using the tag in my virtual host .conf files to enable username password logins?

I read this as a good method in my Apache 2.0 Wrox book, it’s a bit out dated though, and I’m using Apache 2.2 on a Centos 5.1 box.

The tag I just added to one of my test virtual domain files is this:


AuthName "MembersOnly"
AuthType Basic
AuthUserFile /home/mydirectory/.htpasswd
Require user testuser


The above virtual domain file includes the tag:


ServerAdmin help@blabla.com
DocumentRoot /home/mydirectory/www
ServerName www.blabla.com
ServerAlias blabla.com
ErrorLog logs/blabla.com-error_log
CustomLog logs/blabla.com-access_log combined
ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"


After reloading apache and going to http.www.blabla.com, I did get a popup login box, but when I type in my username and password it won’t take it, even though I’m sure it’s the correct combo created by htpasswd –c .htpasswd testuser.

Any hints or suggestions as to what I am doing wrong?

Below are the AllowOverride settings in httpd.conf:


Options FollowSymLinks
AllowOverride AuthConfig



Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all




Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all



AllowOverride None
Options None
Order allow,deny
Allow from all



AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback




AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en es de fr
ForceLanguagePriority Prefer Fallback





In a rush? Get real-time answers with Windows Live Messenger.
____________________________________________________________ _____
Express yourself wherever you are. Mobilize!
http://www.gowindowslive.com/Mobile/Landing/Messenger/Defaul t.aspx?Locale=en-US?ocid=TAG_APRIL
--_01a35848-e73b-41ff-8448-5b597ccf0483_
Content-Type: text/html; charset="windows-1256"
Content-Transfer-Encoding: 8bit

>>>> I am trying to password protect a sub directory within the web space of a
>>>> domain that is serving site statistics of awstats generated pages. The path
>>> > to the dir is /home/user1/www/awstats. When testing, I am able to get a
>>> > username and password prompt for the front page of the site, i.e. for
>>> > www.mydomain.com, when I place the .htaccess file in www. But I can't get a
>>> > functional prompt for www.mydomain.com/awstats when I place the .htaccess in
>>> > the awstats dir. The login box comes up but it won't accept my username
>>> > password combo, even though it will accept it when I have the same .htaccess
>>> > file in the www dir. R>>>>
>>> See:
>>> http://httpd.apache.org/docs/2.2/howto/htaccess.html
>>>
>>> Your problem is that you don't have AllowOverride s
et correctly for
>>> the relevant directory. But beyond that, you probably don't want to be
>>> using .htaccess at all. Just put the directives in the relevant
>>> <Directory> section in httpd.conf.
>>>
>>> Joshua.
>>
>>Thanks Joshua,
>> 
>>I read the above DOC you posted thanks.  Just to clarify, do you
>>reccomend that I use the  method in the main httpd.conf file
>>as described in the above, instead ot .htaccess?
> 
>Oops, just re read your post :) appears that's
what you meant.

 

OK I took the advice and have been trying to set up http username and password logins without using .htaccess files inside the web accessible directory I am trying to password protect.  I checked my AllowOverride settings in httpd.conf and they appear to be set correctly and I’m still not getting a login prompt which accepts the correct username and password I type in for the script aliased directory.  I posted all of my AllowOverride settings in
the main httpd.conf file at the end of this post.  <
/FONT>

 

I am trying to use the <Location> tag instead of the <Directory> tag within individual virtual domain httpd.conf files – files which were enabled by the main httpd.conf file’s “Include conf.d/*.conf” directive.  In other words, I have virtual domain files -   , and so on in the /etc/httpd/conf.
d directory which all contain (so far only) my virtual host tags for those domains.

 

Is using the <Location> tag advisable (or possible), instead of using the <directory> tag in my virtual host .conf files to enable username password logins? 

 

I read this as a good method in my Apache 2.0 Wrox book, it’s a bit out dated though, and I’m using Apache 2.2 on a Centos 5.1 box.

 

The tag I just added to one of my test virtual domain files is this:

 

<Location /home/mydirectory/www/awstats>

AuthName "MembersOnly"

AuthType Basic

AuthUserFile /home/mydirectory/.htpasswd

Require user testuser

</Location>

 

The above  virtual domain file includes the tag:

 

<VirtualHost 12.345.678.910:80>

   ServerAdmin help@blabla.com

    DocumentRoot /home/mydirectory/www

    ServerName www.blabla.com

    ServerAlias blabla.com

    ErrorLog logs/blabla.com-error_log

   CustomLog logs/blabla.com-access_log combined

ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"

</VirtualHost>

 

After reloading apache and going to http.www.blabla.com, I did get a popup login box, but when I type in my username and password it won’t take it, even though I’m sure it’s the correct combo created by htpasswd –c .htpasswd testuser.

 

Any hints or suggestions as to what I am doing wrong?

 

Below are the AllowOverride settings in httpd.conf:

 

<Directory />

    Options FollowSymLinks

    AllowOverride AuthConfig

</Directory>

 

<Directory "/var/www/html">

    Options Indexes FollowSymLinks

    AllowOverride All

    Order allow,deny

    Allow from all

</Directory>

 

 

<Directory "/var/www/icons">

    Options Indexes MultiViews

    AllowOverride None

    Order allow,deny

    Allow from all

</Directory>

 

<Directory "/var/www/cgi-bin">

    AllowOverride None

    Options None

    Order allow,deny

    Allow from all

</Directory>

 

    <Directory "/var/www/error">

        AllowOverride None

        Options IncludesNoExec

        AddOutputFilter Includes html

        AddHandler type-map var

        Order allow,deny

        Allow from all

        LanguagePriority en es de fr

        ForceLanguagePriority Prefer Fallback

    </Directory>

 

<IfModule mod_include.c>

    <Directory "/var/www/error">

        AllowOverride None

        Options IncludesNoExec

        AddOutputFilter Includes html

        AddHandler type-map var

        Order allow,deny

        Allow from all

        LanguagePriority en es de fr

        ForceLanguagePriority Prefer Fallback

    </Directory>

 

 

---

In a rush?

--_01a35848-e73b-41ff-8448-5b597ccf0483_--

size=3D3> color=3D#000000>[Fri Apr 25 15:20:20 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

size=3D3> color=3D#000000>[Fri Apr 25 15:20:23 =
2008] [error]=20
[client 12.34.678.91] (2)No such file or directory: Could not open =
password=20
file: /home/userdir/htpasswd

size=3D3> color=3D#000000>[Fri Apr 25 15:20:23 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

size=3D3> color=3D#000000>[Fri Apr 25 15:30:10 =
2008] [error]=20
[client 12.34.678.91] (2)No such file or directory: Could not open =
password=20
file: /home/userdir/htpasswd

size=3D3> color=3D#000000>[Fri Apr 25 15:30:10 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

size=3D3> color=3D#000000>[Fri Apr 25 15:30:18 =
2008] [error]=20
[client 12.34.678.91] (2)No such file or directory: Could not open =
password=20
file: /home/userdir/htpasswd

size=3D3> color=3D#000000>[Fri Apr 25 15:30:18 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

size=3D3> color=3D#000000>[Fri Apr 25 15:31:12 =
2008] [error]=20
[client 12.34.678.91] (2)No such file or directory: Could not open =
password=20
file: /home/userdir/htpasswd

size=3D3> color=3D#000000>[Fri Apr 25 15:31:12 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

size=3D3> color=3D#000000>[Fri Apr 25 15:31:27 =
2008] [error]=20
[client 12.34.678.91] (2)No such file or directory: Could not open =
password=20
file: /home/userdir/htpasswd

size=3D3> color=3D#000000>[Fri Apr 25 15:31:27 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

size=3D3> color=3D#000000>[Fri Apr 25 15:35:05 =
2008] [error]=20
[client 12.34.678.91] (2)No such file or directory: Could not open =
password=20
file: /home/userdir/htpasswd

size=3D3> color=3D#000000>[Fri Apr 25 15:35:05 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

size=3D3> color=3D#000000>[Fri Apr 25 15:35:10 =
2008] [error]=20
[client 12.34.678.91] (2)No such file or directory: Could not open =
password=20
file: /home/userdir/htpasswd

size=3D3> color=3D#000000>[Fri Apr 25 15:35:10 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

size=3D3> color=3D#000000>[Fri Apr 25 15:35:18 =
2008] [error]=20
[client 12.34.678.91] (2)No such file or directory: Could not open =
password=20
file: /home/userdir/htpasswd

size=3D3> color=3D#000000>[Fri Apr 25 15:35:18 =
2008] [error]=20
[client 12.34.678.91] access to /awstats/ failed, reason: verification =
of user=20
id 'coder' not configured

New Roman"=20
color=3D#000000 size=3D3>[Fri Apr 25 15:37:58 2008] [error] [client=20
66.103.234.199] File does not exist: =
/home/userdir/www/_vti_bin

Re: .htaccess for script aliased directoriesþ

2008/4/25 Pam Astor :
>
> > I gave you two very specific tasks to do to isolate the problem. Do them.
> >
> > Joshua.
>
> OK, for 1, I requested a non existant test file and this is the result from
> the error log:
>
> [Fri Apr 25 15:38:14 2008] [error] [client 12.345.678.91] File does not
> exist: /home/userdir/www/test

You need to request a non-existent file under awstats to make this meaningful.

> [Fri Apr 25 15:35:18 2008] [error] [client 12.34.678.91] (2)No such file or
> directory: Could not open password file: /home/userdir/htpasswd

That seems pretty clear. Your AuthUserFile directive is configured
incorrectly. It isn't pointing to an actual user file. You've obscured
the configuration in different ways pretty-much every time you've
posted it, which makes it impossible for me to tell you exactly what
it should be.

Joshua.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: .htaccess for script aliased directories

----- Original Message -----
From: "Joshua Slive"
To: ; "Danie Qian"
Sent: Friday, April 25, 2008 3:39 PM
Subject: Re: [users@httpd] .htaccess for script aliased directories


> On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian
> wrote:
>
>>
>> require valid-user
>>
>
> Remove the and lines. They are dangerous. See:
> http://httpd.apache.org/docs/2.2/mod/core.html#limit
>
> Joshua.
>

From the above link I cant find anything dangerous except for the fact that
it limits requests to GET,POST methods, about which my users never
complained. Or, did I miss out anything here?


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: .htaccess for script aliased directories

TGltaXRzIHRoZSByZXF1aXJlIGRpcmVjdGl2ZSB0byB0aG9zZSB2ZXJicyAt IHdoYXQgYWJvdXQg
dGhlIG90aGVycz8gDQpTZW50IGZyb20gbXkgQmxhY2tCZXJyecKuIHdpcmVs ZXNzIGRldmljZQ0K
DQotLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQ0KRnJvbTogIkRhbmllIFFp YW4iIDxkYW5pZWxA
YmVzdG5pbmduaW5nLmNvbT4NCg0KRGF0ZTogRnJpLCAyNSBBcHIgMjAwOCAx NTo1Mzo1OSANClRv
Ojx1c2Vyc0BodHRwZC5hcGFjaGUub3JnPg0KU3ViamVjdDogUmU6IFt1c2Vy c0BodHRwZF0gLmh0
YWNjZXNzIGZvciBzY3JpcHQgYWxpYXNlZCBkaXJlY3Rvcmllcw0KDQoNCi0t LS0tIE9yaWdpbmFs
IE1lc3NhZ2UgLS0tLS0gDQpGcm9tOiAiSm9zaHVhIFNsaXZlIiA8am9zaHVh QHNsaXZlLmNhPg0K
VG86IDx1c2Vyc0BodHRwZC5hcGFjaGUub3JnPjsgIkRhbmllIFFpYW4iIDxk YW5pZWxAYmVzdG5p
bmduaW5nLmNvbT4NClNlbnQ6IEZyaWRheSwgQXByaWwgMjUsIDIwMDggMzoz OSBQTQ0KU3ViamVj
dDogUmU6IFt1c2Vyc0BodHRwZF0gLmh0YWNjZXNzIGZvciBzY3JpcHQgYWxp YXNlZCBkaXJlY3Rv
cmllcw0KDQoNCj4gT24gRnJpLCBBcHIgMjUsIDIwMDggYXQgMzozMiBQTSwg RGFuaWUgUWlhbiA8
ZGFuaWVsQGJlc3RuaW5nbmluZy5jb20+IA0KPiB3cm90ZToNCj4NCj4+ICAg ICAgICAgPExpbWl0
IEdFVCBQT1NUPg0KPj4gICAgICAgICAgICAgICAgIHJlcXVpcmUgdmFsaWQt dXNlcg0KPj4gICAg
ICAgICA8L0xpbWl0Pg0KPg0KPiBSZW1vdmUgdGhlIDxMaW1pdCBHRVQgUE9T VD4gYW5kIDwvTGlt
aXQ+IGxpbmVzLiBUaGV5IGFyZSBkYW5nZXJvdXMuIFNlZToNCj4gaHR0cDov L2h0dHBkLmFwYWNo
ZS5vcmcvZG9jcy8yLjIvbW9kL2NvcmUuaHRtbCNsaW1pdA0KPg0KPiBKb3No dWEuDQo+DQoNCkZy
b20gdGhlIGFib3ZlIGxpbmsgSSBjYW50IGZpbmQgYW55dGhpbmcgZGFuZ2Vy b3VzIGV4Y2VwdCBm
b3IgdGhlIGZhY3QgdGhhdCANCml0IGxpbWl0cyByZXF1ZXN0cyB0byBHRVQs UE9TVCBtZXRob2Rz
LCBhYm91dCB3aGljaCBteSB1c2VycyBuZXZlciANCmNvbXBsYWluZWQuIE9y LCBkaWQgSSBtaXNz
IG91dCBhbnl0aGluZyBoZXJlPyANCg0KDQotLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NClRoZSBv ZmZpY2lhbCBVc2Vy
LVRvLVVzZXIgc3VwcG9ydCBmb3J1bSBvZiB0aGUgQXBhY2hlIEhUVFAgU2Vy dmVyIFByb2plY3Qu
DQpTZWUgPFVSTDpodHRwOi8vaHR0cGQuYXBhY2hlLm9yZy91c2Vyc2xpc3Qu aHRtbD4gZm9yIG1v
cmUgaW5mby4NClRvIHVuc3Vic2NyaWJlLCBlLW1haWw6IHVzZXJzLXVuc3Vi c2NyaWJlQGh0dHBk
LmFwYWNoZS5vcmcNCiAgICIgICBmcm9tIHRoZSBkaWdlc3Q6IHVzZXJzLWRp Z2VzdC11bnN1YnNj
cmliZUBodHRwZC5hcGFjaGUub3JnDQpGb3IgYWRkaXRpb25hbCBjb21tYW5k cywgZS1tYWlsOiB1
c2Vycy1oZWxwQGh0dHBkLmFwYWNoZS5vcmcNCg0K

Re: .htaccess for script aliased directories

Danie Qian wrote:

>----- Original Message ----- From: "Joshua Slive"
>To: ; "Danie Qian"
>Sent: Friday, April 25, 2008 3:39 PM
>Subject: Re: [users@httpd] .htaccess for script aliased directories
>
>
>>On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian wrote:
>>
>>>
>>> require valid-user
>>>
>>
>>Remove the and lines. They are dangerous. See:
>>http://httpd.apache.org/docs/2.2/mod/core.html#limit
>>
>>Joshua.
>
> From the above link I cant find anything dangerous except for the
> fact that it limits requests to GET,POST methods, about which my
> users never complained. Or, did I miss out anything here?
---------------- End original message. ---------------------


No, it does not do what you think.

As you have it in your config, it requires a valid user for only the
GET and POST methods. It ALLOWS all other methods without a valid user.


This opens you up to potential attacks. You want to remove the Limit
directives so ALL methods will require a valid user.


Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: .htaccess for script aliased directories

----- Original Message -----
From: "Dragon"
To:
Sent: Friday, April 25, 2008 3:56 PM
Subject: Re: [users@httpd] .htaccess for script aliased directories


> Danie Qian wrote:
>
>>----- Original Message ----- From: "Joshua Slive"
>>To: ; "Danie Qian"
>>Sent: Friday, April 25, 2008 3:39 PM
>>Subject: Re: [users@httpd] .htaccess for script aliased directories
>>
>>
>>>On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian
>>>wrote:
>>>
>>>>
>>>> require valid-user
>>>>
>>>
>>>Remove the and lines. They are dangerous. See:
>>>http://httpd.apache.org/docs/2.2/mod/core.html#limit
>>>
>>>Joshua.
>>
>> From the above link I cant find anything dangerous except for the fact
>> that it limits requests to GET,POST methods, about which my users never
>> complained. Or, did I miss out anything here?
> ---------------- End original message. ---------------------
>
>
> No, it does not do what you think.
>
> As you have it in your config, it requires a valid user for only the GET
> and POST methods. It ALLOWS all other methods without a valid user.
>
>
> This opens you up to potential attacks. You want to remove the Limit
> directives so ALL methods will require a valid user.
>
>
> Dragon
>

I copied the lines from another server and never thought about it in this
way :)
Thanks everyone for pointing it out for me to eliminate a potential security
problem.


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: .htaccess for script aliased directoriesþ

--_c7d72824-7e0d-4d0d-9294-d80a17e5b18e_
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: 8bit


> > OK, for 1, I requested a non existant test file and this is the result from> > the error log:> >> > [Fri Apr 25 15:38:14 2008] [error] [client 12.345.678.91] File does not> > exist: /home/userdir/www/test> > You need to request a non-existent file under awstats to make this meaningful.

That's what I did. I pointed browser to http://www.mydomain.com/awstats/afasfsafdsafsa and got:

[Fri Apr 25 16:14:12 2008] [error] [client 12.34.567.12] script not found or unable to stat: /usr/local/awstats/wwwroot/cgi-bin/afasfsafdsafsa
Unless I am not understanding you? OK I also pointed my browser to http://www.mydomain.com/fasfdasdfsafda and got:

[Fri Apr 25 16:16:52 2008] [error] [client 12.34.567.12] File does not exist: /home/userdir/www/fasfdasdfsafda

> > [Fri Apr 25 15:35:18 2008] [error] [client 12.34.678.91] (2)No such file or> > directory: Could not open password file: /home/userdir/htpasswd> > That seems pretty clear. Your AuthUserFile directive is configured> incorrectly. It isn't pointing to an actual user file. You've obscured> the configuration in different ways pretty-much every time you've> posted it, which makes it impossible for me to tell you exactly what> it should be.

I checked the AuthUserFile directive, and it's the correct name and location of the htpasswd file.
I even tried changing permissions and ownership on the htpasswd file to apache,
then to the owner of the account,
then back to root, nothing worked.

Unless, am I not supposed to point AuthUserFile to the password file for the user
trying to log in and point it to something else?

> > Joshua.

____________________________________________________________ _____
Spell a grand slam in this game where word skill meets World Series. Get in the game.
http://club.live.com/word_slugger.aspx?icid=word_slugger_wlh m_admod_april08
--_c7d72824-7e0d-4d0d-9294-d80a17e5b18e_
Content-Type: text/html; charset="windows-1256"
Content-Transfer-Encoding: 8bit

> > OK, for 1, I requested a non existant test file and this is the result from
> > the error log:
> >
> > [Fri Apr 25 15:38:14 2008] [error] [client 12.345.678.91] File does not
> > exist: /home/userdir/www/test
>
> You need to request a non-existent file under awstats to make this meaningful.

 That's what I did.  I pointed browser to  and got:

[Fri Apr 25 16:14:12 2008] [error] [client 12.34.567.12] script not found or unable to stat: /usr/local/awstats/wwwroot/cgi-bin/afasfsafdsafsa

Unless I am not understanding you?  OK I also pointed my browser to  and got:

[Fri Apr 25 16:16:52 2008] [error] [client 12.34.567.12] File does not exist: /home/userdir/www/fasfdasdfsafda

> > [Fri Apr 25 15:35:18 2008] [error] [client 12.34.678.91] (2)No such file or
> > directory: Could not open password file: /home/userdir/htpasswd
>
> That seems pretty clear. Your AuthUserFile directive is configured
> incorrectly. It isn't pointing to an actual user file. You've obscured
> the configuration in different ways pretty-much every time you've
> posted it, which makes it impossible for me to tell you exactly what
> it should be.

I checked the AuthUserFile directive, and it's the correct name and location of the htpasswd file.

I even tried changing permissions and ownership on the htpasswd file to apache,

then to the owner of the account,

then back to root, nothing worked.

Unless, am I not supposed to point AuthUserFile to the password file for the user

trying to log in and point it to something else?

>
> Joshua.

Re: .htaccess for script aliased directories

----- Original Message -----
From: "Danie Qian"
To:
Sent: Friday, April 25, 2008 4:16 PM
Subject: Re: [users@httpd] .htaccess for script aliased directories


>
> ----- Original Message -----
> From: "Dragon"
> To:
> Sent: Friday, April 25, 2008 3:56 PM
> Subject: Re: [users@httpd] .htaccess for script aliased directories
>
>
>> Danie Qian wrote:
>>
>>>----- Original Message ----- From: "Joshua Slive"
>>>To: ; "Danie Qian"
>>>Sent: Friday, April 25, 2008 3:39 PM
>>>Subject: Re: [users@httpd] .htaccess for script aliased directories
>>>
>>>
>>>>On Fri, Apr 25, 2008 at 3:32 PM, Danie Qian
>>>>wrote:
>>>>
>>>>>
>>>>> require valid-user
>>>>>
>>>>
>>>>Remove the and lines. They are dangerous. See:
>>>>http://httpd.apache.org/docs/2.2/mod/core.html#limit
>>>>
>>>>Joshua.
>>>
>>> From the above link I cant find anything dangerous except for the fact
>>> that it limits requests to GET,POST methods, about which my users never
>>> complained. Or, did I miss out anything here?
>> ---------------- End original message. ---------------------
>>
>>
>> No, it does not do what you think.
>>
>> As you have it in your config, it requires a valid user for only the GET
>> and POST methods. It ALLOWS all other methods without a valid user.
>>
>>
>> This opens you up to potential attacks. You want to remove the Limit
>> directives so ALL methods will require a valid user.
>>
>>
>> Dragon
>>
>
> I copied the lines from another server and never thought about it in this
> way :)
> Thanks everyone for pointing it out for me to eliminate a potential
> security problem.
>

On second thought, I tested the setting by commentting out the 'require
valid-user' line completely to see what the browsor gets for other methods,
it is actually a 403 forbidden error instead of a open 200. So i guess I was
fine with the GET POST lines - it only triggers a login
prompt for GET & POST while leaving the others forbidden. Am I wrong?


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: .htaccess for script aliased directories

------=_NextPart_000_0EC1_01C8A6F2.D1CA6D60
Content-Type: text/plain;
charset="gb2312"
Content-Transfer-Encoding: quoted-printable

what OS is it you are running?
----- Original Message -----=20
From: Pam Astor=20
To: users@httpd.apache.org=20
Sent: Friday, April 25, 2008 4:25 PM
Subject: RE: [users@httpd] .htaccess for script aliased directories


> > OK, for 1, I requested a non existant test file and this is the =
result from
> > the error log:
> >
> > [Fri Apr 25 15:38:14 2008] [error] [client 12.345.678.91] File =
does not
> > exist: /home/userdir/www/test
>=20
> You need to request a non-existent file under awstats to make this =
meaningful.



That's what I did. I pointed browser to =
http://www.mydomain.com/awstats/afasfsafdsafsa and got:

=20

[Fri Apr 25 16:14:12 2008] [error] [client 12.34.567.12] script not =
found or unable to stat: =
/usr/local/awstats/wwwroot/cgi-bin/afasfsafdsafsa


Unless I am not understanding you? OK I also pointed my browser to =
http://www.mydomain.com/fasfdasdfsafda and got:

=20

[Fri Apr 25 16:16:52 2008] [error] [client 12.34.567.12] File does not =
exist: /home/userdir/www/fasfdasdfsafda

=20

> > [Fri Apr 25 15:35:18 2008] [error] [client 12.34.678.91] (2)No =
such file or
> > directory: Could not open password file: /home/userdir/htpasswd
>=20
> That seems pretty clear. Your AuthUserFile directive is configured
> incorrectly. It isn't pointing to an actual user file. You've =
obscured
> the configuration in different ways pretty-much every time you've
> posted it, which makes it impossible for me to tell you exactly what
> it should be.

=20

I checked the AuthUserFile directive, and it's the correct name and =
location of the htpasswd file.

I even tried changing permissions and ownership on the htpasswd file =
to apache,=20

then to the owner of the account,

then back to root, nothing worked.



Unless, am I not supposed to point AuthUserFile to the password file =
for the user

trying to log in and point it to something else?

=20

>=20
> Joshua.

=20


------------------------------------------------------------ -------------=
-----
Spell a grand slam in this game where word skill meets World Series. =
Get in the game.
------=_NextPart_000_0EC1_01C8A6F2.D1CA6D60
Content-Type: text/html;
charset="gb2312"
Content-Transfer-Encoding: quoted-printable

RE: .htaccess for script aliased directories SOLVED!

--_dd73a611-23b3-428a-808d-89253f700316_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable





Thanks so much Danie!=20
=20
I think the problem was the fact that I was not using double quotes=20
for my path in the Tag. I saw your earlier post - noticed you =
had them,
added them in, and set the path again to the script aliased path and it wor=
ked fine. =20
=20
I was able to get it working with this simple tag:
=20
AuthName "MembersOnly"AuthTy=
pe BasicAuthUserFile "/home/userdir/htpasswd"Require user coderAllowOverrid=
e AuthConfig
=20
I had a hunch it was something simple. Thanks so much!
=20
=20
=20
I just setup awstats a few weeks ago and this setting works for me in the <=
VirtualHost>:
=20
Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/" =
Alias /awstatscss "/usr/local/awstats/wwwroot/css/" Alias /icon "/us=
r/local/awstats/wwwroot/icon/" ScriptAlias /awstats/ "/usr/local/aws=
tats/wwwroot/cgi-bin/" # # This is to permit URL access to sc=
ripts/files in AWStats directory. # stats/wwwroot"> Options None AllowOverride None Order =
allow,deny Allow from all
=20
AuthUserFil=
e "/usr/local/awstats/wwwroot/mypasswordfile" AuthName "Awstats" =
AuthType Basic require valid-use=
r Options None AllowOverride AuthConfig =
Order deny,allow deny from all allow from 216.130.212 =
allow from 216.130.209 allow from 216.130.213 Satisfy any =
skill meets World Series. Get in the game.=20
____________________________________________________________ _____
Express yourself wherever you are. Mobilize!
http://www.gowindowslive.com/Mobile/Landing/Messenger/Defaul t.aspx?Locale=
=3Den-US?ocid=3DTAG_APRIL=

--_dd73a611-23b3-428a-808d-89253f700316_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Thanks so much Danie! 

 

I think the problem was the fact that I was not usi=
ng double quotes

for my path in the <Directory> Tag.  I s=
aw your earlier post - noticed you had them,

added them in, and set the path again to the >script aliased path and it worked fine.  DIV>

 

I was able to get it working with this simple tag:<=
/FONT>

 

<Directory "usr/local/awstats/wwwroot/cgi-bin">
AuthName "Mem=
bersOnly"
AuthType Basic
AuthUserFile "/home/userdir/htpasswd"
Req=
uire user coder
AllowOverride AuthConfig
</Directory>

 

I had a hunch it was something simple.  T T>hanks so much!

 

 

 

I just setup awstats a few weeks ago and this setti=
ng works for me in the <VirtualHost>:

 

        Alias /awstatsclasses "=
/usr/local/awstats/wwwroot/classes/"
      =
;  Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
  =
      Alias /icon "/usr/local/awstats/wwwroot/icon=
/"
        ScriptAlias /awstats/ "/us=
r/local/awstats/wwwroot/cgi-bin/"
      &n=
bsp; #
        # This is to permit UR=
L access to scripts/files in AWStats directory.
    =
    #
        <Dire=
ctory "/usr/local/awstats/wwwroot">
     &nb=
sp;  Options None
        AllowO=
verride None
        Order allow,deny=

        Allow from all
 &nbs=
p;      </Directory>

 

        <Directory "/usr/local/a=
wstats/wwwroot/cgi-bin">
        A=
uthUserFile "/usr/local/awstats/wwwroot/mypasswordfile"
  &nbs=
p;     AuthName "Awstats"
    &n=
bsp;   AuthType Basic
      &nbs=
p; <Limit GET POST>
       &nbs=
p;        require valid-user
 &n=
bsp;      </Limit>
   &nbs=
p;    Options None
      &n=
bsp; AllowOverride AuthConfig
       =
Order deny,allow
        deny from a=
ll
        allow from 216.130.212
=
        allow from 216.130.209
 =
       allow from 216.130.213
  =
      Satisfy any
     =
;   </Directory>skill meets World Series. =3D"http://club.live.com/word_slugger.aspx?icid=3Dword_slugg er_wlhm_admod_a=
pril08" target=3D_blank>Get in the game.