20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#set var="STANDALONE" value="" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#set var="INCLUDED" value="YES" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#if expr="$QUERY_STRING = TOC" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#set var="TOC" value="YES" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#set var="CONTENT" value="" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#else -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#set var="TOC" value="" -->

4ee00532a265bdfb38539d811fcd12d51210ac35Timo Sirainen <!--#set var="CONTENT" value="YES" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#endif -->

0dffa25d211be541ee3c953b23566a1a990789dfTimo Sirainen <!--#set var="STANDALONE" value="YES" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#set var="INCLUDED" value="" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#set var="TOC" value="" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#set var="CONTENT" value="" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen<HTML>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <HEAD>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <TITLE>Apache Server Frequently Asked Questions</TITLE>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen </HEAD>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <BODY

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen BGCOLOR="#FFFFFF"

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen TEXT="#000000"

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen LINK="#0000FF"

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen VLINK="#000080"

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen ALINK="#FF0000"

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen >

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <!--#include virtual="header.html" -->

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <H1 ALIGN="CENTER">Apache Server Frequently Asked Questions</H1>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <P>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen $Revision: 1.4 $ ($Date: 2000/09/12 15:16:45 $)

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen </P>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <P>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen The latest version of this FAQ is always available from the main

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen Apache web site, at

464bb87a4678ef3f37a15d14621e6b4a427b14d2Timo Sirainen &lt;<A

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen HREF="http://www.apache.org/docs/misc/FAQ.html"

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen REL="Help"

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen ><SAMP>http://www.apache.org/docs/misc/FAQ.html</SAMP></A>&gt;.

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen </P>

4fc52b7b25c3d3f42348903e0154840f8761f306Timo Sirainen <P>

4fc52b7b25c3d3f42348903e0154840f8761f306Timo Sirainen If you are reading a text-only version of this FAQ, you may find numbers

4fc52b7b25c3d3f42348903e0154840f8761f306Timo Sirainen enclosed in brackets (such as &quot;[12]&quot;). These refer to the list of

4fc52b7b25c3d3f42348903e0154840f8761f306Timo Sirainen reference URLs to be found at the end of the document. These references

4fc52b7b25c3d3f42348903e0154840f8761f306Timo Sirainen do not appear, and are not needed, for the hypertext version.

4fc52b7b25c3d3f42348903e0154840f8761f306Timo Sirainen </P>

4fc52b7b25c3d3f42348903e0154840f8761f306Timo Sirainen <H2>The Questions</H2>

4fc52b7b25c3d3f42348903e0154840f8761f306Timo Sirainen<OL TYPE="A">

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <LI VALUE="7"><STRONG>Authentication and Access Restrictions</STRONG>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <OL>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <LI><A HREF="#dnsauth">Why isn't restricting access by host or domain name

464bb87a4678ef3f37a15d14621e6b4a427b14d2Timo Sirainen working correctly?</A>

464bb87a4678ef3f37a15d14621e6b4a427b14d2Timo Sirainen </LI>

464bb87a4678ef3f37a15d14621e6b4a427b14d2Timo Sirainen <LI><A HREF="#user-authentication">How do I set up Apache to require

464bb87a4678ef3f37a15d14621e6b4a427b14d2Timo Sirainen a username and password to access certain documents?</A>

464bb87a4678ef3f37a15d14621e6b4a427b14d2Timo Sirainen </LI>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <LI><A HREF="#remote-auth-only">How do I set up Apache to allow access

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen to certain documents only if a site is either a local site

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <EM>or</EM> the user supplies a password and username?</A>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen </LI>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <LI><A HREF="#authauthoritative">Why does my authentication give

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen me a server error?</A>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen </LI>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <LI><A HREF="#auth-on-same-machine">Do I have to keep the (mSQL)

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen authentication information on the same machine?</A>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen </LI>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <LI><A HREF="#msql-slow">Why is my mSQL authentication terribly slow?</A>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen </LI>

20b2d47ed762ca2c009aa37e360af6f223ac71bdTimo Sirainen <LI><A HREF="#passwdauth">Can I use my <SAMP>/etc/passwd</SAMP> file

for Web page authentication?</A>

</LI>

<LI><A HREF="#prompted-twice">Why does Apache ask for my password

twice before serving a file?</a>

</LI>

</OL>

</LI>

</OL>

<HR>

<H2>The Answers</H2>

<H3>G. Authentication and Access Restrictions</H3>

<OL>

<LI><A NAME="dnsauth">

<STRONG>Why isn't restricting access by host or domain name

working correctly?</STRONG>

</A>

<P>

Two of the most common causes of this are:

</P>

<OL>

<LI><STRONG>An error, inconsistency, or unexpected mapping in the DNS

registration</STRONG>

<BR>

This happens frequently: your configuration restricts access to

<SAMP>Host.FooBar.Com</SAMP>, but you can't get in from that host.

The usual reason for this is that <SAMP>Host.FooBar.Com</SAMP> is

actually an alias for another name, and when Apache performs the

address-to-name lookup it's getting the <EM>real</EM> name, not

<SAMP>Host.FooBar.Com</SAMP>. You can verify this by checking the

reverse lookup yourself. The easiest way to work around it is to

specify the correct host name in your configuration.

</LI>

<LI><STRONG>Inadequate checking and verification in your

configuration of Apache</STRONG>

<BR>

If you intend to perform access checking and restriction based upon

the client's host or domain name, you really need to configure

Apache to double-check the origin information it's supplied. You do

this by adding the <SAMP>-DMAXIMUM_DNS</SAMP> clause to the

<SAMP>EXTRA_CFLAGS</SAMP> definition in your

<SAMP>Configuration</SAMP> file. For example:

<P>

<DL>

<DD><CODE>EXTRA_CFLAGS=-DMAXIMUM_DNS</CODE>

</DD>

</DL>

<P></P>

<P>

This will cause Apache to be very paranoid about making sure a

particular host address is <EM>really</EM> assigned to the name it

claims to be. Note that this <EM>can</EM> incur a significant

performance penalty, however, because of all the name resolution

requests being sent to a nameserver.

</P>

</LI>

</OL>

<HR>

</LI>

<LI><A NAME="user-authentication">

<STRONG>How do I set up Apache to require a username and

password to access certain documents?</STRONG>

</A>

<P>

There are several ways to do this; some of the more popular

ones are to use the <A HREF="/mod/mod_auth.html">mod_auth</A>,

<A HREF="/mod/mod_auth_db.html">mod_auth_db</A>, or

<A HREF="/mod/mod_auth_dbm.html">mod_auth_dbm</A> modules.

</P>

<P>

For an explanation on how to implement these restrictions, see

<A HREF="http://www.apacheweek.com/"><CITE>Apache Week</CITE></A>'s

articles on

<A HREF="http://www.apacheweek.com/features/userauth"

><CITE>Using User Authentication</CITE></A>

or

<A HREF="http://www.apacheweek.com/features/dbmauth"

><CITE>DBM User Authentication</CITE></A>.

</P>

<HR>

</LI>

<LI><A NAME="remote-auth-only">

<STRONG>How do I set up Apache to allow access to certain

documents only if a site is either a local site <EM>or</EM>

the user supplies a password and username?</STRONG>

</A>

<P>

Use the <A HREF="/mod/core.html#satisfy">Satisfy</A> directive,

in particular the <CODE>Satisfy Any</CODE> directive, to require

that only one of the access restrictions be met. For example,

adding the following configuration to a <SAMP>.htaccess</SAMP>

or server configuration file would restrict access to people who

either are accessing the site from a host under domain.com or

who can supply a valid username and password:

</P>

<P>

<DL>

<DD><CODE>Deny from all

<BR>

Allow from .domain.com

<BR>

AuthType Basic

<BR>

AuthUserFile /usr/local/apache/conf/htpasswd.users

<BR>

AuthName "special directory"

<BR>

Require valid-user

<BR>

Satisfy any</CODE>

</DD>

</DL>

<P></P>

<P>

See the <A HREF="#user-authentication">user authentication</A>

question and the <A HREF="/mod/mod_access.html">mod_access</A>

module for details on how the above directives work.

</P>

<HR>

</LI>

<LI><A NAME="authauthoritative">

<STRONG>Why does my authentication give me a server error?</STRONG>

</A>

<P>

Under normal circumstances, the Apache access control modules will

pass unrecognized user IDs on to the next access control module in

line. Only if the user ID is recognized and the password is validated

(or not) will it give the usual success or &quot;authentication

failed&quot; messages.

</P>

<P>

However, if the last access module in line 'declines' the validation

request (because it has never heard of the user ID or because it is not

configured), the <SAMP>http_request</SAMP> handler will give one of

the following, confusing, errors:

</P>

<UL>

<LI><SAMP>check access</SAMP>

</LI>

<LI><SAMP>check user. No user file?</SAMP>

</LI>

<LI><SAMP>check access. No groups file?</SAMP>

</LI>

</UL>

<P>

This does <EM>not</EM> mean that you have to add an

'<SAMP>AuthUserFile&nbsp;/dev/null</SAMP>' line as some magazines suggest!

</P>

<P>

The solution is to ensure that at least the last module is authoritative

and <STRONG>CONFIGURED</STRONG>. By default, <SAMP>mod_auth</SAMP> is

authoritative and will give an OK/Denied, but only if it is configured

with the proper <SAMP>AuthUserFile</SAMP>. Likewise, if a valid group

is required. (Remember that the modules are processed in the reverse

order from that in which they appear in your compile-time

<SAMP>Configuration</SAMP> file.)

</P>

<P>

A typical situation for this error is when you are using the

<SAMP>mod_auth_dbm</SAMP>, <SAMP>mod_auth_msql</SAMP>,

<SAMP>mod_auth_mysql</SAMP>, <SAMP>mod_auth_anon</SAMP> or

<SAMP>mod_auth_cookie</SAMP> modules on their own. These are by

default <STRONG>not</STRONG> authoritative, and this will pass the

buck on to the (non-existent) next authentication module when the

user ID is not in their respective database. Just add the appropriate

'<SAMP><EM>XXX</EM>Authoritative yes</SAMP>' line to the configuration.

</P>

<P>

In general it is a good idea (though not terribly efficient) to have the

file-based <SAMP>mod_auth</SAMP> a module of last resort. This allows

you to access the web server with a few special passwords even if the

databases are down or corrupted. This does cost a

file open/seek/close for each request in a protected area.

</P>

<HR>

</LI>

<LI><A NAME="auth-on-same-machine">

<STRONG>Do I have to keep the (mSQL) authentication information

on the same machine?</STRONG>

</A>

<P>

Some organizations feel very strongly about keeping the authentication

information on a different machine than the webserver. With the

<SAMP>mod_auth_msql</SAMP>, <SAMP>mod_auth_mysql</SAMP>, and other SQL

modules connecting to (R)DBMses this is quite possible. Just configure

an explicit host to contact.

</P>

<P>

Be aware that with mSQL and Oracle, opening and closing these database

connections is very expensive and time consuming. You might want to

look at the code in the <SAMP>auth_*</SAMP> modules and play with the

compile time flags to alleviate this somewhat, if your RDBMS licences

allow for it.

</P>

<HR>

</LI>

<LI><A NAME="msql-slow">

<STRONG>Why is my mSQL authentication terribly slow?</STRONG>

</A>

<P>

You have probably configured the Host by specifying a FQHN,

and thus the <SAMP>libmsql</SAMP> will use a full blown TCP/IP socket

to talk to the database, rather than a fast internal device. The

<SAMP>libmsql</SAMP>, the mSQL FAQ, and the <SAMP>mod_auth_msql</SAMP>

documentation warn you about this. If you have to use different

hosts, check out the <SAMP>mod_auth_msql</SAMP> code for

some compile time flags which might - or might not - suit you.

</P>

<HR>

</LI>

<LI><A NAME="passwdauth">

<STRONG>Can I use my <SAMP>/etc/passwd</SAMP> file

for Web page authentication?</STRONG>

</A>

<P>

Yes, you can - but it's a <STRONG>very bad idea</STRONG>. Here are

some of the reasons:

</P>

<UL>

<LI>The Web technology provides no governors on how often or how

rapidly password (authentication failure) retries can be made. That

means that someone can hammer away at your system's

<SAMP>root</SAMP> password using the Web, using a dictionary or

similar mass attack, just as fast as the wire and your server can

handle the requests. Most operating systems these days include

attack detection (such as <EM>n</EM> failed passwords for the same

account within <EM>m</EM> seconds) and evasion (breaking the

connection, disabling the account under attack, disabling

<EM>all</EM> logins from that source, <EM>et cetera</EM>), but the

Web does not.

</LI>

<LI>An account under attack isn't notified (unless the server is

heavily modified); there's no &quot;You have 19483 login

failures&quot; message when the legitimate owner logs in.

</LI>

<LI>Without an exhaustive and error-prone examination of the server

logs, you can't tell whether an account has been compromised.

Detecting that an attack has occurred, or is in progress, is fairly

obvious, though - <EM>if</EM> you look at the logs.

</LI>

<LI>Web authentication passwords (at least for Basic authentication)

generally fly across the wire, and through intermediate proxy

systems, in what amounts to plain text. &quot;O'er the net we

go/Caching all the way;/O what fun it is to surf/Giving my password

away!&quot;

</LI>

<LI>Since HTTP is stateless, information about the authentication is

transmitted <EM>each and every time</EM> a request is made to the

server. Essentially, the client caches it after the first

successful access, and transmits it without asking for all

subsequent requests to the same server.

</LI>

<LI>It's relatively trivial for someone on your system to put up a

page that will steal the cached password from a client's cache

without them knowing. Can you say &quot;password grabber&quot;?

</LI>

</UL>

<P>

If you still want to do this in light of the above disadvantages, the

method is left as an exercise for the reader. It'll void your Apache

warranty, though, and you'll lose all accumulated UNIX guru points.

</P>

<HR>

</LI>

<LI><A NAME="prompted-twice"><STRONG>Why does Apache ask for my password

twice before serving a file?</STRONG></a>

<P>

If the hostname under which you are accessing the server is

different than the hostname specified in the

<A HREF="/mod/core.html#servername"><CODE>ServerName</CODE></A>

directive, then depending on the setting of the

<A HREF="/mod/core.html#usecanonicalname"><CODE>UseCanonicalName</CODE></A>

directive, Apache will redirect you to a new hostname when

constructing self-referential URLs. This happens, for example, in

the case where you request a directory without including the

trailing slash.

</P>

<P>

When this happens, Apache will ask for authentication once under the

original hostname, perform the redirect, and then ask again under the

new hostname. For security reasons, the browser must prompt again

for the password when the host name changes.

</P>

<P>

To eliminate this problem you should

<OL>

<LI>Always use the trailing slash when requesting directories;

<LI>Change the <CODE>ServerName</CODE> to match the name you are

using in the URL; and/or

<LI>Set <CODE>UseCanonicalName off</CODE>.

</OL>

</P>

<HR>

</LI>

</OL>

<!-- Don't forget to add HR tags at the end of each list item.. -->

</BODY>

</HTML>