FAQ-G.html revision ffeb75f44c82228ec2b18b47722f428b91b191e5
<!--#if expr="$FAQMASTER" -->
 <!--#set var="STANDALONE" value="" -->
 <!--#set var="INCLUDED" value="YES" -->
 <!--#if expr="$QUERY_STRING = TOC" -->
  <!--#set var="TOC" value="YES" -->
  <!--#set var="CONTENT" value="" -->
 <!--#else -->
  <!--#set var="TOC" value="" -->
  <!--#set var="CONTENT" value="YES" -->
 <!--#endif -->
<!--#else -->
 <!--#set var="STANDALONE" value="YES" -->
 <!--#set var="INCLUDED" value="" -->
 <!--#set var="TOC" value="" -->
 <!--#set var="CONTENT" value="" -->
<!--#endif -->
<!--#if expr="$STANDALONE" -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
 <HEAD>
  <TITLE>Apache Server Frequently Asked Questions</TITLE>
 </HEAD>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 <BODY
  BGCOLOR="#FFFFFF"
  TEXT="#000000"
  LINK="#0000FF"
  VLINK="#000080"
  ALINK="#FF0000"
 >
<!--#include virtual="header.html" -->
  <H1 ALIGN="CENTER">Apache Server Frequently Asked Questions</H1>
  <P>
  $Revision: 1.4 $ ($Date: 2000/09/12 15:16:45 $)
  </P>
  <P>
  The latest version of this FAQ is always available from the main
  Apache web site, at
  &lt;<A
       HREF="http://www.apache.org/docs/misc/FAQ.html"
       REL="Help"
      ><SAMP>http://www.apache.org/docs/misc/FAQ.html</SAMP></A>&gt;.
  </P>
<!-- Notes about changes: -->
<!-- - If adding a relative link to another part of the -->
<!--   documentation, *do* include the ".html" portion. There's a -->
<!--   good chance that the user will be reading the documentation -->
<!--   on their own system, which may not be configured for -->
<!--   multiviews. -->
<!-- - When adding items, make sure they're put in the right place -->
<!--   and verify that the numbering matches up. -->
<!-- - *Don't* use <PRE></PRE> blocks: they don't appear -->
<!--   correctly in a reliable way when this is converted to text -->
<!--   with Lynx. Use <DL><DD><CODE>xxx<BR>xx</CODE></DD></DL> -->
<!--   blocks inside a <P></P> instead. This is necessary to get -->
<!--   the horizontal and vertical indenting right. -->
<!-- - Don't forget to include an HR tag after the last /P tag -->
<!--   but before the /LI in an item. -->
  <P>
  If you are reading a text-only version of this FAQ, you may find numbers
  enclosed in brackets (such as &quot;[12]&quot;). These refer to the list of
  reference URLs to be found at the end of the document. These references
  do not appear, and are not needed, in the hypertext version.
  </P>
  <H2>The Questions</H2>
<OL TYPE="A">
<!--#endif -->
<!--#if expr="$TOC || $STANDALONE" -->
 <LI VALUE="7"><STRONG>Authentication and Access Restrictions</STRONG>
  <OL>
   <LI><A HREF="#dnsauth">Why isn't restricting access by host or domain name
    working correctly?</A>
   </LI>
   <LI><A HREF="#user-authentication">How do I set up Apache to require
    a username and password to access certain documents?</A>
   </LI>
   <LI><A HREF="#remote-auth-only">How do I set up Apache to allow access
    to certain documents only if a site is either a local site
    <EM>or</EM> the user supplies a password and username?</A>
   </LI>
   <LI><A HREF="#authauthoritative">Why does my authentication give
    me a server error?</A>
   </LI>
   <LI><A HREF="#auth-on-same-machine">Do I have to keep the (mSQL)
    authentication information on the same machine?</A>
   </LI>
   <LI><A HREF="#msql-slow">Why is my mSQL authentication terribly slow?</A>
   </LI>
   <LI><A HREF="#passwdauth">Can I use my <SAMP>/etc/passwd</SAMP> file
    for Web page authentication?</A>
   </LI>
   <LI><A HREF="#prompted-twice">Why does Apache ask for my password
    twice before serving a file?</A>
   </LI>
  </OL>
 </LI>
<!--#endif -->
<!--#if expr="$STANDALONE" -->
</OL>

<HR>

 <H2>The Answers</H2>
<!--#endif -->
<!--#if expr="! $TOC" -->
 <H3>G. Authentication and Access Restrictions</H3>
<OL>

 <LI><A NAME="dnsauth">
  <STRONG>Why isn't restricting access by host or domain name
   working correctly?</STRONG>
  </A>
  <P>
  Two of the most common causes of this are:
  </P>
  <OL>
   <LI><STRONG>An error, inconsistency, or unexpected mapping in the DNS
    registration</STRONG>
    <BR>
    This happens frequently: your configuration restricts access to
    <SAMP>Host.FooBar.Com</SAMP>, but you can't get in from that host.
    The usual reason for this is that <SAMP>Host.FooBar.Com</SAMP> is
    actually an alias for another name, and when Apache performs the
    address-to-name lookup it gets the <EM>real</EM> name, not
    <SAMP>Host.FooBar.Com</SAMP>. You can verify this by checking the
    reverse lookup yourself. The easiest way to work around it is to
    specify the correct (canonical) host name in your configuration.
   </LI>
   <LI><STRONG>Inadequate checking and verification in your
    configuration of Apache</STRONG>
    <BR>
    If you intend to perform access checking and restriction based upon
    the client's host or domain name, you really need to configure
    Apache to double-check the origin information it is supplied with
    (a reverse lookup of the client address followed by a forward lookup
    of the resulting name). You do this by adding the
    <SAMP>-DMAXIMUM_DNS</SAMP> clause to the <SAMP>EXTRA_CFLAGS</SAMP>
    definition in your <SAMP>Configuration</SAMP> file. For example:
    <P>
    <DL>
     <DD><CODE>EXTRA_CFLAGS=-DMAXIMUM_DNS</CODE>
     </DD>
    </DL>
    <P></P>
    <P>
    This will cause Apache to be very paranoid about making sure a
    particular host address is <EM>really</EM> assigned to the name it
    claims to be. Note that this <EM>can</EM> incur a significant
    performance penalty, however, because of all the name resolution
    requests being sent to a nameserver.
    </P>
   </LI>
  </OL>
  <HR>
 </LI>

 <LI><A NAME="user-authentication">
  <STRONG>How do I set up Apache to require a username and
   password to access certain documents?</STRONG>
  </A>
  <P>
  There are several ways to do this; some of the more popular
  ones are to use the <A HREF="/mod/mod_auth.html">mod_auth</A>,
  <A HREF="/mod/mod_auth_db.html">mod_auth_db</A>, or
  <A HREF="/mod/mod_auth_dbm.html">mod_auth_dbm</A> modules.
  </P>
  <P>
  For an explanation of how to implement these restrictions, see
  <A HREF="http://www.apacheweek.com/"><CITE>Apache Week</CITE></A>'s
  articles on
  <A HREF="http://www.apacheweek.com/features/userauth"
   ><CITE>Using User Authentication</CITE></A>
  or
  <A HREF="http://www.apacheweek.com/features/dbmauth"
   ><CITE>DBM User Authentication</CITE></A>.
  </P>
  <HR>
 </LI>

 <LI><A NAME="remote-auth-only">
  <STRONG>How do I set up Apache to allow access to certain
   documents only if a site is either a local site <EM>or</EM>
   the user supplies a password and username?</STRONG>
  </A>
  <P>
  Use the <A HREF="/mod/core.html#satisfy">Satisfy</A> directive,
  in particular the <CODE>Satisfy Any</CODE> directive, to require
  that only one of the access restrictions be met. For example,
  adding the following configuration to a <SAMP>.htaccess</SAMP>
  or server configuration file would restrict access to people who
  either are accessing the site from a host under domain.com or
  who can supply a valid username and password:
  </P>
  <P>
  <DL>
   <DD><CODE>Deny from all
    <BR>
    Allow from .domain.com
    <BR>
    AuthType Basic
    <BR>
    AuthUserFile /usr/local/apache/conf/htpasswd.users
    <BR>
    AuthName "special directory"
    <BR>
    Require valid-user
    <BR>
    Satisfy any</CODE>
   </DD>
  </DL>
  <P></P>
  <P>
  See the <A HREF="#user-authentication">user authentication</A>
  question and the <A HREF="/mod/mod_access.html">mod_access</A>
  module for details on how the above directives work. Note that
  the <CODE>Allow from .domain.com</CODE> line matches on the
  client's host name, so it is subject to the DNS caveats described
  in the <A HREF="#dnsauth">first question</A> of this section, and
  that the <SAMP>AuthUserFile</SAMP> should live outside the document
  tree so that the password file itself can never be served.
  </P>
  <HR>
 </LI>

 <LI><A NAME="authauthoritative">
  <STRONG>Why does my authentication give me a server error?</STRONG>
  </A>
  <P>
  Under normal circumstances, the Apache access control modules will
  pass unrecognized user IDs on to the next access control module in
  line. Only if the user ID is recognized and the password is validated
  (or not) will it give the usual success or &quot;authentication
  failed&quot; messages.
  </P>
  <P>
  However, if the last access module in line 'declines' the validation
  request (because it has never heard of the user ID or because it is not
  configured), the <SAMP>http_request</SAMP> handler will give one of
  the following, confusing, errors:
  </P>
  <UL>
   <LI><SAMP>check access</SAMP>
   </LI>
   <LI><SAMP>check user. No user file?</SAMP>
   </LI>
   <LI><SAMP>check access. No groups file?</SAMP>
   </LI>
  </UL>
  <P>
  This does <EM>not</EM> mean that you have to add an
  '<SAMP>AuthUserFile&nbsp;/dev/null</SAMP>' line as some magazines suggest!
  </P>
  <P>
  The solution is to ensure that at least the last module is authoritative
  and <STRONG>CONFIGURED</STRONG>. By default, <SAMP>mod_auth</SAMP> is
  authoritative and will give an OK/Denied, but only if it is configured
  with the proper <SAMP>AuthUserFile</SAMP>. The same applies to the
  group file if a valid group is required. (Remember that the modules
  are processed in the reverse order from that in which they appear in
  your compile-time <SAMP>Configuration</SAMP> file.)
  </P>
  <P>
  A typical situation for this error is when you are using the
  <SAMP>mod_auth_dbm</SAMP>, <SAMP>mod_auth_msql</SAMP>,
  <SAMP>mod_auth_mysql</SAMP>, <SAMP>mod_auth_anon</SAMP> or
  <SAMP>mod_auth_cookie</SAMP> modules on their own. These are by
  default <STRONG>not</STRONG> authoritative, and will pass the
  buck on to the (non-existent) next authentication module when the
  user ID is not in their respective database. Just add the appropriate
  '<SAMP><EM>XXX</EM>Authoritative yes</SAMP>' line to the configuration.
  </P>
  <P>
  In general it is a good idea (though not terribly efficient) to have the
  file-based <SAMP>mod_auth</SAMP> as a module of last resort. This allows
  you to access the web server with a few special passwords even if the
  databases are down or corrupted. This does cost a
  file open/seek/close for each request in a protected area.
  </P>
  <HR>
 </LI>

 <LI><A NAME="auth-on-same-machine">
  <STRONG>Do I have to keep the (mSQL) authentication information
   on the same machine?</STRONG>
  </A>
  <P>
  Some organizations feel very strongly about keeping the authentication
  information on a different machine than the webserver. With the
  <SAMP>mod_auth_msql</SAMP>, <SAMP>mod_auth_mysql</SAMP>, and other SQL
  modules connecting to (R)DBMSes this is quite possible. Just configure
  an explicit host to contact.
  </P>
  <P>
  Be aware that with mSQL and Oracle, opening and closing these database
  connections is very expensive and time consuming. You might want to
  look at the code in the <SAMP>auth_*</SAMP> modules and play with the
  compile time flags to alleviate this somewhat, if your RDBMS licences
  allow for it.
  </P>
  <HR>
 </LI>

 <LI><A NAME="msql-slow">
  <STRONG>Why is my mSQL authentication terribly slow?</STRONG>
  </A>
  <P>
  You have probably configured the Host by specifying a fully qualified
  host name (FQHN), and thus the <SAMP>libmsql</SAMP> will use a full
  blown TCP/IP socket to talk to the database, rather than a fast
  internal device. The <SAMP>libmsql</SAMP>, the mSQL FAQ, and the
  <SAMP>mod_auth_msql</SAMP> documentation warn you about this. If you
  have to use different hosts, check out the <SAMP>mod_auth_msql</SAMP>
  code for some compile time flags which might - or might not - suit you.
  </P>
  <HR>
 </LI>

 <LI><A NAME="passwdauth">
  <STRONG>Can I use my <SAMP>/etc/passwd</SAMP> file
   for Web page authentication?</STRONG>
  </A>
  <P>
  Yes, you can - but it's a <STRONG>very bad idea</STRONG>. Here are
  some of the reasons:
  </P>
  <UL>
   <LI>The Web technology provides no governors on how often or how
    rapidly password (authentication failure) retries can be made. That
    means that someone can hammer away at your system's
    <SAMP>root</SAMP> password using the Web, using a dictionary or
    similar mass attack, just as fast as the wire and your server can
    handle the requests. Most operating systems these days include
    attack detection (such as <EM>n</EM> failed passwords for the same
    account within <EM>m</EM> seconds) and evasion (breaking the
    connection, disabling the account under attack, disabling
    <EM>all</EM> logins from that source, <EM>et cetera</EM>), but the
    Web does not.
   </LI>
   <LI>An account under attack isn't notified (unless the server is
    heavily modified); there's no &quot;You have 19483 login
    failures&quot; message when the legitimate owner logs in.
   </LI>
   <LI>Without an exhaustive and error-prone examination of the server
    logs, you can't tell whether an account has been compromised.
    Detecting that an attack has occurred, or is in progress, is fairly
    obvious, though - <EM>if</EM> you look at the logs.
   </LI>
   <LI>Web authentication passwords (at least for Basic authentication)
    generally fly across the wire, and through intermediate proxy
    systems, in what amounts to plain text (Basic authentication merely
    base64-encodes the credentials, which any observer can reverse)
    unless the whole connection is encrypted. &quot;O'er the net we
    go/Caching all the way;/O what fun it is to surf/Giving my password
    away!&quot;
   </LI>
   <LI>Since HTTP is stateless, information about the authentication is
    transmitted <EM>each and every time</EM> a request is made to the
    server. Essentially, the client caches it after the first
    successful access, and transmits it without asking for all
    subsequent requests to the same server.
   </LI>
   <LI>It's relatively trivial for someone on your system to put up a
    page that will steal the cached password from a client's cache
    without them knowing. Can you say &quot;password grabber&quot;?
   </LI>
  </UL>
  <P>
  If you still want to do this in light of the above disadvantages, the
  method is left as an exercise for the reader. It'll void your Apache
  warranty, though, and you'll lose all accumulated UNIX guru points.
  </P>
  <HR>
 </LI>
 <LI><A NAME="prompted-twice"><STRONG>Why does Apache ask for my password
   twice before serving a file?</STRONG></A>
  <P>
  If the hostname under which you are accessing the server is
  different from the hostname specified in the
  <A HREF="/mod/core.html#servername"><CODE>ServerName</CODE></A>
  directive, then depending on the setting of the
  <A HREF="/mod/core.html#usecanonicalname"><CODE>UseCanonicalName</CODE></A>
  directive, Apache will redirect you to a new hostname when
  constructing self-referential URLs. This happens, for example, in
  the case where you request a directory without including the
  trailing slash.
  </P>
  <P>
  When this happens, Apache will ask for authentication once under the
  original hostname, perform the redirect, and then ask again under the
  new hostname. For security reasons, the browser must prompt again
  for the password when the host name changes: cached credentials are
  scoped to the host that requested them and are not sent to a
  different one.
  </P>
  <P>
  To eliminate this problem you should:
  </P>
  <OL>
   <LI>Always use the trailing slash when requesting directories;
   </LI>
   <LI>Change the <CODE>ServerName</CODE> to match the name you are
    using in the URL; and/or
   </LI>
   <LI>Set <CODE>UseCanonicalName off</CODE>.
   </LI>
  </OL>
  <HR>
 </LI>

</OL>
<!--#endif -->
<!--#if expr="$STANDALONE" -->
 <!-- Don't forget to add HR tags at the end of each list item. -->

<!--#include virtual="footer.html" -->
</BODY>
</HTML>
<!--#endif -->
