> Hi, > I'd like to restrict access to 1 of several cgi scripts on my > website to > authorized users only. > Problem is, after configuring httpd.conf, .htaccess, .passwd, > anyone can > still run the script. > I created the .passwd file with htpasswd -c myfilename myusername. > Of course, I restarted apache after all changes to httpd.conf with > apachectl restart. No errors. > I've poured over the Apache documentation on their website, > and Googled > all day yesterday, no joy. > The error log shows *nothing* related to execution of this > script. The > access log shows nothing other than the GET line for this script. > Any help would be appreciated. > > Here are some relevant sections from httpd.conf (I'll post the entire > 38k file if allowed.) > > # Dynamic Shared Object (DSO) Support > # > # To be able to use the functionality of a module which was built as a > DSO you > # have to place corresponding `LoadModule' lines at this > location so the > # directives contained in it are actually available _before_ they are > used. > # Statically compiled modules (those listed by `httpd -l') do not need > # to be loaded here. > # > # Example: > # LoadModule foo_module modules/mod_foo.so > # > LoadModule access_module libexec/apache2/mod_access.so > LoadModule auth_module libexec/apache2/mod_auth.so > > [snip] > > # DocumentRoot: The directory out of which you will serve your > # documents. By default, all requests are taken from this > directory, but > # symbolic links and aliases may be used to point to other locations. > # > DocumentRoot "/usr/local/www/data" > > # > # Each directory to which Apache has access can be configured with > respect > # to which services and features are allowed and/or disabled in that > # directory (and its subdirectories). > # > # First, we configure the "default" to be a very restrictive set of > # features. > # > <Directory /> > Options FollowSymLinks > AllowOverride None > </Directory> > <Directory /usr/local/www/cgi-bin> > AllowOverride AuthConfig > </Directory> > > Here is the .htaccess file which resides in /usr/local/www/cgi-bin: > > <Files "myscript.cgi"> > Options ExecCGI > AuthType Basic > AuthName "Password Required" > AuthUserFile /usr/local/www/.passwd # Not the best location for this > file, I know. > Require valid-user > </Files>
Well, I got it working. :-) I'm not perfectly satisfied yet, but I'm much better off than I was. I deleted the .htaccess file and put the directives in httpd.conf. # Each directory to which Apache has access can be configured with respect # to which services and features are allowed and/or disabled in that # directory (and its subdirectories). # # First, we configure the "default" to be a very restrictive set of # features. # <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /usr/local/www/cgi-bin> AllowOverride AuthConfig <Files status.cgi> AuthType Basic AuthName "Restricted File" AuthUserFile /home/charles/.htpasswd Require user charles </Files> </Directory> I still would like to protect an additional script. I tried: <Files status.cgi another.file.pl> That's unsupported. I just tried <Files ~ "\(file1.cgi|file2.pl)$"> Trying to match 2 specific filenames...no joy. The Apache documentation for the Files directive says, "The directives given within this section will be applied to any object with a basename (last component of filename) matching the specified filename." I wonder if that means that I can only match files based on the extension? _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"