RE: Making mod_auth_digest mysql
Lol. I'm using the proper syntax on the server. Just checked.

> -----Original Message-----
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Thursday, February 12, 2009 2:49 PM
> To: modules-dev@httpd.apache.org
> Subject: Re: Making mod_auth_digest mysql
>
> On Thu, Feb 12, 2009 at 2:25 PM, Michele Waldman mmwald...@nyc.rr.com wrote:
> > RewriteCond ${REMOTE_USER} .
> > does not seem to work when the REMOTE_USER is not defined. The statement
> > evaluates to true.
>
> What happens when you use the proper syntax, %{REMOTE_USER}?
>
> --
> Eric Covener
> cove...@gmail.com
Re: Making mod_auth_digest mysql
On Thu, Feb 12, 2009 at 3:27 PM, Michele Waldman mmwald...@nyc.rr.com wrote:
> > > RewriteCond ${REMOTE_USER} .
> > > does not seem to work when the REMOTE_USER is not defined. The statement
> > > evaluates to true.
> >
> > What happens when you use the proper syntax, %{REMOTE_USER}?
>
> Lol. I'm using the proper syntax on the server. Just checked.

Works for me: http://apache.pastebin.ca/1335270

.htaccess:

RewriteEngine on
RewriteCond %{REMOTE_USER} .
RewriteRule .* - [G]

127.0.0.1 - - [12/Feb/2009:15:40:42 --0500] [localhost/sid#954fc98][rid#9578328/initial] (4) RewriteCond: input='' pattern='.' => not-matched

--
Eric Covener
cove...@gmail.com
RE: Making mod_auth_digest mysql
Basically, when a user is logged out, %{REMOTE_USER} is not defined. It seems any RewriteCond using an undefined server environment variable always evaluates to true. I don't want this. I want false if not defined. I'm going to hack apache, if I have to.

Michele

> -----Original Message-----
> From: Michele Waldman [mailto:mmwald...@nyc.rr.com]
> Sent: Thursday, February 12, 2009 3:28 PM
> To: modules-dev@httpd.apache.org
> Subject: RE: Making mod_auth_digest mysql
>
> Lol. I'm using the proper syntax on the server. Just checked.
>
> > -----Original Message-----
> > From: Eric Covener [mailto:cove...@gmail.com]
> > Sent: Thursday, February 12, 2009 2:49 PM
> > To: modules-dev@httpd.apache.org
> > Subject: Re: Making mod_auth_digest mysql
> >
> > On Thu, Feb 12, 2009 at 2:25 PM, Michele Waldman mmwald...@nyc.rr.com wrote:
> > > RewriteCond ${REMOTE_USER} .
> > > does not seem to work when the REMOTE_USER is not defined. The statement
> > > evaluates to true.
> >
> > What happens when you use the proper syntax, %{REMOTE_USER}?
> >
> > --
> > Eric Covener
> > cove...@gmail.com
Re: Making mod_auth_digest mysql
On Thu, Feb 12, 2009 at 3:44 PM, Michele Waldman mmwald...@nyc.rr.com wrote:
> Basically, when a user is logged out, %{REMOTE_USER} is not defined. It seems
> any RewriteCond using an undefined server environment variable always
> evaluates to true. I don't want this. I want false if not defined. I'm going
> to hack apache, if I have to.

That's not the behavior of variables in rewriteconds. Try a simpler testcase.

--
Eric Covener
cove...@gmail.com
Re: Making mod_auth_digest mysql
On Thu, Feb 12, 2009 at 3:49 PM, Michele Waldman mmwald...@nyc.rr.com wrote:
> I'm doing this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} .
> RewriteRule ^.*$ - [S=1]
> RewriteRule ^.*$ http://domain/logged_out.html?%{N} [R]
>
> AuthType Digest
> AuthName account
> AuthUserFile /path/.htpasswd
> Require valid-user
>
> 1) The user is logged in.
> 2) The user logs out.
> 3) In ff, the user hits the backpage button.
> 4) The user gets a dialog box to login rather than being redirected.

HTTP is stateless. You wrote a rule that wants to see if authentication has already occurred, so on some level you're acknowledging that authentication is processed _before_ your rewrite.

When you configure authentication for a resource, the very same code that would authenticate you will immediately prompt you for credentials if they're not provided. This happens before your per-directory rewrites have a chance to do anything.

RewriteLog would likely tell you that the conditions/rules are not evaluated in this scenario, because the 401 is returned before the fixup hook where rewrite runs in per-dir context.

--
Eric Covener
cove...@gmail.com
Re: Making mod_auth_digest mysql
Michele Waldman wrote:
> I'm doing this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} .
> RewriteRule ^.*$ - [S=1]
> RewriteRule ^.*$ http://domain/logged_out.html?%{N} [R]
>
> AuthType Digest
> AuthName account
> AuthUserFile /path/.htpasswd
> Require valid-user
>
> 1) The user is logged in.
> 2) The user logs out.
> 3) In ff, the user hits the backpage button.
> 4) The user gets a dialog box to login rather than being redirected.
>
> Michele

Are you trying to get the user to be redirected if they are not logged in? It shouldn't require hacking apache or rewriting a module. Try turning off the authentication requirement for the /logged_out.html page. Then, on a 401, send them to the login page. Probably similar to:

https://admin.sharktooth.org/account/

In this case, everything except the help files, and the utilities for assisting with logging in have been protected, while these resources have not. Is that what you are after?

--
Joe Lewis
Chief Nerd
SILVERHAWK
http://www.silverhawk.net/
(801) 660-1900
/You know there is a problem with the education system when you realize that out of the 3 R's only one begins with an R. --Dennis Miller/
RE: Making mod_auth_digest mysql
There is no authentication requirement for logged_out; it's in a higher directory.

> -----Original Message-----
> From: Joe Lewis [mailto:j...@joe-lewis.com]
> Sent: Thursday, February 12, 2009 4:46 PM
> To: modules-dev@httpd.apache.org
> Subject: Re: Making mod_auth_digest mysql
>
> Michele Waldman wrote:
> > I'm doing this:
> >
> > RewriteEngine On
> > RewriteCond %{REMOTE_USER} .
> > RewriteRule ^.*$ - [S=1]
> > RewriteRule ^.*$ http://domain/logged_out.html?%{N} [R]
> >
> > AuthType Digest
> > AuthName account
> > AuthUserFile /path/.htpasswd
> > Require valid-user
> >
> > 1) The user is logged in.
> > 2) The user logs out.
> > 3) In ff, the user hits the backpage button.
> > 4) The user gets a dialog box to login rather than being redirected.
> >
> > Michele
>
> Are you trying to get the user to be redirected if they are not logged in?
> It shouldn't require hacking apache or rewriting a module. Try turning off
> the authentication requirement for the /logged_out.html page. Then, on a
> 401, send them to the login page. Probably similar to:
>
> https://admin.sharktooth.org/account/
>
> In this case, everything except the help files, and the utilities for
> assisting with logging in have been protected, while these resources have
> not. Is that what you are after?
>
> --
> Joe Lewis
> Chief Nerd
> SILVERHAWK
> http://www.silverhawk.net/
> (801) 660-1900
> /You know there is a problem with the education system when you realize that out of the 3 R's only one begins with an R. --Dennis Miller/
Re: Making mod_auth_digest mysql
Michele Waldman wrote:
> There is no authentication requirement for logged_out; it's in a higher directory.

Okay, then. I'm afraid I am not understanding everything here. I doubt the wheel needs to be reimplemented, but it seems the push is in that direction. For my feeble mind, can you give a brief overview of what you are trying to accomplish? As I see it, you were creating a mod_auth_digest_mysql. This now feels completely different than just an authentication.

--
Joe Lewis
Chief Nerd
SILVERHAWK
http://www.silverhawk.net/
(801) 660-1900
/They're multi purpose. Not only do they put the clips on, but they take them off. --Pratt Whitney spokesperson explaining why the company charged the Air Force nearly $1,000 for an ordinary pair of pliers./
RE: Making mod_auth_digest mysql
It is different than just authenticating. Due to an htaccess authentication implementation, it requires a work around to prevent those pesky popups the browsers produce.

I'm trying to do a spin on this: http://www.berenddeboer.net/rest/authentication.html

Implementing the mod_auth_digest authenticating against mysql was all part of this.

Michele

> -----Original Message-----
> From: Joe Lewis [mailto:j...@joe-lewis.com]
> Sent: Thursday, February 12, 2009 6:39 PM
> To: modules-dev@httpd.apache.org
> Subject: Re: Making mod_auth_digest mysql
>
> Michele Waldman wrote:
> > There is no authentication requirement for logged_out; it's in a higher directory.
>
> Okay, then. I'm afraid I am not understanding everything here. I doubt the
> wheel needs to be reimplemented, but it seems the push is in that
> direction. For my feeble mind, can you give a brief overview of what you
> are trying to accomplish? As I see it, you were creating a
> mod_auth_digest_mysql. This now feels completely different than just an
> authentication.
>
> --
> Joe Lewis
> Chief Nerd
> SILVERHAWK
> http://www.silverhawk.net/
> (801) 660-1900
> /They're multi purpose. Not only do they put the clips on, but they take them off. --Pratt Whitney spokesperson explaining why the company charged the Air Force nearly $1,000 for an ordinary pair of pliers./
Re: Making mod_auth_digest mysql
Michele Waldman wrote:
> All the actual authentication is fine. I wouldn't rely on cookies for
> security. It sounds like cookies would be a fake security. I was thinking
> about creating a logout cookie. Then, the popup would only happen if the
> user hacked their cookies. Shame on them. But it seems like such a hack to
> me. I dread it.
>
> I'm not seeing in your example how that 401 error would be generated. What
> would the htaccess look like?

[HTACCESS]
#AllowOverride AuthConfig
Order allow,deny
Allow from all
AuthName "Protected System"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldap://localhost/dc=localhost?mail?sub
AuthLDAPBindDN cn=directoryuser,dc=localhost
AuthLDAPBindPassword directoryuserpassword
AuthLDAPGroupAttribute memberuid
AuthCookieName VisitorID
require valid-user
ErrorDocument 401 /account/help/unauthorized.html
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R]
[/HTACCESS]

To document the file - the first stuff is actually for LDAP authentication, and mod_auth_cookie. The utility that sets the cookie never sets the cookie, on which the browser is supposed to remove it when closed. A log out is simply a cookie overwrite.

However, if you wish to demonstrate your apache module programming prowess, you can always create a mod_auth_cookie module that sets a SESSION variable, and then pulls the credentials from the session data rather than from a cookie - it can be as secure as anything out on the Internet today, depending on how you configure it to go. It can be as complex or as simple as you wish to make it. (I prefer simple - it's easier to troubleshoot if you have problems.)

Convoluted?

--
Joe Lewis
Chief Nerd
SILVERHAWK
http://www.silverhawk.net/
(801) 660-1900
/They give you a round bat and they throw a round ball. And tell you to hit it square. -- Willie Stargell/
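Added example, not part of the thread and not Joe's or Michele's configuration: Joe's layout from his two messages above (public pages outside the protected subtree, 401 pointed at a local page) applied to the AuthType Digest setup Michele posted. The directory paths, the realm name "account" and the htdigest file location are assumptions.

```apache
# Added example (not from the thread). Paths and realm are assumptions.
#
# /var/www/site/.htaccess  -- the parent directory holds logged_out.html and
# the login help pages, so this file carries NO Auth* directives at all.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R]

# /var/www/site/account/.htaccess  -- only this subtree is protected.
AuthType Digest
AuthName "account"
# htdigest-format file (assumed path); its realm column must equal the
# AuthName above or every login fails.
AuthUserFile /path/to/.htdigest
Require valid-user

# The 401 is produced by the auth provider in the check_user_id phase, before
# per-directory mod_rewrite runs in fixups, so a RewriteCond on %{REMOTE_USER}
# never sees the logged-out request. Point the 401 at a page OUTSIDE the realm
# instead. ErrorDocument 401 must be a local path; an external URL is refused
# for 401.
ErrorDocument 401 /logged_out.html
```

The 401 still carries the WWW-Authenticate challenge, so a browser shows its credentials dialog first and renders the ErrorDocument body only when the user cancels. On its own this therefore does not remove the popup Michele is trying to avoid, which is why Joe's own site pairs it with a cookie-based provider (the AuthCookieName line in his file).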
RE: Making mod_auth_digest mysql
I don't drink that frequently, but when I do I get chatty, even on the computer.

> -----Original Message-----
> From: Ray Morris [mailto:supp...@bettercgi.com]
> Sent: Sunday, February 08, 2009 8:00 PM
> To: modules-dev@httpd.apache.org
> Subject: Re: Making mod_auth_digest mysql
>
> > Sorry, about the extraneous personal notes. The "I love you" was an
> > exaggeration of "thank you". I kid around. I don't know that people
> > understand that.
>
> No problem - I get a lot of that. :)
>
> > I should never go near a computer when I'm drinking. I also type stuff I
> > regret.
>
> It used to be I shouldn't go around ANYTHING when I was drinking, which was
> pretty often! Then thirteen years ago I found a way that I don't need to
> drink like that any more, thankfully.
>
> --
> Ray B. Morris
> supp...@bettercgi.com
>
> Strongbox - The next generation in site security:
> http://www.bettercgi.com/strongbox/
>
> Throttlebox - Intelligent Bandwidth Control
> http://www.bettercgi.com/throttlebox/
>
> Strongbox / Throttlebox affiliate program:
> http://www.bettercgi.com/affiliates/user/register.php
>
> On 02/08/2009 09:05:54 AM, Michele Waldman wrote:
> > Sorry, about the extraneous personal notes. The "I love you" was an
> > exaggeration of "thank you". I kid around. I don't know that people
> > understand that. I had already started drinking in celebration of
> > finishing my project. I should never go near a computer when I'm
> > drinking. I also type stuff I regret.
> >
> > Thank you again.
> >
> > But, I have to know how does
> >
> > RewriteCond ${REMOTE_USER} .
> >
> > Is the . for any character? Why does it evaluate correctly when undefined
> > and != doesn't?
> >
> > Michele
> >
> > > -----Original Message-----
> > > From: Ray Morris [mailto:supp...@bettercgi.com]
> > > Sent: Friday, February 06, 2009 3:05 PM
> > > To: modules-dev@httpd.apache.org
> > > Subject: Re: Making mod_auth_digest mysql
> > >
> > > > I'm thinking about adding a -e flag for environment variable does not
> > > > exist to httpd on my server. It would return true if the variable
> > > > exists or false, otherwise. Is there a way to already do this?
> > >
> > > For your purpose, you can use:
> > >
> > > RewriteCond %{REMOTE_USER} !.
> > >
> > > or as appropriate:
> > >
> > > RewriteCond %{REMOTE_USER} .
> > >
> > > That will check for any non-empty value by matching at least any single
> > > character.
> > >
> > > > It looks like:
> > > > RewriteCond ${REMOTE_USER} !=
> > > > always evaluates to true if REMOTE_USER does not exist. Am I wrong?
> > >
> > > That's correct, if it doesn't exist, it's not the empty string. What's
> > > in that bucket on your desk? "There is no bucket" is a different answer
> > > than "the bucket is empty". Since you apparently understand SQL, let me
> > > explain that by saying it's the same thing as the difference between
> > > trying to get the value of a column which doesn't exist, which is an
> > > outright error, versus a column with the value 0, versus a text column
> > > with empty text (""), versus an unknown value, represented by NULL. Not
> > > existing isn't the same thing as existing and being empty.
> > >
> > > --
> > > Ray B. Morris
> > > supp...@bettercgi.com
> > >
> > > Strongbox - The next generation in site security:
> > > http://www.bettercgi.com/strongbox/
> > >
> > > Throttlebox - Intelligent Bandwidth Control
> > > http://www.bettercgi.com/throttlebox/
> > >
> > > Strongbox / Throttlebox affiliate program:
> > > http://www.bettercgi.com/affiliates/user/register.php
> > >
> > > On 02/05/2009 10:43:57 PM, Michele Waldman wrote:
> > > > RewriteCond has flags -f -d ... But not -e for exists.
> > > >
> > > > It looks like:
> > > > RewriteCond ${REMOTE_USER} !=
> > > > always evaluates to true if REMOTE_USER does not exist. Am I wrong?
> > > >
> > > > I'm thinking about adding a -e flag for environment variable does not
> > > > exist to httpd on my server. It would return true if the variable
> > > > exists or false, otherwise. Is there a way to already do this?
> > > >
> > > > Thoughts?
> > > >
> > > > Michele
RE: Making mod_auth_digest mysql
I mean to check server environment variables which is what REMOTE_USER is.

I just want to know if the variable is defined on the server then I could do this:

RewriteEngine On
RewriteCond %{REMOTE_USER} -e
RewriteRule ^(.*)$ - [S=1]
RewriteRule ^.*$ http://domain/login.html [R]

Right now when REMOTE_USER is not defined this line gets executed:

RewriteRule ^(.*)$ - [S=1]

I want that line to be skipped if REMOTE_USER has not been defined as a server environment variable. You can see the values in phpinfo(); It is only defined if the user is logged in.

Why would a nonexistent variable evaluate to true?

Michele

> -----Original Message-----
> From: Dave Ingram [mailto:d...@dmi.me.uk]
> Sent: Friday, February 06, 2009 5:55 AM
> To: modules-dev@httpd.apache.org
> Subject: Re: Making mod_auth_digest mysql
>
> The -f and -d flags for RewriteCond are for checking the file system, not
> environment variables, although they can use environment variables if
> necessary. For example:
>
> RewriteCond %{DOCUMENT_ROOT}/%{ENV:foo} -d
>
> would check that the folder named by the environment variable foo exists in
> the document root.
>
> Dave
>
> Michele Waldman wrote:
> > RewriteCond has flags -f -d ... But not -e for exists.
> >
> > It looks like:
> > RewriteCond ${REMOTE_USER} !=
> > always evaluates to true if REMOTE_USER does not exist. Am I wrong?
> >
> > I'm thinking about adding a -e flag for environment variable does not
> > exist to httpd on my server. It would return true if the variable exists
> > or false, otherwise. Is there a way to already do this?
> >
> > Thoughts?
> >
> > Michele
Re: Making mod_auth_digest mysql
On Fri, Feb 6, 2009 at 8:49 AM, Michele Waldman mmwald...@nyc.rr.com wrote:
> I mean to check server environment variables which is what REMOTE_USER is.

This might be better off on us...@httpd.apache.org

> I just want to know if the variable is defined on the server then I could
> do this:
>
> RewriteEngine On
> RewriteCond %{REMOTE_USER} -e

I couldn't find any reference to -e, to check if it's empty you can do != or !^$

> RewriteRule ^(.*)$ - [S=1]
> RewriteRule ^.*$ http://domain/login.html [R]
>
> Right now when REMOTE_USER is not defined this line gets executed:
>
> RewriteRule ^(.*)$ - [S=1]
>
> I want that line to be skipped if REMOTE_USER has not been defined as a
> server environment variable.

In per-vhost context, that will never be set unless you use the lookahead feature.

> You can see the values in phpinfo(); It is only defined if the user is
> logged in.

That processing is later, so REMOTE_USER may be set by then.

> Why would a nonexistent variable evaluate to true?

Unless I'm confused re: -e, it seems like your -e would be interpreted as a regex, but that shouldn't match an empty string AFAICT.

--
Eric Covener
cove...@gmail.com
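Added example, not part of the thread: the spellings of the "is anybody authenticated" test that Ray and Eric describe, shown in the two contexts where mod_rewrite sees different values, next to the two spellings from the thread that do not test the variable at all. The paths /login.html and /account/ are assumptions.

```apache
# Added example (not from the thread). /login.html and /account/ are assumed.

# --- per-directory (.htaccess) context ---
# Authentication has already run by the time per-dir rewrite executes, so
# %{REMOTE_USER} holds the real user name, or '' when nobody authenticated
# (Eric's RewriteLog line shows input=''). There is no -e flag: the
# existence tests (-f -d -s -l, and the subrequest tests -F -U) are all about
# the filesystem or URL space, never about variables.
RewriteEngine On

# '.' matches one character of any kind, so it means "non-empty"; '!.' is its
# negation (Ray's form). '!^$' says the same thing.
RewriteCond %{REMOTE_USER} !.
RewriteRule ^.*$ /login.html [R,L]

# Equivalent using the skip trick from Michele's rule set: positive test + [S=1].
# RewriteCond %{REMOTE_USER} .
# RewriteRule ^.*$ - [S=1]
# RewriteRule ^.*$ /login.html [R,L]

# --- server / <VirtualHost> context ---
# Here mod_rewrite runs in translate_name, before any authentication, so
# %{REMOTE_USER} is always empty. LA-U: sends a look-ahead subrequest through
# the later phases and reads the value authentication would produce.
# <VirtualHost *:443>
#     RewriteEngine On
#     RewriteCond %{LA-U:REMOTE_USER} !.
#     RewriteRule ^/account/ /login.html [R,L]
# </VirtualHost>

# Two spellings from the thread that never look at the variable:
#   RewriteCond ${REMOTE_USER} .     ${...} is RewriteMap lookup syntax
#                                    (${mapname:key}), not a variable reference
#   RewriteCond %{REMOTE_USER} -e    -e is not a flag, so it is read as the
#                                    regex "-e", which '' does not match
```

Enable RewriteLog at level 4 (as in Eric's capture) while testing; the `input='...' pattern='...'` line shows exactly what string the condition compared, which is the fastest way to tell a wrong variable spelling from a wrong pattern.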
Re: Making mod_auth_digest mysql
The -f and -d flags for RewriteCond are for checking the file system, not environment variables, although they can use environment variables if necessary. For example:

RewriteCond %{DOCUMENT_ROOT}/%{ENV:foo} -d

would check that the folder named by the environment variable foo exists in the document root.

Dave

Michele Waldman wrote:
> RewriteCond has flags -f -d ... But not -e for exists.
>
> It looks like:
> RewriteCond ${REMOTE_USER} !=
> always evaluates to true if REMOTE_USER does not exist. Am I wrong?
>
> I'm thinking about adding a -e flag for environment variable does not
> exist to httpd on my server. It would return true if the variable exists
> or false, otherwise. Is there a way to already do this?
>
> Thoughts?
>
> Michele
Re: Making mod_auth_digest mysql
2009/2/1 Michele Waldman mmwald...@nyc.rr.com:

The userlist (http://httpd.apache.org/userslist.html) might be a better place, but...

> I want to do the following in htaccess for account security:
>
> FilesMatch .*[^(wp_login.php|logout.php)]

That would not do what it should do. [^...] is a negated character class to exclude certain characters but not a specific string. You'll need a negative lookahead

FilesMatch ^(?!wp_login\.php|logout\.php)

> Basic authentication doesn't remember the authtype, but Digest does.

AuthType? AuthName, I guess.

> I'm connecting over a secure certificate. I believe a user could possibly
> telnet and send an authorization header?

I'd expect that you/your module would require SSL/TLS, but if a client sends an authorization request header which contains 'Account', you'd authenticate. Not very secure?!

> I want to know the risk of them getting or guessing the right AuthType
> under these circumstances.

If you're requesting wp_login.php AuthName should be served. Of course, someone needs to know that; you could perform a probability calculation, of course. Expect the unexpected.

> The point of this is to avoid the ugly popups that require authentication
> causes.

How do you convince the client to send an authorization request header? Via such a popup for wp_login.php. Once authenticated the popup shouldn't appear for that session and realm but I guess your point is that no one should see that they can authenticate except they are using the back door link wp_login.php?

> Does anyone have any suggestions on a better approach?

May be. If my last assumption is your point modify/write an auth module which replies with a
- 401
  - for certain URLs (e.g. /wp_login.php) if no authorization header was present or
  - for all URLs if an authorization header was present but the credentials didn't match;
or with a
- 403 if the condition for a 401 didn't match.

The bottom line would be that the client is either authenticated or receives a 403 forbidden instead of a 401.

Bob
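Added example, not part of the thread: Bob's negative-lookahead FilesMatch in a complete .htaccess, with an end anchor added so that only the two exact script names stay public, and Michele's original pattern kept in a comment with what it actually matches. The realm name "account" and the htdigest path are assumptions.

```apache
# Added example (not from the thread). Realm and file path are assumptions.

# Michele's pattern. [^...] is a negated character CLASS: it excludes the
# individual characters w p _ l o g i n . h t u ( ) | rather than the two
# names, so which files end up protected is decided character by character.
# Any name built only from those characters (login.php, for instance) escapes
# the match and stays public, which is not what the rule was meant to say.
#   <FilesMatch ".*[^(wp_login.php|logout.php)]">

# Bob's negative lookahead, with a trailing $ inside it so that only the two
# exact names are public. Without the $, wp_login.php.bak or logout.php~
# would also fail the lookahead and be served without authentication.
<FilesMatch "^(?!(wp_login|logout)\.php$)">
    AuthType Digest
    AuthName "account"
    AuthUserFile /path/to/.htdigest
    Require valid-user
</FilesMatch>
```

<FilesMatch> is applied to the final path component only, so the pattern above decides by basename; a public login script placed in a subdirectory would still match the lookahead by its own name, which is the behaviour wanted here, but it means the exclusion list, not the directory layout, is what keeps the rest of the tree protected.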