httpd.conf and securing website


Heiner Wurbs

Sunday 20 August 2006 10:26:52 am

Hi !
I want to completely secure an eZ publish installation with an httpd password:

    AuthType Basic
    AuthName "eZ publish installation"

    AuthUserFile /usr/local/apache/passwords
    Require valid-user

But it doesn't work :( It displays the content without the images, but I can navigate through the website!
Any help ?
Heiner

Claudia Kosny

Sunday 20 August 2006 1:57:06 pm

Hello Heiner,

your .htaccess file works fine for me.
So I would try the following:
Make sure that your Apache reads the file at all. The easiest way to do that is to insert an error in the file and load a webpage that should be protected by the .htaccess. If you get a 500 - server error, your webserver reads the file just fine; if not, check your httpd.conf.
Also check whether your httpd.conf file permits the usage of .htaccess files, especially the authentication.
Make sure that Apache has access to the password file; maybe the path is not accessible (especially if you use public webhosting). Although in this case you should get a login prompt but should not be able to log in at all...

Greetings from Luxembourg

Claudia

Heiner Wurbs

Monday 21 August 2006 12:52:06 am

Hi Claudia,

thanks for your reply! Nice that it works for you, so there is only a small thing missing :) It does not work on my vhost. I can modify the complete httpd.conf and the vhosts, so I post the VirtualHost configuration; maybe you will see the error. The login prompt is displayed, but if I cancel it three times, I can see the content delivered by index.php without any images and styles. Something with the rewrite module?

    <VirtualHost 111.222.333.444:80>

        ServerName myserver.com
        ServerAlias myserver.com

        DocumentRoot /srv/www/htdocs/web20/html

        <Directory /srv/www/htdocs/web20>
            Options FollowSymLinks
            AllowOverride None

            AuthType Basic
            AuthName "eZ publish installation"

            AuthUserFile /usr/local/apache/passwords
            Require valid-user
        </Directory>

        php_admin_flag safe_mode Off
        php_admin_value register_globals    0
        php_value magic_quotes_gpc  0
        php_value magic_quotes_runtime  0
        php_value allow_call_time_pass_reference 0

        php_admin_value memory_limit 90M

        DirectoryIndex index.php

        <IfModule mod_rewrite.c>
            RewriteEngine On
            Rewriterule ^/var/storage/.* - [L]
            Rewriterule ^/var/[^/]+/storage/.* - [L]
            RewriteRule ^/var/cache/texttoimage/.* - [L]
            RewriteRule ^/var/[^/]+/cache/texttoimage/.* - [L]
            Rewriterule ^/design/[^/]+/(stylesheets|images|javascript)/.* - [L]
            Rewriterule ^/share/icons/.* - [L]
            Rewriterule ^/extension/[^/]+/design/[^/]+/(stylesheets|images|javascripts?)/.* - [L]
            Rewriterule ^/packages/styles/.+/(stylesheets|images|javascript)/[^/]+/.* - [L]
            RewriteRule ^/packages/styles/.+/thumbnail/.* - [L]
            RewriteRule ^/favicon\.ico - [L]
            RewriteRule ^/robots\.txt - [L]
            # Uncomment the following lines when using popup style debug.
            # RewriteRule ^/var/cache/debug\.html.* - [L]
            # RewriteRule ^/var/[^/]+/cache/debug\.html.* - [L]
            RewriteRule .* /index.php
        </IfModule>

        CustomLog /srv/www/htdocs/web20/log/access_log confixx2
    </VirtualHost>

Thanks !
Heiner

Claudia Kosny

Monday 21 August 2006 2:51:02 am

Hello Heiner,

The only thing I can say (again) is that it works well for me (on a Windows machine)... The only way I could kind of recreate your problem is to set the directory in the part where you set the authentication to the 'design' or 'var' directory, which you obviously have not done.
Unfortunately I don't know much about virtual hosts, so here are just some ideas on how to pinpoint the problem:
It looks like the var and design directories are protected by authentication whereas the base directory for EZ is not. To confirm this I would try to fetch e.g. the robots.txt (which should work without problems) and some file in the design or var directory (where you should be prompted for login).
If that works as expected, try whether the rewrite rules are to blame, first by just taking them out totally. The startpage of your EZ-website should still work fine. Can you see the pictures and styles now? If yes, enable the rewrite rules again and check your rewrite and access log; maybe you can see some information there. If you still can't see the styles and pics and are still prompted for login, I would maybe try to set the directory for the authentication directly in the document root, not one level higher (although both versions were working for me).

Good luck

Claudia

Heiner Wurbs

Monday 21 August 2006 3:48:28 am

Hi Claudia,
thanks for those hints. I ran those tests, and it turned out that the RewriteEngine is the problem. At the moment I have no idea how to solve that. It could be that this authentication and the rewrite_mod do not work together.

Greetings
Heiner
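
The test suggested in the thread (request a page and a static file without logging in and see which ones ask for a password) can be scripted; the version below also flags a 401 response whose body still carries page content, because that body is what a browser displays once the login prompt is cancelled. This is an added example, not code from the thread: `audit`, `marker`, the sample paths and `DemoHandler` are assumptions, and the built-in server is a constructed stand-in that only imitates the reported symptom.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Ignore proxy settings so the probe talks to the server directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def audit(base_url, paths, marker):
    """Fetch each path WITHOUT credentials; marker is text known to be in protected pages."""
    findings = {}
    for path in paths:
        try:
            with OPENER.open(base_url + path, timeout=5) as resp:
                status, headers, body = resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as err:  # a 401 still carries headers and a body
            status, headers, body = err.code, err.headers, err.read()
        if status != 401 or "WWW-Authenticate" not in headers:
            findings[path] = f"no auth challenge (HTTP {status})"
        elif marker.encode() in body:
            # Browsers render the 401 body once the login prompt is cancelled.
            findings[path] = "401 sent, but body contains site content"
    return findings

class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in server, not the poster's host."""
    def do_GET(self):
        if self.path == "/robots.txt":  # served with no challenge at all
            status, body = 200, b"User-agent: *\n"
        elif self.path.startswith(("/design/", "/var/")):  # properly protected
            status, body = 401, b"Authorization Required"
        else:  # challenge is sent, but the page rides along in the body
            status, body = 401, b"<html>eZ publish front page</html>"
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="eZ publish installation"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # silence per-request logging

def run_demo():
    with http.server.ThreadingHTTPServer(("127.0.0.1", 0), DemoHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        paths = ["/", "/robots.txt", "/design/base/images/logo.gif"]
        findings = audit(f"http://127.0.0.1:{server.server_port}", paths, "eZ publish front page")
        server.shutdown()
    return findings
```

Against a real host, call `audit` with the site's base URL, a few representative paths, and a `marker` string taken from a page that must stay private; an empty result means every path answered with a clean challenge.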
