IP-based referral between hosts, .htaccess

got the directives in place, but referral still doesn't log in

         

kapshure

9:35 pm on May 17, 2010 (gmt 0)

10+ Year Member



Hi there. I apologize if this has been covered somewhere, but alas, I'm not an Apache power user so I'm not even quite sure what to search for.

We have two servers, one that is running a wiki, and another running a CMS/publishing tool. We'd like to put links in the CMS tool that direct over to the wiki. I've added the directives I think are correct to .htaccess in the /var/www/html/wiki directory.

Here are those directives:

AuthType Basic
AuthName "Intranet Wiki"
AuthUserFile /var/www/html/wiki/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Order Deny,Allow
Allow from X.X.X.*
Allow from 10.0.100.*
Allow from 127.*
Allow from *.subdomain.domain.com
Allow from *.subdomain.ofapp.domain.com
Allow from hostname.domain.com
Allow from another.hostname.domain.com
Satisfy any


On this line: Allow from X.X.X.* - that actually contains a valid public IP but I have changed this for security reasons.

Also, on the wiki server, we have added some preliminary test accounts to the .htpasswd file.

However, when we click a link from the CMS tool, the redirect does go to the correct Wiki URL, but it doesn't take the credentials being passed. The page just stops at an error saying that the user needs to be logged in. We are using TikiWiki by the way.

Thanks in advance.

J

jdMorgan

3:45 pm on May 18, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



HTTP authentication/authorization is "per-directory/per-hostname" so auth credentials will not be sent by the browser to any but the original domain and URL-path for which they were originally set.

The simplest solution might be to remove all authentication/authorization from your back-end application server, and configure it to accept requests from the front-end server only, which is what I presume your "allow/deny" section was for.

Note also that using a literal "*." in front of a hostname for Allows and Denys won't work, and should not be necessary unless you have multiple front-end server IP addresses -- See mod_access documentation. I would recommend replacing these hostnames with the front-end machine's IP address anyway, since that eliminates DNS lookups and will be far more efficient.

Note that for security reasons, the front-end server *must* have a unique IP address, since Allow/Deny is based on the requesting IP address, regardless of whether a hostname or IP address is specified in Allow/Deny. You would not want the situation where any third-party host sharing your name-based shared virtual server could access your back-end...

Jim
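
One way to write the restriction this reply recommends, as an added example that is not part of the original post. It assumes Apache 2.2 access-control syntax as used in the thread, that the front-end server itself makes the requests to the back-end, and uses 192.0.2.10 as a placeholder for the front-end's dedicated IP address.

```apache
# Added example, not from the thread. 192.0.2.10 is a placeholder address.

# --- As posted (weak), shown commented out ---
# AuthType Basic
# Require valid-user
# Order Deny,Allow
# Allow from *.subdomain.domain.com
# Allow from hostname.domain.com
# Satisfy any
#
# Problems with the posted form:
#  1. Under "Order Deny,Allow" a request that matches no Deny line and no
#     Allow line is permitted by default. The block has no Deny line, so the
#     host check passes for every client.
#  2. "Satisfy any" accepts a request when EITHER the host check OR the
#     password check passes, so with (1) no client is ever asked for a
#     password.
#  3. A literal "*." prefix is not valid Allow syntax, as the reply notes.
#  4. Hostname entries make Apache resolve the client address through DNS
#     on each request.

# --- Back-end reachable from the front-end only ---
# Basic auth removed as the reply suggests; access is decided by source IP.
Order Deny,Allow
Deny from all
# Dedicated IP of the front-end (CMS) server. It must not be shared with
# other tenants, since the check is made on the requesting IP address.
Allow from 192.0.2.10
# Local requests on the wiki host itself.
Allow from 127.0.0.1
```

On Apache 2.4 the same restriction is written with mod_authz_host as `Require ip 192.0.2.10 127.0.0.1`.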

kapshure

12:23 am on May 19, 2010 (gmt 0)

10+ Year Member



So I went back and edited .htaccess:


AuthType Basic
AuthName "example.com Intranet Wiki"
AuthUserFile /var/www/html/tiki/.htpasswd
AuthGroupFile /dev/null
Require valid-user
Order Deny,Allow
Allow from 10.0.100.236
Allow from 127.0.0.1
Allow from cm.user.dev.example.com
Satisfy any


When I attempt it, it still gives me the same 'you are not logged in' prompt.

10.0.100.36 - - [18/May/2010:07:26:10 -0700] "GET /tiki-index.php?page=I+need+to+call+someone+for+help&login-user=jwiggins@example.com HTTP/1.1" 200 10904

I even went back and added 10.0.100.36 to .htaccess with no luck on access.

Am I missing something here?

[edited by: jdMorgan at 12:30 am (utc) on May 19, 2010]
[edit reason] example.com [/edit]