I restrict access to files in /reports/PROTECTED via a location block.
The files in /reports/PROTECTED are simple html files.
However, they are hard to read as-is, so we have a script that "splits" the reports (on the fly) into a header and a body, using frames. An example would be:
raw location:
/reports/PROTECTED/any_report.htm
split report location:
/cgi-bin/split_rep.sh?/reports/PROTECTED/any_report.htm
These two links access the same report in my /reports/PROTECTED directory.
Access directly to the report is handled by my simple location block, which properly enforces authentication.
BUT, the report splitter allows an 18-wheeler sized hole because Apache thinks the location is '/cgi-bin/split_rep.sh', so it does not match the location block, and therefore, *does not* enforce authentication. Even though a user should not be able to directly access the file, they sure as heck can access the report through the splitter.
I am sure there are mod_rewrite games I can play here. However my mod_rewrite skills are rudimentary, and I don't even know *where* I would rewrite this url to make this work.
Any help would be appreciated.
Welcome to WebmasterWorld!
I've never tried this before, but it would not surprise me if it won't work. The reason is that <Location> references a URL-location, but it probably looks only at the URL-path. Since query strings are not part of a URL, but rather, data appended to the request to be passed to the resource *at* that URL, I doubt that <Location> will examine the query string.
Jim
That is definitely why it is not working... I'm looking for a (hopefully not-so) clever way around this. :)
Is there any way to somehow rewrite the URL to a 'dummy' URL that included the QUERY_STRING? Say, to /split_rep/reports/PROTECTED/any_report.htm, or similar?
That way, the LocationMatch will match, but then I still need to actually serve the content, which obviously won't work from that dummy URL.
Maybe I need to get into the business of using handlers. I could write a perl module that would interrupt the URI translation phase (or, just use mod_rewrite to do what I mentioned above), then allow the authentication phases to occur against the 'modified' URL (that would hopefully match at that point), then use a Fixup handler to piece back together the original request.
That may or may not work, and could be complicated to put together.
I was just wondering if any of the 'dummy' mod_rewrite stuff that has been written about to, for example, send requests to different Java servers may apply to me....
Trying to keep it simple... may not be possible in this case.
Can't you set up a ScriptAlias on a 'fake' location inside /Protected to point those requests over to the script?
For example /reports/PROTECTED/split/any_report.htm aliased to /cgi-bin/split_rep.sh
Then tweak the script to look at the original request to get the 'report name' being requested.
See also the notes on <Directory> and <Location> processing in the documentation of the Alias directives (Apache mod_alias).
Jim
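A sketch of the "tweak the script" step from the ScriptAlias suggestion above, added here as an example and not taken from any poster's code. It assumes the splitter is aliased under /reports/PROTECTED/split so the existing location block covers it, that Apache passes the rest of the URL in PATH_INFO, and that reports live in a hypothetical directory held in REPORT_ROOT; resolve_report is an illustrative name.

```shell
#!/bin/sh
# Added example, not the original split_rep.sh.
# Assumed Apache setup (filesystem path is a placeholder):
#   ScriptAlias /reports/PROTECTED/split /path/to/cgi-bin/split_rep.sh
# A request for /reports/PROTECTED/split/any_report.htm then falls under the
# /reports/PROTECTED location block (authentication applies) and reaches
# this script with PATH_INFO=/any_report.htm.

REPORT_ROOT="${REPORT_ROOT:-/var/www/reports/PROTECTED}"   # assumed directory

# resolve_report PATH_INFO
# Prints the report's filesystem path, or returns 1 unless the name is a
# single plain *.htm file name directly inside REPORT_ROOT. The script no
# longer accepts an arbitrary path from the query string.
resolve_report() {
    name="${1#/}"                        # drop the leading slash
    case "$name" in
        ''|.*|*/*|*..*) return 1 ;;      # empty, hidden, nested or traversal
        *[!A-Za-z0-9._-]*) return 1 ;;   # any character outside a safe set
        *.htm) ;;                        # report files only
        *) return 1 ;;
    esac
    printf '%s/%s\n' "$REPORT_ROOT" "$name"
}

# Act as a CGI only when the web server invoked us (CGI sets this variable).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if report=$(resolve_report "${PATH_INFO:-}") && [ -f "$report" ]; then
        printf 'Content-Type: text/html\r\n\r\n'
        # The existing header/body frame splitting would run on "$report"
        # here; sending the file unchanged stands in for it.
        cat "$report"
    else
        printf 'Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\n'
        echo "No such report"
    fi
fi
```

The old /cgi-bin/split_rep.sh?... URL stays open until that route is removed or placed behind the same authentication.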