[mpm-itk] problem with authentication (AuthType Basic...)
patpro at patpro.net
Fri Mar 29 08:25:16 CET 2013
On 29 March 2013, at 07:54, Alex Domoradov wrote:
>> but I need a way out, a workaround, to allow my users to use authentication...
> 1 virtual host = 1 web site = 1 user ?
Unfortunately, not possible. It would need a major reengineering of this hosting and related services (dns...). Many web sites are also dependent on their domain name / base URL (badly coded CMS), and would need reconfiguration to work properly.
Do you have any explanation why a call to mod_auth* in a directory would trigger a call to the root level of the parent virtual host?
And quite important too: is there any other mod_* that will eventually fail the same way in this context?
> On Thu, Mar 28, 2013 at 6:13 PM, Patrick Proniewski <patpro at patpro.net> wrote:
>> I've just deployed apache 2.2 with mpm-itk in production (~35 vhosts, 250 web sites) and discovered a serious issue.
>> As you can read, I've got more web sites than vhosts, so basically, for some vhosts I have many web sites:
>> <vhost number 1>
>> # global directives
>> # default user:group
>> AssignUserID www www
>> <directory #1>
>> # local user:group
>> AssignUserID user1 www
>> <directory #2>
>> # local user:group
>> AssignUserID user2 www
>> # and so on
>> Works great, until some user tries to use authentication (.htaccess for example). Something quite simple like this will fail:
>> AuthType Basic
>> AuthName "foo bar"
>> AuthUserFile /tmp/patpro.passwd
>> AuthGroupFile /tmp/patpro.group
>> Require group admin
>> The symptom is quite clear:
>> [warn] Couldn't set uid/gid/priority, closing connection.
>> [warn] (itkmpm: pid=82842 uid=1002, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
>> When I GET a web page from http://vhost #1/directory #1/, the httpd process takes UID user1 and GID www (80), then the process tries to trigger authentication. This authentication process seems to relate to vhost #1, so the httpd process tries to switch to UID www, and fails.
>> I understand it's perfectly "legal", but I need a way out, a workaround, to allow my users to use authentication...
>> Any idea?
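An added example, not part of the original post or of mpm-itk: a small triage script for the warning quoted above. It parses the `(itkmpm: ...)` lines from an Apache error log and counts the cases where a process that had already taken a non-root UID attempted a further identity switch, which is the failure the post describes. The log lines are constructed around the message text from the post, and the function names are hypothetical.

```python
import re
from collections import Counter

# Shape of the mpm-itk warning quoted in the post:
# (itkmpm: pid=N uid=N, gid=N) <function>(): <call>(<args>): <error text>
ITK_WARN = re.compile(
    r"\(itkmpm: pid=(?P<pid>\d+) uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)\s+"
    r"(?P<func>\w+)\(\):\s+(?P<call>\w+)\((?P<args>[^)]*)\):\s+(?P<error>.+?)\s*$"
)

# Constructed sample log. The two [warn] message texts come from the post;
# timestamps, the extra pids/uids and the [error] line are invented.
SAMPLE_LOG = """\
[Fri Mar 29 08:10:01 2013] [warn] Couldn't set uid/gid/priority, closing connection.
[Fri Mar 29 08:10:01 2013] [warn] (itkmpm: pid=82842 uid=1002, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
[Fri Mar 29 08:11:40 2013] [warn] (itkmpm: pid=82850 uid=1002, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
[Fri Mar 29 08:12:05 2013] [warn] (itkmpm: pid=82861 uid=1003, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
[Fri Mar 29 08:12:30 2013] [error] [client 192.0.2.10] File does not exist: /constructed/path/favicon.ico
""".splitlines()


def parse_itk_warning(line):
    """Return the fields of one itkmpm warning, or None for any other line."""
    m = ITK_WARN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "gid"):
        rec[key] = int(rec[key])
    rec["args"] = [a.strip() for a in rec["args"].split(",")]
    # A non-zero uid means the process had already dropped root when it
    # attempted the switch, so calls such as initgroups() cannot succeed.
    rec["already_dropped"] = rec["uid"] != 0
    return rec


def summarize(lines):
    """Count failed switches per (current uid, failing call, target user)."""
    counts = Counter()
    for line in lines:
        rec = parse_itk_warning(line)
        if rec and rec["already_dropped"]:
            counts[(rec["uid"], rec["call"], rec["args"][0])] += 1
    return counts


if __name__ == "__main__":
    for (uid, call, target), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"uid {uid}: {call}() towards '{target}' failed {n} time(s)")
```

Mapping the reported UIDs back to their `AssignUserID` directives shows which directories are hitting the second switch.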