[mpm-itk] problem with authentication (AuthType Basic...)

Patrick Proniewski patpro at patpro.net
Fri Mar 29 09:53:26 CET 2013

Problem almost solved.

Thanks to truss, I've been able to trace the file accesses for the httpd process while performing the .htaccess parsing. As I've stated earlier, the problem was not about AllowOverride, that were set right. It was is fact due to the process of authentication if self. When Apache request an authentication, it tries to serve an error document to the client, the client intercept the error, and present the user with an auth dialog. 
The problem starts when you have a default apache config that handle multilang error documents:

Alias /error/ "/usr/local/www/apache22/error/"
<Directory "/usr/local/www/apache22/error">
    AllowOverride None
    Options IncludesNoExec
    AddOutputFilter Includes html
    AddHandler type-map var
    Order allow,deny
    Allow from all
    LanguagePriority fr en de es it cs ja ko nl pl pt-br ro sv tr
    ForceLanguagePriority Prefer Fallback
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var

Those error documents are out of the scope of the user directory. And even if the authentication dialog always masks the corresponding error doc, the file is actually read by httpd and sent to the client, unless it fails switching to the proper UID and drops the connection.

I've commented out everything, and replaced each ErrorDocument directives with this kind of things: 

ErrorDocument 400 "400 HTTP_BAD_REQUEST"
ErrorDocument 401 "401 HTTP_UNAUTHORIZED"
ErrorDocument 403 "403 HTTP_FORBIDDEN"

restarted Apache, and now my mod_auth* .htaccess files are working again.

My problems are not all solved, I've found some other glitches with mod_rewrite that I need to figure out.


On 29 mars 2013, at 09:26, Patrick Proniewski wrote:

> On 29 mars 2013, at 09:22, Knut Auvor Grythe wrote:
>> This means that if you set AllowOverride none on
>> /srv/vhosts/www.example.com/, Apache will still try to read from these:
>> /.htaccess
>> /srv/.htaccess
>> /srv/vhosts/.htaccess
>> If one of those reads fail, you're in trouble. The solution is to set
>> AllowOverride none on /.
> it is set.
> If it was not set, I wouldn't need an .htaccess in my deepest directory for the request to fail, every request would fail.
> Patrick
> _______________________________________________
> mpm-itk mailing list
> mpm-itk at err.no
> http://lists.err.no/mailman/listinfo/mpm-itk

More information about the mpm-itk mailing list