Wednesday, January 26, 2011

Dynamic AuthUserFile in apache with mod_rewrite. Is it possible?

I've got a server with several scponly accounts and I want to provide http access under Basic Auth.

The first part of the problem is solved, using mod_rewrite to chop and select the right directory for each user. But the problem arises when I try to establish a different auth user file for each user. I simply can't find how to do it.

Here's a sample config.

<VirtualHost an-ip-number-and:a-port>
    ServerName *.example.com
    RewriteEngine On
    UseCanonicalName Off

    RewriteCond %{HTTP_HOST} ^(.*).example.com
    RewriteCond /server/scponly/%1/incoming -d
    RewriteRule ^(.+)   %{SERVER_NAME}$1 [C]
    RewriteRule ^([^.]+)\.example\.com/(.*) /server/scponly/$1/incoming/$2 [L]

    RewriteRule ^(.+) http://FAIL.example.com

    <Directory /server/scponly/*/incoming>
        AuthType Basic
        AuthName "SFTP-HTTP Area"
        AuthUserFile  ???????   # <-- this!
        require valid-user
    </Directory>
</VirtualHost> 

Notes:

  • I can't drop mod_rewrite because the actual config is mixed with other servername / directory-check / rewrites for other purposes.
  • I can't move auth details to .htaccess files because users could erase them. But I'm interested if this approach would be a partial solution.
  • I'm also interested in other approaches.
  • I need to differentiate auth files for each directory; having only one file will grant access to all directories to each user.
  • Huh? You can have just one file. You just need to change your Require parameter to be the userid instead of valid-user. See here: Apache Docs.

    From peelman
  • To expand on peelman's answer you will have to have a separate section for each user:

    <Directory /server/scponly/*/incoming>
        AuthType Basic
        AuthName "SFTP-HTTP Area"
        AuthUserFile  /path/to/user/htpasswd
    </Directory>
    <Directory /server/scponly/bob/incoming>
        require user bob
    </Directory>
    <Directory /server/scponly/smith/incoming>
        require user smith
    </Directory>
    

    A radical approach would be to use mod_perl which allows you to configure apache with perl. This would go in an apache config file:

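    <Perl>
    # Evaluated when Apache parses its configuration, not on each request.
    for my $dir (glob "/server/scponly/*/incoming") {

      # The account name is the path component just before /incoming.
      my ($user) = $dir =~ m%/server/scponly/([^/]+)/incoming%;

      # Start an empty <Directory> section for this path if none exists yet.
      exists $Directory{$dir} or $Directory{$dir} = { };
      $Directory{$dir}{AuthType} = 'Basic';
      $Directory{$dir}{AuthName} = 'SFTP-HTTP Area';
      $Directory{$dir}{AuthUserFile} = '/path/to/htpasswd';
      # Only the matching account may access its own directory.
      $Directory{$dir}{require} = "user $user";

    }
    </Perl>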
    

    (Written off the top of my head.)

    peelman : Yeah, what he said!
    theist : I like the radical one. The main point of such a config is to not have the need to maintain a configuration entry for each user/scp account as they change over time.
    From embobo
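
The per-user sections from the answer above can also be generated without mod_perl. The following is an added example, not part of the original question or answers: a shell function that writes one `Require user` stanza per account directory and skips any directory name that is not a plain account name, so nothing unexpected ends up in the Apache configuration. The allowed-character filter and the output file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: emit one <Directory> stanza per scponly account.
# gen_auth_conf BASE HTPASSWD  -> Apache configuration on stdout
gen_auth_conf() {
    base=$1
    htpasswd=$2

    # Shared settings for every account directory, as in the answer above.
    printf '<Directory "%s/*/incoming">\n' "$base"
    printf '    AuthType Basic\n'
    printf '    AuthName "SFTP-HTTP Area"\n'
    printf '    AuthUserFile "%s"\n' "$htpasswd"
    printf '</Directory>\n'

    for dir in "$base"/*/incoming; do
        [ -d "$dir" ] || continue          # also skips an unmatched glob
        user=${dir%/incoming}
        user=${user##*/}
        # Only plain account names go into the config (assumed filter);
        # names with spaces, quotes or other characters are reported.
        case $user in
            ''|*[!A-Za-z0-9._-]*)
                printf 'skipping unexpected directory name: %s\n' "$dir" >&2
                continue ;;
        esac
        printf '<Directory "%s/%s/incoming">\n' "$base" "$user"
        printf '    Require user %s\n' "$user"
        printf '</Directory>\n'
    done
}

# Usage (paths are placeholders):
#   gen_auth_conf /server/scponly /path/to/htpasswd > scponly-auth.conf
#   apachectl configtest && apachectl graceful
if [ "$#" -eq 2 ]; then
    gen_auth_conf "$1" "$2"
fi
```

Include the generated file from the virtual host and regenerate it whenever accounts are added or removed.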
