I have a front end server acting as a gateway proxy for many (a dynamic 'many') building monitors with embedded webservers.

They are accessed with a URL like:

http://www.example.com/monitor1/
http://www.example.com/monitor2/
    ...

I'm trying to restrict access to these monitors to only the users that own them. So what I need is a way of specifying rights to users or groups for specific directories.

The standard auth mechanisms I see in Apache won't work because I need to specify every location. I'd prefer some dynamic map or script.

Any suggestions?

Cogsy
  • I'm not entirely clear on what you want to do. Do you want a way to dynamically set the group for a directory and maintain the users and what group they're in on your own? What would your ideal setup look like from the administration point of view? – Jeff Snider Oct 16 '09 at 17:37
  • I need to set the rights for many locations (which are actually proxied servers). I'd like to get the auth details from a script or map file rather than write all of them into a static Apache conf file. – Cogsy Oct 17 '09 at 05:56

1 Answer

Ok, here's a quick and (very) hacky way to do this. Short story is, there isn't a way (that I know of) to dynamically do what you're asking with the standard Apache tools. Extra modules or code is necessary. Someone out there may have already made a module that does what you want. I didn't go looking.

Install and enable mod_perl in your Apache config, then put this block anywhere in your config after the LoadModule for perl. It doesn't have to be in any VirtualHost or Directory or anything like that.

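<Perl>
 use Apache2::ServerUtil qw//;
 use Apache2::RequestRec qw//;
 use Apache2::RequestUtil qw//;
 use Apache2::Const qw/OK DECLINED/;

 my $s = Apache2::ServerUtil->server;

 # Runs for every request, before the authentication and authorization phases.
 $s->push_handlers(PerlHeaderParserHandler => sub { my($r) = @_;
  # Only the directory URL itself (e.g. /monitor1/) matches this pattern.
  if ( $r->hostname eq 'www.example.com' &&
       $r->uri =~ m|^/(monitor\d+)/$| ) {
   my $monitorDirectory = $1;

   # Add per-request auth directives; the required user is the directory name.
   eval{$r->add_config([
    "AuthType basic",
    "AuthName 'secret $monitorDirectory'",
    "AuthUserFile /path/to/user/file",
    "require user $monitorDirectory"
   ])};
   # Log a config error instead of aborting the request.
   if ( $@ ) { warn $@ }

   return OK;

  } else {
   # Not a monitor URL: leave the request to the rest of the configuration.
   return DECLINED;
  }
 });
</Perl>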

Basically what this is doing is looking at the URL of every request and, if it matches, inserting some config rules on the fly before the authentication and authorization stage of the request. To modify it, change the www.example.com bit, the regex match ^/(monitor\d+)/$, and the list of directives to insert.

This will leave you with a user file to maintain, where the username is the directory name from the url. If you want multiple users per directory, you'll have to use groups and maintain that file as well. For that, change require user $monitorDirectory to require group $monitorDirectory and add AuthGroupFile /path/to/group/file.

Jeff Snider
  • This actually works pretty well so, (although there is plenty of room for error). Thanks! – Cogsy Oct 18 '09 at 23:14
  • Thank you for this Perl script, it works like a charm! I need to improve it by adding a check on the client IP address. That is to say, verify that the IP address belongs to a list of subnets (192.168.1.0/24, 172.16.0.1/20, etc.) OR a list of static IP addresses (192.168.3.2, 172.16.10.3, ...). So I would like to modify the if condition: $s->push_handlers(PerlHeaderParserHandler => sub { my($r) = @_; if ( $r->hostname eq 'www.example.com' && $r->uri =~ m|^/(monitor\d+)/$| && ???...........) But I do not develop in Perl, maybe someone can help me? Thx for all. Best regards –  Oct 15 '12 at 15:17
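
Added example (not from the original answer or comments): stand-alone Perl for the decision the last comment asks about, a client-IP allowlist of subnets and single addresses combined with the monitor URL match. It assumes IPv4 only and that an address outside the list should be refused; the function names and sample requests are hypothetical, and monitor_for_uri also matches paths below /monitorN/, which the answer's pattern ending in /$ does not.

```perl
use strict;
use warnings;

# Constructed allowlist (values from the comment above); a bare address means /32.
my @ALLOWED = qw(192.168.1.0/24 172.16.0.1/20 192.168.3.2 172.16.10.3);

# Dotted-quad IPv4 -> 32-bit integer, or undef if malformed.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip && $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @octets = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @octets;
    return ($octets[0] << 24) | ($octets[1] << 16) | ($octets[2] << 8) | $octets[3];
}

# True if $ip lies inside any subnet or equals any single address in @$list.
sub ip_allowed {
    my ($ip, $list) = @_;
    my $addr = ip_to_int($ip);
    return 0 unless defined $addr;
    for my $entry (@$list) {
        my ($net, $bits) = split m{/}, $entry, 2;
        $bits = 32 unless defined $bits;
        my $base = ip_to_int($net);
        next unless defined $base && $bits =~ /\A\d+\z/ && $bits <= 32;
        # Host bits in the entry (172.16.0.1/20) are masked off before comparing.
        my $mask = $bits > 0 ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
        return 1 if ($addr & $mask) == ($base & $mask);
    }
    return 0;
}

# Monitor name for any URI at or below /monitorN/, else undef.
sub monitor_for_uri {
    my ($uri) = @_;
    return $uri =~ m{\A/(monitor\d+)(?:/|\z)} ? $1 : undef;
}

# 'decline' = not a monitor URL, 'forbid' = IP not allowlisted, 'auth:<name>' = add auth config.
sub decide {
    my ($host, $uri, $client_ip) = @_;
    return 'decline' unless lc($host // '') eq 'www.example.com';
    my $monitor = monitor_for_uri($uri // '');
    return 'decline' unless defined $monitor;
    return ip_allowed($client_ip, \@ALLOWED) ? "auth:$monitor" : 'forbid';
}

# Constructed requests: host, URI, client IP.
for my $req (['www.example.com', '/monitor1/',           '192.168.1.77'],
             ['www.example.com', '/monitor2/status.cgi', '172.16.15.200'],
             ['www.example.com', '/monitor2/',           '172.16.16.1'],
             ['www.example.com', '/monitor3/',           '192.168.3.3'],
             ['www.example.com', '/other/',              '192.168.3.2']) {
    printf "%-22s %-14s => %s\n", $req->[1], $req->[2], decide(@$req);
}
```

Inside the mod_perl handler the three arguments would come from $r->hostname, $r->uri and $r->connection->remote_ip (client_ip on Apache 2.4), with 'forbid' mapped to a FORBIDDEN return.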