I have web page running on the Apache. Web page is using Apache basic authentication. So when user tries to access certain page - must enter user/pass before to get authorised. I would like to display notification (except a list of IP addresses) screen with accept button just before authentication.
Other comments on above:
- I can't stop using Apache basic authentication
- I must resolve this in httpd.conf using mod_rewrite
Currently I managed to display notification page before authentication:
<Location />
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !^.*notification=accepted.*$
RewriteCond %{REQUEST_URI} !^/cgi-bin/notification.pl
RewriteRule ^.*$ /cgi-bin/notification.pl [L,QSA]
AuthName "Test"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl ldap://localhost:389/ou=People
require valid-user
SetEnvIf Request_URI "^/cgi-bin/notification.pl" allow_content
SetEnvIf Cookie "notification=accepted" do_auth
Order Allow,Deny
Allow from all env=allow_content
Deny from env=do_auth
Satisfy Any
</Location>
But how to apply list of IP addresses which will not be redirected to the notification page?
Current rules means:
1.
- if user tries to access some file in /*
- and notification cookie isn't set
- and target url isn't notification.pl
- redirect user to notification.pl
2.
- set basic authentication
- use ldap as a provider
3.
- since everything under "/" is under Apache basic authentication control
- set environment variable if user tries to access notification.pl
- set environment variable if notification cookies is set
4.
- rules from (3) allows to access notification.pl without Apache basic authentication
- if cookie isn't set user will be redirected to notification.pl where cookie being is set
- if cookie is found here - do_auth variable is set, and rules from (1) will not work
- so if user tries to access any page, after accepting notification will be forced to authenticate
Question is: How to define list of IP addresses which will skip notification page, but still will be forced to pass Apache basic authentication? It would be perfect when the exclusion list with IP addresses could be defined in separate file and just included in httpd.conf in Location section. Any ideas how to do that?
On the other hand - do you see any security vulnerability in my above solution?