views: 17
answers: 0

I have a web page running on Apache. The web page uses Apache basic authentication, so when a user tries to access a certain page they must enter a user/pass before being authorised. I would like to display a notification screen (except for a list of IP addresses) with an accept button just before authentication.

Other comments on the above:

  • I can't stop using Apache basic authentication
  • I must resolve this in httpd.conf using mod_rewrite

Currently I have managed to display the notification page before authentication:

<Location />
  RewriteEngine On
  RewriteCond %{HTTP_COOKIE}  !^.*notification=accepted.*$
  RewriteCond %{REQUEST_URI}  !^/cgi-bin/notification.pl
  RewriteRule ^.*$            /cgi-bin/notification.pl [L,QSA]

  AuthName "Test"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPUrl ldap://localhost:389/ou=People
  require valid-user

  SetEnvIf Request_URI "^/cgi-bin/notification.pl" allow_content
  SetEnvIf Cookie "notification=accepted" do_auth

  Order Allow,Deny
  Allow from all env=allow_content
  Deny from env=do_auth
  Satisfy Any
</Location>

But how do I apply a list of IP addresses which will not be redirected to the notification page?

The current rules mean:

1.

  • if a user tries to access some file in /*
  • and the notification cookie isn't set
  • and the target URL isn't notification.pl
  • redirect the user to notification.pl

2.

  • set up basic authentication
  • use LDAP as the provider

3.

  • since everything under "/" is under Apache basic authentication control
  • set an environment variable if the user tries to access notification.pl
  • set an environment variable if the notification cookie is set

4.

  • the rules from (3) allow access to notification.pl without Apache basic authentication
  • if the cookie isn't set, the user will be redirected to notification.pl, where the cookie is set
  • if the cookie is found, the do_auth variable is set, and the rules from (1) will not apply
  • so if the user tries to access any page after accepting the notification, they will be forced to authenticate

The question is: how do I define a list of IP addresses which will skip the notification page but still be forced to pass Apache basic authentication? It would be perfect if the exclusion list of IP addresses could be defined in a separate file and just included in httpd.conf in the Location section. Any ideas how to do that?

On the other hand, do you see any security vulnerability in my above solution?
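One way to carry the exclusion list in a separate file, as an added example that is not part of the original post and not the poster's configuration. It assumes Apache 2.2 (the Order/Allow/Deny syntax the posted config uses), an include file at the hypothetical path /etc/httpd/conf/notification-skip.conf, and the same /cgi-bin/notification.pl CGI. Excluded addresses set an environment variable with SetEnvIf; the rewrite is skipped when that variable is set, and a matching Deny sends those clients straight to LDAP authentication.

```apache
# Added example httpd.conf fragment (Apache 2.2 syntax); paths are assumptions.

<Location />
  # 1. IP exclusion list, kept in a separate file (assumed path). Each line
  #    in that file is a SetEnvIf on the client address, for example:
  #      SetEnvIf Remote_Addr "^10\.0\.0\.5$"   skip_notice
  #      SetEnvIf Remote_Addr "^192\.168\.1\."  skip_notice
  #    Anchor the patterns: "^10\.0\.0\.5" alone would also match 10.0.0.50.
  Include /etc/httpd/conf/notification-skip.conf

  SetEnvIf Cookie "notification=accepted" do_auth

  # 2. Send everyone without the cookie to the notice, unless their address
  #    was flagged above. Variables set by SetEnvIf are visible to mod_rewrite
  #    as %{ENV:name}; an unset one expands to the empty string.
  RewriteEngine On
  RewriteCond %{ENV:skip_notice} ^$
  RewriteCond %{HTTP_COOKIE}     !notification=accepted
  RewriteCond %{REQUEST_URI}     !^/cgi-bin/notification\.pl$
  RewriteRule ^ /cgi-bin/notification.pl [L,QSA]

  AuthName "Test"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPUrl ldap://localhost:389/ou=People
  Require valid-user

  # 3. Satisfy Any: a request gets in if EITHER the Allow/Deny block admits it
  #    OR Basic auth succeeds. With Order Allow,Deny a matching Deny wins over
  #    Allow, so anything denied here can only get in via LDAP.
  Order Allow,Deny
  Allow from all
  Deny from env=do_auth      # cookie present: notice accepted, now authenticate
  Deny from env=skip_notice  # excluded address: no notice, authenticate directly
  Satisfy Any
</Location>
```

The `Allow from all` is what makes the scheme work at all: mod_rewrite's per-directory rewriting runs in the fixup phase, after access control and authentication, so a cookie-less request has to pass access control first or it would get a 401 before it could be rewritten to the notice. The flip side, which applies equally to the posted config, is that for a client that sends no cookie and is not on the exclusion list the RewriteCond lines are the only thing between it and the protected content: if a request is not rewritten, it is served without authentication. That is why the `REQUEST_URI` and `Request_URI` patterns above are anchored with `$` and the dot escaped, so that only exactly `/cgi-bin/notification.pl` escapes the rewrite, rather than any path that merely starts with that string.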