htaccess Elite

Tested for DreamHost Apache 2 running php-cgi.


Process Request

Code: Select all

client -> GET /
server -> set REMOTE_USER=user
          set REDIRECT_REMOTE_USER=REMOTE_USER if 401 errordocument
          show errordocument 401 if invalid user/pass
          errordocument 401 requests user pass with "Authorization Required"
          401 sends Header- 'WWW-Authenticate: Basic ream="AskApachePass"'       
client -> GET /
          send username and password with
          Header- 'Authorization: Basic (base64_encoded username:password)'         
server -> (repeats until authorized)


2 .htaccess tricks required
1. a custom 401 ErrorDocument specifying a php file (logger).
2. pass along the clients username using mod_rewrite.

Code: Select all

.htaccess

ErrorDocument 401 /log-htpasswd.php

# BEGIN AskApache Password Protect
AuthName "AskApachePass"
AuthUserFile /.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
# END AskApache Password Protect

RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$
RewriteRule .* - [E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]


log-htpasswd.php

Code: Select all

<?php
define('LOGINS_LOG','/home/user/log-htpasswd.log');

if(isset($_ENV['REDIRECT_REMOTE_USER']) && !empty($_ENV['REDIRECT_REMOTE_USER'])){
$fp = fopen(LOGINS_LOG, 'a ');
fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']);
fclose($fp);
}

ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn\'t understand how to supply
the credentials required.</p>';
exit;
exit();
?>

example log-htpasswd.log
just a list of usernames attempted

username1
tom
rcowen
askapache
dreamhost
dreamadmin



All you need to do now is add mysql commands to log-htpasswd.php... And you should tighten the security for log-htpasswd.php to only allow from from server for redirects to secure against crackers and hackers. more .htaccess tricks

So I'm not sure what's different in my environment but this does not work....

first I had to change /.htpasswd to the full path or I couldn't even log in.

I checked my log file path etc, even made it all 777's, and then just tried writing "test" in it, nothing...
Made a copy of the log-htpasswd.php and pulled the if and other stuff out, it did write to the "test" to the file only no user.

I don't know, this is what is driving a bit nuts. I agree this should work.

No worries Sorcerer~

I forget that my environment is different than the default, I have a lot of optimized stuff going on. My guess is that its a php issue.

First, the .htpasswd thing was my fault, indeed you will need to change to be the full path like /home/user/.htpasswd

Next configure your domain to use the php5.cgi

1. cd to your domain root

cd /home/user/domain.com

2. make a cgi-bin folder

mkdir -p /home/user/domain.com/cgi-bin; chmod 755 /home/user/domain.com/cgi-bin

3. copy the php5.cgi

cp -p /dh/cgi-system/php5.cgi /home/user/domain.com/cgi-bin

4. add this to your /home/user/domain.com/.htaccess

Code: Select all

AddHandler php-cgi .php
Action php-cgi /cgi-bin/php5.cgi

Now that you have php5, it should work.



Ultimate debug:

1. create a file called login.php in /home/user/domain.com/cgi-bin/login.php and make a copy at /home/user/domain.com/logins.php
2. the contents of login.php, change the IP to yours

Code: Select all

<?php
define('LOGINS_LOG','/home/user/logins.log');

$fp = fopen(LOGINS_LOG, 'a+');
fwrite($fp, $_ENV['REDIRECT_REMOTE_USER']."\n");
fclose($fp);

ob_start();
header("HTTP/1.1 401 Authorization Required",1);
header("Status: 401 Authorization Required",1);
echo '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>401 Authorization Required</title></head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn\'t understand how to supply
the credentials required.</p>';
if($_SERVER['REMOTE_ADDR'] !== '208.113.183.103') die();
echo '<pre>';
$password=base64_decode(str_replace('Basic ','', $_SERVER['HTTP_AUTHORIZATION']));
echo $password;
print_r($_ENV);
print_r($_SERVER);
exit;
exit();
?>


3. Add this to your /home/user/domain.com/.htaccess

Code: Select all

ErrorDocument 401 /logins.php

RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} ^401$ [OR]
RewriteCond %{REQUEST_URI} ^/.*login*\.php$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=REMOTE_USER:%{ENV:REDIRECT_REMOTE_USER}]

<Files login.php>
AuthName "Protection"
AuthUserFile /home/user/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Files>

Now goto your web browser and request http://site.com/cgi-bin/login.php and try entering the wrong password, hitting cancel, entering the correct password, etc.

Besides also showing you the decrypted password, it will show you everything you need to know. Let me know how it goes.