
/cgi-bin .htaccess or apache2.config rules bring up password dialog but cgi executes before authorization

I have some CGI scripts that create dynamic content that we need to password protect. However, if I put apache2 authorization requirements on the cgi-bin, the authorization dialog pops up, but behind the dialog the page loads anyway, and users can just cancel the authorization dialog and access the content created by the CGI script. How do I prevent this behavior and force the authorization check before the script executes?

-Thanks

J

As far as I can tell, this is a bug in apache2 module execution priorities. I worked around this by moving the cgi-bin out of the default Ubuntu directory /usr/lib/cgi-bin and into the actual website directory /var/www/html/mywebsite/cgi-bin by editing apache2.conf as follows. Note that /var/www/html/mywebsite is symlinked to /mywebsite:

# Include list of ports to listen on
Include ports.conf


ScriptAlias "/cgi-bin/" "/var/www/html/mywebsite/cgi-bin/"


# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    AuthUserFile /mywebsite/.htpasswd
    AuthType Basic
    AuthName "from root"
    Require valid-user
</Directory>

<Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride None
        AuthUserFile /mywebsite/.htpasswd
        AuthType Basic
        AuthName "from var/www/html"
        Require valid-user
</Directory>

#<Directory /usr/share>
#   AllowOverride None
#   Require all granted
#</Directory>

<Directory /var/www/html/mywebsite/cgi-bin/>
    Options Indexes FollowSymLinks ExecCGI
    #AddHandler cgi-script .cgi
    SetHandler cgi-script 
    AllowOverride None
    AuthUserFile /mywebsite/.htpasswd
    AuthType Basic
    AuthName "from cgi-bin"
    Require valid-user
</Directory>



#<Directory /srv/>
#   Options Indexes FollowSymLinks
#   AllowOverride None
#   Require all granted
#</Directory>




# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
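
To check which section actually decides access for a CGI directory, the following added example (not part of the original answer) reads a config text and reports, for each ScriptAlias target, the most specific `<Directory>` section that carries `Require` lines. It assumes Apache 2.4 with the default `AuthMerging Off`, handles only literal `<Directory>` paths (no `Include`, `<Location>`, `.htaccess` or symlink resolution), and the `/legacy-cgi/` alias and the function names are constructed for illustration.

```python
import re

# Constructed sample (not the poster's file): two ScriptAlias targets, one of
# which falls under a more specific section that grants access to everyone.
SAMPLE_CONF = """
ScriptAlias "/cgi-bin/" "/var/www/html/mywebsite/cgi-bin/"
ScriptAlias "/legacy-cgi/" "/usr/lib/cgi-bin/"
<Directory />
    AuthType Basic
    Require valid-user
</Directory>
<Directory "/usr/lib/cgi-bin">
    Options +ExecCGI
    Require all granted
</Directory>
<Directory /var/www/html/mywebsite/cgi-bin/>
    SetHandler cgi-script
    #Require all granted
    Require valid-user
</Directory>
"""

def _norm(path):
    # Drop quotes and trailing slash so "/a/b/" and /a/b compare equal.
    return "/" + path.strip().strip('"').strip("/")

def _covers(section, target):
    return section == "/" or target == section or target.startswith(section + "/")

def audit_script_aliases(conf):
    """Map each ScriptAlias URL to (status, deciding <Directory> path)."""
    conf = re.sub(r"(?m)^[ \t]*#.*$", "", conf)  # ignore commented-out lines
    sections = []
    for path, body in re.findall(r"(?si)<Directory\s+([^>]+)>(.*?)</Directory>", conf):
        requires = [r.lower() for r in re.findall(r"(?mi)^\s*Require\s+(.+?)\s*$", body)]
        if requires:
            sections.append((_norm(path), requires))
    report = {}
    for url, target in re.findall(r"(?mi)^\s*ScriptAlias\s+(\S+)\s+(\S+)", conf):
        target = _norm(target)
        hits = sorted((s for s in sections if _covers(s[0], target)), key=lambda s: len(s[0]))
        # Most specific section with Require lines wins (AuthMerging Off).
        path, requires = hits[-1] if hits else (None, [])
        status = "OPEN" if "all granted" in requires else "restricted" if requires else "NO REQUIRE"
        report[url.strip('"')] = (status, path)
    return report

if __name__ == "__main__":
    for url, (status, path) in audit_script_aliases(SAMPLE_CONF).items():
        print(f"{url:14} {status:10} decided by <Directory {path}>")
```

An alias reported as OPEN is served without credentials even when a parent section such as `<Directory />` demands `valid-user`, because the more specific section's `Require` lines replace the inherited ones.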
