I have a reasonably lengthy block of authorization config directives within an Apache <Directory> context in a virtual host configuration file.
It has LDAP credentials and a complex filter that will be annoying to reproduce within the vhost configuration file.
Here's a simplified example:
ServerName server.domain.com
DocumentRoot /var/www/server.domain.com
<Directory /var/www/server.domain.com/>
    AllowOverride FileInfo
    Options +ExecCGI
    # PASSWORD PROTECT
    AuthType Basic
    AuthBasicProvider ldap file
    AuthName "INTERNAL"
    AuthLDAPURL ldap://xxx
    AuthLDAPBindDN uid=xxx,cn=xxx
    AuthLDAPBindPassword xxx
    AuthzLDAPAuthoritative on
    AuthUserFile /var/www/server.domain.com/.htpasswd
    Require valid-user
</Directory>
Alias /alias1 /var/www/alias1.domain.com
<Directory /var/www/alias1.domain.com>
    # ?
</Directory>
Alias /alias2 /var/www/alias2.domain.com
<Directory /var/www/alias2.domain.com>
    # ?
</Directory>
Alias /alias3 /var/www/alias3.domain.com
<Directory /var/www/alias3.domain.com>
    # ?
</Directory>
</VirtualHost>
Now because most of the Auth* directives have to be used within a Directory or .htaccess context, I am faced with having to repeat the full AuthType...Require valid-user block for each Alias that I add.
The only way I can think of to avoid this is to split the auth section out into a separate file and reference that using Include.
As a solution the Include would work fine and be easy to maintain.
Is there another way of doing this which gives a cleaner vhost configuration file with less repetition?
Just in case there's a great way of doing things like this in Apache that I haven't picked up in the last 15 years!
EDIT: I should point out that the reason I'm using Alias is for easy deployment; I don't want to have to re-create symlinks whenever I re-build that DocumentRoot directory. I realise though that using symlinks and Location would provide the cascade I would be looking for to avoid the repetition.
The problem I've got, I suppose, is more to do with the fact that Alias requires a matching Directory block to be able to restrict access.
You could use mod_authn_alias to group and reuse some of the directives, but I don't think it would help much. You'd still have to repeat a lot of the directives.
In my experience, the Include solution works well and is easy to maintain.
Could you apply your authnz directives to all of /var/www? That would eliminate the need to specify them separately for each subdirectory. If not, maybe you could move just the sites that need the authnz into a subdirectory, say /var/www/authnz, and apply the settings just once to that directory.
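With the Include approach from the question, the remaining risk is a new Alias whose Directory block is missing or never gets the Include. The following check is an added example, not code from any of the posts: it flags such aliases in a vhost file. The include path /etc/apache2/auth-internal.conf and the sample vhost are constructed, and the check does not follow inheritance from a parent directory such as /var/www or from .htaccess files.

```python
import re

# Hypothetical path of the shared auth snippet pulled in with Include.
AUTH_INCLUDE = "/etc/apache2/auth-internal.conf"

# Constructed sample: alias2 has no <Directory> block, alias3 has an empty one.
SAMPLE_VHOST = """\
<Directory /var/www/server.domain.com/>
    Include /etc/apache2/auth-internal.conf
</Directory>
Alias /alias1 /var/www/alias1.domain.com
<Directory /var/www/alias1.domain.com>
    Include /etc/apache2/auth-internal.conf
</Directory>
Alias /alias2 /var/www/alias2.domain.com
Alias /alias3 /var/www/alias3.domain.com
<Directory /var/www/alias3.domain.com>
    # ?
</Directory>
"""

def unprotected_aliases(conf, auth_include):
    """Return Alias URL paths whose target has no <Directory> block holding
    a restrictive Require or an Include of auth_include."""
    aliases = {}       # normalised target path -> URL path
    protected = set()  # <Directory> paths that carry auth directives
    current = None     # path of the <Directory> block being read
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            current = m.group(1).rstrip("/")
            continue
        if re.match(r"</Directory>", line, re.I):
            current = None
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "alias" and len(args) == 2:
            aliases[args[1].strip('"').rstrip("/")] = args[0]
        elif current is not None:
            # "Require all granted" opens access, so it does not count.
            restricts = name == "require" and [a.lower() for a in args] != ["all", "granted"]
            includes = name == "include" and args == [auth_include]
            if restricts or includes:
                protected.add(current)
    return sorted(url for path, url in aliases.items() if path not in protected)
```

Because the shared file holds AuthLDAPBindPassword, keep it outside any DocumentRoot and readable only by the account that starts Apache.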