Question
It seems to me that I have a fundamental misunderstanding of how "mod_auth_form" is supposed to work. I refer to this page of the Apache documentation:
http://httpd.apache.org/docs/current/mod/mod_auth_form.html
I have a public folder and a private folder.
What I want to achieve is that a folder is locked down. The users will need to sign in with their user name and password to see the index.php page of my protected folder.
Here is my virtual host setup:
    <VirtualHost *:80>
        ServerName customform.uwe
        DocumentRoot "/home/uwe/www/protected_custom_form"
        DirectoryIndex index.php
        ErrorLog /var/log/apache2/protected_custom_form.error.log
        CustomLog /var/log/apache2/protected_custom_form.access.log combined
        <Directory "/home/uwe/www/protected_custom_form">
            AllowOverride All
            Allow from All
        </Directory>
        <Directory "/home/uwe/www/protected_custom_form/secret/">
        </Directory>
        <Location /dologin>
            SetHandler form-login-handler
            AuthFormLoginRequiredLocation http://customform.uwe/login.html
            AuthFormProvider file
            AuthUserFile /home/uwe/www/conf/passwd
            AuthType form
            AuthName realm
            Session On
            SessionCookieName session path=/
            SessionCryptoPassphrase secret
        </Location>
    </VirtualHost>
Here is my login form which is hosted in the public folder of my virtual server:
    <form method="POST" action="/dologin">
        Username: <input type="text" name="httpd_username" value="" />
        Password: <input type="password" name="httpd_password" value="" />
        <input type="submit" name="login" value="Login" />
        <input type="hidden" name="httpd_location" value="http://customform.uwe/secret/index.php" />
    </form>
OK, here is what happens:
- going to 'customform.uwe' works nicely -> I see my index page for this folder being displayed
- going to 'customform.uwe/login.html' -> I see my login form coming up and I can sign in and am redirected to the 'index' page of my 'secret' folder
- going to 'customform.uwe/secret/index.php' shows me my index page, signed in or not.
Here is my question:
- How do I protect my secret folder so that a user who is not signed in is redirected to the login form?
- Is this the right approach altogether?
I am really banging my head against the wall at the moment, so thanks a lot for your help.
OK, I believe I have got it sorted now. I must have got a bit confused :-)
The idea I followed includes two things:
- Provide a login functionality
- If a user goes to a page where he/she needs to be authenticated - and he/she is not - redirect the user to the login page
To achieve that I needed to edit two files:
- My Virtual Host
- My login file
This is the virtual host:
    <VirtualHost *:80>
        ServerName customform.uwe
        DocumentRoot "/home/uwe/www/protected_custom_form"
        DirectoryIndex index.php
        ErrorLog /var/log/apache2/protected_custom_form.error.log
        CustomLog /var/log/apache2/protected_custom_form.access.log combined
        # This is the public folder
        <Directory "/home/uwe/www/protected_custom_form">
            AllowOverride All
            Allow from All
        </Directory>
        # This is the login handler; the login form needs to point to this handler in its action!
        <Location /dologin>
            SetHandler form-login-handler
            AuthFormLoginRequiredLocation http://customform.uwe/login.html
            AuthFormLoginSuccessLocation http://customform.uwe/secret/secretindex.php
            AuthFormProvider file
            AuthUserFile /home/uwe/www/conf/passwd
            AuthType form
            AuthName realm
            Session On
            SessionCookieName session path=/
            SessionCryptoPassphrase secret
        </Location>
        # This is the location setting I missed earlier: when a user comes to
        # this location unauthorised, he will be redirected to the login form.
        # This happens as the ErrorDocument gets overwritten with the login page.
        <Location /secret/index.php>
            Require valid-user
            AuthFormProvider file
            ErrorDocument 401 /login.html
            AuthUserFile /home/uwe/www/conf/passwd
            AuthType form
            AuthName realm
            AuthFormLoginRequiredLocation http://customform.uwe/login.html
            Session On
            SessionCookieName session path=/
            SessionCryptoPassphrase secret
        </Location>
    </VirtualHost>
This is the login form HTML. The change in here is that the action handler of the form is now pointing to my location which I defined above:
    <form method="POST" action="/dologin">
        Username: <input type="text" name="httpd_username" value="" />
        Password: <input type="password" name="httpd_password" value="" />
        <input type="submit" name="login" value="Login" />
        <input type="hidden" name="httpd_location" value="/secret/secretindex.php" />
    </form>
This seems to work. It was all (more or less) in the Apache documentation, but I got confused as there is no complete example.
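The question asks how to lock down the folder, while `<Location /secret/index.php>` covers a single file and leaves the login target `/secret/secretindex.php` outside it. The following is an added example, not code from the original post, that applies the same directives to the whole `/secret` URL prefix; the passphrase value is a placeholder, and `Require all granted` and the `httponly` cookie attribute are assumptions added here (Apache 2.4 with the session modules loaded).

```apache
<VirtualHost *:80>
    ServerName customform.uwe
    DocumentRoot "/home/uwe/www/protected_custom_form"
    DirectoryIndex index.php

    # Public part of the site, including /login.html
    # (Require all granted is the Apache 2.4 form of "Allow from All")
    <Directory "/home/uwe/www/protected_custom_form">
        AllowOverride All
        Require all granted
    </Directory>

    # Target of the login form's action attribute
    <Location "/dologin">
        SetHandler form-login-handler
        AuthType form
        AuthName realm
        AuthFormProvider file
        AuthUserFile /home/uwe/www/conf/passwd
        AuthFormLoginRequiredLocation http://customform.uwe/login.html
        AuthFormLoginSuccessLocation http://customform.uwe/secret/secretindex.php
        Session On
        # httponly is an addition in this example, not in the original post
        SessionCookieName session path=/;httponly
        # Placeholder: replace with a long random value
        SessionCryptoPassphrase CHANGE-ME-long-random-placeholder
    </Location>

    # Matches /secret, /secret/ and everything below it, so index.php and
    # secretindex.php are both covered. AuthName and the session settings
    # are identical to /dologin so this block reads the session written there.
    <Location "/secret">
        AuthType form
        AuthName realm
        AuthFormProvider file
        AuthUserFile /home/uwe/www/conf/passwd
        AuthFormLoginRequiredLocation http://customform.uwe/login.html
        Require valid-user
        Session On
        SessionCookieName session path=/;httponly
        SessionCryptoPassphrase CHANGE-ME-long-random-placeholder
    </Location>
</VirtualHost>
```

On this port-80 virtual host the form posts the password over plain HTTP; once the site is served over HTTPS, `secure` can be appended to the `SessionCookieName` attributes.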
Source: https://stackoverflow.com/questions/27180119/apache-mod-auth-form-how-to-lock-down-a-folder