NetBSD-Users archive


Re: bozohttpd .htpasswd basic auth being non recursive



On 01 Jun 2019, mayuresh%acm.org@localhost wrote:

> On Sat, Jun 01, 2019 at 08:33:42AM +0100, Mark Carroll wrote:
>> I'm running lighttpd on NetBSD, also hosting DokuWiki. Seems great so
>> far,
>
> Thanks for sharing first hand experience. My requirement is also like
> yours - simple hardware, not too many concurrent users (maybe in single
> digit max).
>
> What sort of auth did you use?

(This will make more sense once you've glanced over lighttpd's config
file structure but,) I start out the configuration with having
url.access-allow permit nothing then I protect subdirectories based on
users and passwords. I have some HTTPS setup setting ssl.pemfile,
ssl.cipher-list, etc. then within a $HTTP["scheme"] == "https" block I
set auth.backend and auth.backend.htdigest.userfile and have stuff like,

auth.require = (
  "/some/subdirectory/" =>
    ("method"  => "digest",
     "realm"   => "some-realm",
     "require" => "valid-user",
    ),
)

then still in that "https" block I write some inner $HTTP["url"] =~
"^/some/URL/regex" blocks that set url.access-allow for whatever file
extensions I want to permit in them.

For that htdigest userfile I set, it was just a case of putting the
hashes of the users, passwords, realms line-by-line.

I didn't attempt to integrate with DokuWiki's authentication so for the
more sensitive areas of the wiki people have to go through two layers
but they haven't complained, I suppose their browsers just remember it
all anyway for them. (I don't want to get my wiki access substructure
mixed into my web server access stuff!)

It's highly likely that I just tweaked existing official examples
because porting my whole configuration took no more than a few hours
then I spent a bit of time another day getting the HTTPS all green in
the usual online server checking sites. The lighttpd official docs are
quite reasonable, I don't remember having to dig up secret knowledge or
being long frustrated by mysterious behaviors or having to read over the
whole manual three times.

The main thing for me is just remembering to include enough of /var/
among critical_filesystems_local so I get to see logs at all. (-: (I
tend to put things that might grow plenty onto separate partitions.)

-- Mark
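
The htdigest userfile mentioned above holds one user:realm:hash line per account, where the hash is the MD5 of "user:realm:password". As an added example that is not part of the original post, the Python below builds such lines and validates a userfile before it is deployed; the account names and passwords are constructed, and "some-realm" is the placeholder realm from the message.

```python
import hashlib
import hmac
import string

def htdigest_line(user, realm, password):
    """Build one userfile entry: user:realm:MD5(user:realm:password)."""
    if any(c in user + realm for c in ":\r\n") or any(c in password for c in "\r\n"):
        raise ValueError("':' and newlines would corrupt the line format")
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"

def parse_userfile(text):
    """Return {(user, realm): hash}; reject malformed or duplicate lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:realm:hash")
        user, realm, ha1 = parts
        if len(ha1) != 32 or not set(ha1) <= set(string.hexdigits):
            raise ValueError(f"line {lineno}: hash is not 32 hex digits")
        if (user, realm) in entries:
            raise ValueError(f"line {lineno}: duplicate {user}@{realm}")
        entries[(user, realm)] = ha1.lower()
    return entries

def check_password(entries, user, realm, password):
    """True only if the password matches the stored hash for that realm."""
    stored = entries.get((user, realm))
    if stored is None:
        return False
    candidate = htdigest_line(user, realm, password).rsplit(":", 1)[1]
    return hmac.compare_digest(candidate, stored)

# Constructed sample accounts; "some-realm" must match the "realm" value
# in auth.require, otherwise the stored hash never matches.
SAMPLE = "\n".join([
    htdigest_line("alice", "some-realm", "correct horse"),
    htdigest_line("bob", "some-realm", "s3cret:with:colons"),
]) + "\n"

if __name__ == "__main__":
    users = parse_userfile(SAMPLE)
    print(SAMPLE, end="")
    print(check_password(users, "alice", "some-realm", "correct horse"))
    print(check_password(users, "alice", "other-realm", "correct horse"))
```

Because the realm is part of the hashed string, renaming a realm in auth.require invalidates every stored entry for it, and the stored hash is itself the digest credential, so the userfile should be readable only by the web server user.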

