Mixing Auth on Apache
Here at UQ Library we have a blog server that hosts a mix of blogs, some public and some staff-only. Restricting access was a problem because anyone who can reach index.php on the server can see every blog. We use IP restriction here so that computers on our internal network don’t have to go through the pain of logging into the website to see the blogs. There are plenty of plugins for WordPress that work with Lyceum to restrict access based on passwords.
Looking at the problem today, I realised I could use SetEnvIf to solve this issue. The basic example is:
# Mark requests for the public blog (SetEnvIf needs the attribute to test,
# here the request URI; note ^/ms also matches any other path starting with /ms)
SetEnvIf Request_URI ^/ms public_blog=1
<Directory /blah>
# Deny everything, then allow the internal subnet or requests carrying the env var
order deny,allow
deny from all
allow from internal.subnet
allow from env=public_blog
# "satisfy any" means either the IP/env allow or a successful login is enough
satisfy any
</Directory>
But this didn’t work for some reason. I eventually worked out it’s to do with the rewrite rules. Once the request is rewritten, the SetEnvIf test no longer passes, so I put an extra rewrite rule in before the usual rewrite stuff:
# Detect the public_blog env setting and pass it on when redirecting
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{ENV:public_blog} 1
# E= re-sets the variable; after the internal redirect it shows up as REDIRECT_public_blog
RewriteRule ^([^/]+)/? /index.php?b=$1 [L,QSA,E=public_blog:1]
Then I had to add
allow from env=REDIRECT_public_blog
to the auth section above, and now it works! The downside is that making a blog public requires a sysadmin to edit the config rather than it being a config option in the blog itself.
UPDATE: I also had to look through the logs for 401 errors on publicly viewable blogs. I did this by grepping for the URL, then choosing an external IP and grepping for that IP (since most of the 401s happened on files that weren’t blog related, such as the plugins and templates). I then used
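That log check, written up as a small script (an added example, not a command from the original post). It assumes the Apache "common" log format, a public blog under /ms/ and an internal network in 10.1.0.0/16; the log lines are constructed, not real.

```shell
#!/bin/sh
# Added example (not from the original post): list 401 responses on a
# public blog prefix that came from outside the internal subnet, so a
# broken allow/rewrite stands out from the 401s on plugin and template
# files. Assumes the Apache "common" log format (status is field 9).

# Constructed sample access log; addresses and paths are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.1.2.3 - - [01/Jan/2009:10:00:00 +1000] "GET /ms/ HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2009:10:00:01 +1000] "GET /ms/ HTTP/1.1" 401 512
203.0.113.7 - - [01/Jan/2009:10:00:02 +1000] "GET /wp-content/plugins/x.css HTTP/1.1" 401 512
203.0.113.9 - - [01/Jan/2009:10:00:03 +1000] "GET /ms/2009/01/post HTTP/1.1" 401 512
10.1.2.4 - - [01/Jan/2009:10:00:04 +1000] "GET /staff/ HTTP/1.1" 401 512
203.0.113.9 - - [01/Jan/2009:10:00:05 +1000] "GET /ms/ HTTP/1.1" 200 5120
EOF

# Usage: public_blog_401s LOGFILE PUBLIC_PREFIX INTERNAL_IP_PREFIX
# Prints "ip path" for every 401 under PUBLIC_PREFIX from a non-internal IP.
public_blog_401s() {
  awk -v pub="$2" -v internal="$3" '
    $9 == 401 && index($7, pub) == 1 && index($1, internal) != 1 { print $1, $7 }
  ' "$1"
}

# Number of such lines; anything above zero means the public blog is
# still challenging external readers somewhere and the config needs a look.
count_public_blog_401s() {
  public_blog_401s "$1" "$2" "$3" | wc -l | tr -d ' '
}

public_blog_401s "$SAMPLE_LOG" /ms/ 10.1.
echo "external 401s on public blog: $(count_public_blog_401s "$SAMPLE_LOG" /ms/ 10.1.)"
```

Point it at the real access log and your own prefixes to repeat the check after each config change.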

