
The authentication does not work together with AccessList

Alex
18 January 2010, 15:34
Hello Hugo,

The topic already says everything: I would like to use two protective functions for a folder, but this does not work.
Here is the segment from my configuration file:

.....
Directory {
Path = /var/www/mysite.de/administrator
StartFile = index.php
PasswordFile = basic:/var/www/.passwords
AccessList = allow 86.34.0.0/16, deny all
ExecuteCGI = yes
}
......


How can I do this?

Thanks in advance.

Greetings, Alex.

Hiawatha version: 6.19
Operating System: Debian Lenny x86_64
Hugo Leisink
18 January 2010, 16:06
The format of AccessList parameters is (allow|deny|pwd) <IP address[/netmask]>

'allow' always gives access, 'deny' always denies access and 'pwd' allows access if a valid password has been given.

I'm not really sure what you are trying to achieve, but my guess is that
AccessList = allow 86.34.0.0/16, deny all

must be
AccessList = pwd 86.34.0.0/16, deny all
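The difference between the two AccessList lines above, as an added example that is not part of the original thread or of Hiawatha's code. It assumes entries are checked in order, the first match decides, 'all' matches every address and an unmatched client is granted access; the client addresses are constructed.

```python
import ipaddress

# Assumed semantics (labelled as an assumption, see lead-in): entries are
# checked in order, the first match decides, 'all' matches every address,
# and a client matching no entry is granted access.
def parse_access_list(value):
    rules = []
    for item in value.split(","):
        parts = item.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny", "pwd"):
            # An empty item is what a stray trailing comma produces.
            raise ValueError(f"bad AccessList entry: {item.strip()!r}")
        action, target = parts
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def decide(rules, client_ip, valid_password=False):
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            if action == "allow":
                return "granted"          # password is never asked for
            if action == "deny":
                return "denied"           # a password does not help
            return "granted" if valid_password else "password required"
    return "granted"

ORIGINAL = "allow 86.34.0.0/16, deny all"   # from Alex's first post
SUGGESTED = "pwd 86.34.0.0/16, deny all"    # Hugo's correction

if __name__ == "__main__":
    # Client addresses below are constructed sample values.
    for label, value in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        rules = parse_access_list(value)
        for ip in ("86.34.10.20", "203.0.113.9"):
            print(label, ip, decide(rules, ip), decide(rules, ip, True))
```

With the original line, a client inside 86.34.0.0/16 is granted access without any password prompt, so PasswordFile is never consulted for it.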
Alex
18 January 2010, 17:19
It leads to '500 - Internal Server Error'.
The log file says 'error in configuration file'. I will look for the cause and report back.
Thanks for the answer Hugo.
Alex
18 January 2010, 17:55
OK, it was a mistake in .hiawatha, one comma too many.
Now everything works very well.
Alex
19 January 2010, 15:11
Hi Hugo,
I have a problem again, the authentication is not accepted.
I have done the following:
# htpasswd -nbm admin test123
admin:$apr1$xQnDVk4u$jE3EtT4VR7Do9jZ2lbavl.

Then I inserted
admin:$apr1$xQnDVk4u$jE3EtT4VR7Do9jZ2lbavl.
into .passwords.
The segment from the configuration file is above.

What have I done wrong?

Greetings, Alex.
Hugo Leisink
19 January 2010, 15:13
Is the .passwords file readable for the webserver?
Alex
19 January 2010, 15:21
You mean chmod?
OK, the owner is www-data, but it still does not work.
Hugo Leisink
19 January 2010, 15:26
Don't use the 'm' flag with htpasswd.
htpasswd -nb admin test123
Alex
19 January 2010, 15:31
Doesn't work.
Alex
19 January 2010, 15:33
Does it work for you?
Hugo Leisink
19 January 2010, 15:34
Yes, works fine here.
Alex
19 January 2010, 16:05
Maybe you can find a mistake in the configuration file:

# Hiawatha main configuration file
#


# GENERAL SETTINGS
#
ServerId = www-data
ConnectionsTotal = 150
ConnectionsPerIP = 10
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log


# BINDING SETTINGS
# A binding is where a client can connect to.
#
Binding {
Port = 80
MaxRequestSize = 3072
MaxUploadSize = 100
MaxKeepAlive = 100
TimeForRequest = 3,20
}
#
#Binding {
# Port = 443
# Interface = ::1
# MaxKeepAlive = 30
# TimeForRequest = 3,20
# SSLcertFile = hiawatha.pem
#}


# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 30
BanOnMaxPerIP = 60
BanOnMaxReqSize = 60
BanOnFlooding = 5/1:15
BanOnWrongPassword = 3:120
BanOnDeniedBody = 120
KickOnBan = yes
RebanDuringBan = yes
PreventCSRF = yes
PreventXSS = yes


# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications. Use the 'php-fcgi'
# tool to start PHP as a FastCGI daemon.
#
CGIhandler = /usr/bin/perl:pl
#CGIhandler = /usr/bin/php-cgi:php
#CGIhandler = /usr/bin/python:py
#CGIhandler = /usr/bin/ruby:rb
#CGIhandler = /usr/bin/ssi-cgi:shtml
CGIextension = cgi
#
FastCGIserver {
FastCGIid = PHP5
ConnectTo = 127.0.0.1:2005
Extension = php
SessionTimeout = 150
}

UrlToolkit {
ToolkitID = joomla
Match mosConfig_[a-zA-Z_]{1,21}(=|\%3D) DenyAccess
Match base64_encode.*\(.*\) DenyAccess
#Match (<|%3C).*script.*(>|%3E) DenyAccess
Match GLOBALS(=|\[|\%[0-9A-Z]{0,2}) DenyAccess
Match _REQUEST(=|\[|\%[0-9A-Z]{0,2}) DenyAccess
RequestURI exists Return
Match .* Rewrite /index.php
}

# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = 65.64.78.32
WebsiteRoot = /var/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
#LoginMessage = Der Zugang Wird bewacht !!!
#PasswordFile = digest:/var/www/.passwords
Alias = /mysql:/usr/share/phpmyadmin
Alias = /backup:/var/www/backup
AccessList = pwd 82.53.0.0/16, deny all
UseFastCGI = PHP5
ExecuteCGI = yes
TimeForCGI = 240
UseGZfile = yes
EnablePathInfo = yes
#ErorHandler = 404:/error.cgi

# VIRTUAL HOSTS
# Use a VirtualHost section to declare the websites you want to host.
#
VirtualHost {
Hostname = mysite1.de, www.mysite1.de
WebsiteRoot = /var/www/mysite1.de
StartFile = index.php
AlterGroup = www-data
AccessLogfile = /var/www/mysite1.de/logs/access.log
ErrorLogfile = /var/www/mysite1.de/logs/error.log
ExecuteCGI = yes
FollowSymlinks = yes
EnablePathInfo = yes
TriggerOnCGIstatus = no
TimeForCGI = 60
UseFastCGI = PHP5
UseToolkit = joomla
EnablePathInfo = yes
UseGZfile = yes
}

VirtualHost {
Hostname = mysite2.de, www.mysite2.de
WebsiteRoot = /var/www/mysite2.de
StartFile = index.php
AlterGroup = www-data
AccessLogfile = /var/www/mysite2.de/logs/access.log
ErrorLogfile = /var/www/mysite2.de/logs/error.log
ExecuteCGI = yes
FollowSymlinks = yes
EnablePathInfo = yes
TriggerOnCGIstatus = no
TimeForCGI = 60
UseFastCGI = PHP5
UseToolkit = joomla
EnablePathInfo = yes
UseGZfile = yes
}

VirtualHost {
Hostname = mysite3.de, www.mysite3.de
WebsiteRoot = /var/www/mysite3.de
StartFile = index.php
AlterGroup = www-data
AccessLogfile = /var/www/mysite3.de/logs/access.log
ErrorLogfile = /var/www/mysite3.de/logs/error.log
ExecuteCGI = yes
FollowSymlinks = yes
EnablePathInfo = yes
TriggerOnCGIstatus = no
TimeForCGI = 60
UseFastCGI = PHP5
UseToolkit = joomla
EnablePathInfo = yes
UseGZfile = yes
}

# DIRECTORY SETTINGS
# You can specify some settings per directory.
#
Directory {
Path = /var/www/mysite1.de/administrator
StartFile = index.php
AccessList = pwd 82.53.0.0/16, deny all
PasswordFile = basic:/var/www/.passwords
ExecuteCGI = yes
}
Directory {
Path = /var/www/mysite2.de/administrator
StartFile = index.php
AccessList = pwd 82.53.0.0/16, deny all
PasswordFile = basic:/var/www/.passwords
ExecuteCGI = yes
}
Directory {
Path = /var/www/mysite3.de/administrator
StartFile = index.php
AccessList = pwd 82.53.0.0/16, deny all
PasswordFile = basic:/var/www/.passwords
ExecuteCGI = yes
}
Hugo Leisink
22 January 2010, 14:44
I have no idea what goes wrong. Hiawatha works fine, just checked everything. There must be some mistake you are making.
Alex
25 January 2010, 20:10
Thanks Hugo,
I don't understand what mistake I am making.
What can the authentication depend on?
Maybe the password is generated wrongly on my side, let us test this.
How does this look for you?
htpasswd -nb admin test123
Hugo Leisink
28 January 2010, 15:07
The htpasswd generates a unique output every time you run it. But the length of the password should be the same every time. My output is this:
admin:LipnnLblRz0N6

You should have a similar output.
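A way to check whether the entries in a password file have the same shape as Hugo's output, as an added example that is not part of the original thread or of Hiawatha's code. It assumes the expected entry is the 13-character traditional crypt format his sample shows; the function names are hypothetical and the two sample lines are the ones quoted in this thread.

```python
import re

def hash_scheme(hash_field):
    """Classify an htpasswd hash by its well-known prefix or length."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"            # what 'htpasswd -m' produces
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "des-crypt"           # 13 characters, as in Hugo's output
    return "unknown"

def audit_password_file(text, expected="des-crypt"):
    """Return (line number, problem) pairs for entries that look wrong."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line != line.strip():
            findings.append((lineno, "leading or trailing whitespace"))
        user, sep, rest = line.strip().partition(":")
        if not sep or not user:
            findings.append((lineno, "no user:hash separator"))
            continue
        # Only the field right after the user name is treated as the hash.
        scheme = hash_scheme(rest.split(":")[0])
        if scheme != expected:
            findings.append((lineno, f"{user}: {scheme}, expected {expected}"))
    return findings

# The two entries quoted in this thread: Alex's '-m' output and Hugo's output.
SAMPLE = (
    "admin:$apr1$xQnDVk4u$jE3EtT4VR7Do9jZ2lbavl.\n"
    "admin:LipnnLblRz0N6\n"
)

if __name__ == "__main__":
    for lineno, problem in audit_password_file(SAMPLE):
        print(f"line {lineno}: {problem}")
```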
Alex
28 January 2010, 15:50
Thanks,
I have already tried everything, nothing works.
Maybe there isn't any program or tool for my Debian.
What do I need so that it works?
Alex
12 April 2010, 08:31
I am disappointed, it does not work in the new version 7.1 either.
Does nobody here have this problem?
Hugo Leisink
12 April 2010, 16:20
Are you using some kind of security patch on your kernel, like grSecurity or SELinux?
Alex
12 April 2010, 16:45
I don't use this, but this is installed:
dpkg -l| grep SELinux
ii libselinux1 2.0.89-4 SELinux runtime shared libraries
ii libsepol1 2.0.40-2 SELinux library for manipulating binary secu

Alex
12 April 2010, 19:47
Should I uninstall this?
Hugo Leisink
12 April 2010, 19:59
As long as you don't have SELinux enabled in your kernel, it won't be a problem. If you are using a default Debian kernel, this is the case.

I'm still thinking about what can be the cause of your problem. I've done several tests here. HTTP authentication works just fine. I've no idea, yet.
This topic has been closed.