logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.




HTTP GET for pdf/zip files under protected <Directory>

 
Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules



View previous topic :: View next topic  
Author Message
alexqian



Joined: 07 Jan 2016
Posts: 7
Location: U.S.A

PostPosted: Wed 27 Jan '16 4:42    Post subject: HTTP GET for pdf/zip files under protected <Directory> Reply with quote

Newly upgraded from Apache 2.2 to 2.4...we have a login protected Directory (<Directory /var/www/html/main>) using mod_auth_form 2.4/mod_session_dbd. After users logging in successfully to the protected directory, a session cookie was set and a main web page was shown where they can access various resources under the protected directory. We found http GET method for some resources in the directory work (return code 200), some do not (return code 307).

For example, after logging in successfully the first time, I can then go to some files under the /var/www/html/main with no issues (no login required), but I got code 307 for other files under the same directory /var/www/html/main/ and subsequently redirected to the login page again . Not sure why the file types seem to matter…

Any one knows what the issue might be with GET for these pdf/zip files after the user already logged in the protected Directory <Directory /var/www/html/main>?

Quote:
# ls -lt /var/www/html/main
total 17124
-rw-r----- 1 apache apache 70606 Jan 25 12:13 main.php
-rw-r----- 1 apache apache 5296 Jan 23 12:44 changePW.php
…
-rw-r----- 1 apache apache 1279 Jan 18 08:00 na.php


135.224.29.80 alex2 [25/Jan/2016:15:04:48 -0500] "GET /main/main.php HTTP/1.1" 200 20390 "https://protected.wow.com/main/main.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36" 679 21163
135.224.29.80 alex2 [25/Jan/2016:15:34:56 -0500] "GET /main/changePW.php HTTP/1.1" 200 11386 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36" 1172 12305



But not these:

Quote:
-rw-r----- 1 apache apache 17312240 Jan 18 08:00 900_UserGuide.pdf
-rw-r----- 1 apache apache 2420 Jan 18 08:00 alerter.zip


135.224.29.80 alex2 [25/Jan/2016:15:38:40 -0500] "GET /main/900_UserGuide.pdf HTTP/1.1" 307 226 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36" 1181 912


135.224.29.80 alex2 [25/Jan/2016:15:40:20 -0500] "GET /main/alerter.zip HTTP/1.1" 307 226 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36" 603 767
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6383
Location: Germany, Next to Hamburg

PostPosted: Wed 27 Jan '16 10:47    Post subject: Reply with quote

The error code 307 is a Temporary Redirect. I wonder why apache tries to redirect you.

it would be nice if you would offer a sample config so that we can try it.
Back to top
alexqian



Joined: 07 Jan 2016
Posts: 7
Location: U.S.A

PostPosted: Wed 27 Jan '16 18:53    Post subject: Reply with quote

I think it is because I have the "ErrorDocument" directive in the <Directory /var/www/html/main>

Here is the segment of my httpd.conf (we use mod_auth_form and mod_authnz_external, mod_authnz_external just allows us to provide our own authUser script instead of using the standard mod_authz_dbd. I checked in all instances the authUser script passed authentication check):


Quote:
<Directory "/var/www/html/main">

Options -Indexes +FollowSymLinks

SSLRequireSSL

SetHandler form-login-handler
AuthType form
AuthName "9900"
AuthFormLoginSuccessLocation /main/main.php
AuthFormProvider external
AuthExternal secmgrws
AuthFormUsername uid
AuthFormPassword password
ErrorDocument 401 /login2.php
SetHandler form-logout-handler
AuthFormLogoutLocation /main/logout.php
Session On
SessionEnv Off
SessionMaxAge 300
SessionDBDCookieName session path=/;secure;
SessionDBDSelectLabel selectsession
SessionDBDDeleteLabel deletesession
SessionDBDInsertLabel insertsession
SessionDBDUpdateLabel updatesession
SessionDBDCookieRemove Off
Require valid-user

</Directory>


I did the following experiment: If I commented out these 3 lines

Quote:
# ErrorDocument 401 /login2.php
# SetHandler form-logout-handler
# AuthFormLogoutLocation /main/logout.php


I get 405

135.224.23.24 alex2 [27/Jan/2016:11:38:10 -0500] "GET /main/9900_UserGuide.pdf HTTP/1.1" 405 247 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537. 36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" 1081 889

If I just remove the ErrorDocument line:

# ErrorDocument 401 /login2.php
SetHandler form-logout-handler
AuthFormLogoutLocation /main/logout.php

I get 307 followed by 401

135.224.23.24 alex2 [27/Jan/2016:11:39:42 -0500] "GET /main/9900WNG_UserGuide .pdf HTTP/1.1" 307 226 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537. 36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" 1081 912
135.224.23.24 alex2 [27/Jan/2016:11:39:43 -0500] "GET /main/logout.php HTTP/1 .1" 401 381 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" 502 888
Back to top
alexqian



Joined: 07 Jan 2016
Posts: 7
Location: U.S.A

PostPosted: Thu 28 Jan '16 0:02    Post subject: Reply with quote

Another experiment I did was to create files of other types under the protected /var/www/html/main/, like test.txt, test.htm. It appears only php files got retrieved OK (http code 200), retrieving other file types (txt, htm, pdf, zip) are all rejected by server (oode 405). Any clues what's going on here?
Back to top
alexqian



Joined: 07 Jan 2016
Posts: 7
Location: U.S.A

PostPosted: Thu 28 Jan '16 5:51    Post subject: Reply with quote

I do see an error in ssl_error_log:

Quote:
[Tue Jan 26 13:15:42.627132 2016] [auth_form:error] [pid 19259] [client 135.224.23.24:49913] AH01811: the form-login-handler only supports the POST method for /main/9900_UserGuide.pdf, referer: ...
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules
Page 1 of 1