Re: [cgiwrap-users] Is there no relief?
From: Nathan N. <nn...@um...> - 2003-02-13 03:22:17
Generally, on all my servers (around 30 different web servers split among two main domains), I configure a central auth-cgi-bin directory that authenticates against the system password database/kerberos/etc. All cgi's run through that path are authenticated. I then leave it up to the particular cgi script to do its own authorization (authentication vs. authorization). It takes a little bit to get used to initially, but it's a LOT easier over the long run when you can know for sure that "If it came via auth-cgi-bin, I know for certain that the user has been authenticated, and that I can fully trust the value of REMOTE_USER to be accurate."

For password safety, I recommend all auth-cgi-bin be SSL-only, but that's up to your individual policies. If you're using digest-auth, that's less imperative.

-- Nathan

On Wed, 2003-02-12 at 20:48, Tuc wrote:
> >
> > Not sure on either.
> >
> > I think you'd need something like a rewrite rule that says "if it's not
> > an internal request, redirect this pattern to your protected path".
> >
> > Unfortunately, I'm not really a mod_rewrite expert. You might consider
> > asking on the apache httpd-users list and passing information back here
> > - I'll be happy to add it to the tips and tricks documentation.
> >
> Then how do you stop this on your own servers, or are you
> vulnerable too?
>
> Tuc/TTSG Internet Services, Inc.

--
------------------------------------------------------------
Nathan Neulinger                       EMail: nn...@um...
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                     Fax: (573) 341-4216
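The pattern Nathan describes (the web server authenticates everything under auth-cgi-bin and sets REMOTE_USER; each script only does authorization) as an added illustration, not code from the list or from cgiwrap. The policy table, the /auth-cgi-bin/ prefix check on SCRIPT_NAME and the HTTPS check are assumptions for this example.

```python
#!/usr/bin/env python3
"""Authorization inside a CGI that is only ever served from an authenticated path.

Assumption: the web server authenticates every request under /auth-cgi-bin/
and sets REMOTE_USER. This script never checks a password itself; it decides
what the already-authenticated user may do, and refuses to act at all when the
environment shows it was not reached through the authenticated path.
"""
import os
import sys

# Constructed sample policy: which users may run which actions.
AUTHZ_POLICY = {
    "report": {"alice", "bob"},
    "admin": {"alice"},
}

AUTH_PREFIX = "/auth-cgi-bin/"  # assumed ScriptAlias path that is authenticated


def authorize(environ, action, policy=AUTHZ_POLICY, require_ssl=True):
    """Return (allowed, reason) for an action requested by the caller."""
    user = environ.get("REMOTE_USER")
    script = environ.get("SCRIPT_NAME", "")
    if not user:
        return False, "no REMOTE_USER: request did not pass server authentication"
    if not script.startswith(AUTH_PREFIX):
        # Defense in depth: the same script served from an unauthenticated path
        # would carry no trustworthy identity, so do nothing.
        return False, "not invoked via %s; refusing" % AUTH_PREFIX
    if require_ssl and environ.get("HTTPS", "").lower() != "on":
        return False, "password-protected path must be reached over SSL"
    if user not in policy.get(action, set()):
        return False, "user %s not authorized for action %s" % (user, action)
    return True, "ok"


def main():
    # Action name is taken from the query string, e.g. ?admin (constructed convention).
    action = os.environ.get("QUERY_STRING", "") or "report"
    allowed, reason = authorize(os.environ, action)
    sys.stdout.write("Status: %s\r\n" % ("200 OK" if allowed else "403 Forbidden"))
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write("%s: %s\n" % (action, reason))


if __name__ == "__main__":
    main()
```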