This is a teeny tiny silly patch to mod_auth_mysql 2.6.0 (thank you!)
With this, you can place AuthMYSQLEnable Off in .htaccess and still get mod_ssl's FakeBasicAuth to work.
I was having problems with mod_auth_mysql defeating mod_ssl with or without +StrictRequire. I tracked it down to this section, swapped the two blocks, and *poof* it worked like magic. It's been working for me for a little while now (a few hours for now). I'll keep playing to see if it breaks anything else.
--- mod_auth_mysql.c 2004-09-21 16:07:42.000000000 -0400
+++ mod_auth_mysql.c.new 2004-09-23 00:38:39.594283040 -0400
@@ -823,12 +823,12 @@
int res;
char *scrambled_sent_pw;
- if ((res = ap_get_basic_auth_pw (r, &sent_pw)))
- return res;
-
if (!sec->mysqlEnable) /* no mysql authorization */
return DECLINED;
+ if ((res = ap_get_basic_auth_pw (r, &sent_pw)))
+ return res;
+
/* Determine the encryption method */
if (sec->mysqlEncryptionField) {
if (strcasecmp(sec->mysqlEncryptionField, "none") == 0)
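Review bot: with the `if (!sec->mysqlEnable)` test now ahead of `ap_get_basic_auth_pw (r, &sent_pw)`, a directory with the module disabled returns DECLINED without this handler ever producing the status it used to pass back through `res`, so any challenge or failure response is left entirely to whichever module handles the request next. That is the behaviour wanted for coexisting with another authentication module, but the ordering is easy to swap back by accident: expand the comment `/* no mysql authorization */` to say the module is disabled for this directory and must decline before reading credentials, and state the same in the documentation for the enable directive. The assignment of `sec` is outside the hunk, so also confirm it is set before this first dereference.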
Thanks for the patch.
Looking at the code, you're correct - I did get the enable test too late. Sorry for the bug; I'll have it fixed in the next version.
Since I made several changes to this version, I'm planning to come out with a 2.6.1 version shortly. It will be a bugfix version just for things like this <G>.
Again, sorry for the bug, and thanks for the patch.
Jerry
No problem.
Also, I should add that I ran into another related issue, but I used the new AuthMYSQLEnable option in a directory's .htaccess. My httpd.conf sample is below (you might need something in the documentation for those using this rather-specific combination).
In the directory /var/www, I have .htaccess:
AuthMySQLEnable off
This is so that mod_auth_mysql will not try to do anything (with the patch) (comment below on this).
My httpd.conf for that directory has the AllowOverride AuthConfig and the optional bits for client certificates using mod_ssl's FakeBasicAuth.
<Directory /var/www>
    AllowOverride AuthConfig
    <IfDefine SSL>
        SSLRequireSSL
        # for client certificates
        SSLVerifyClient optional
        # I am my own CA
        SSLVerifyDepth 1
        SSLOptions +FakeBasicAuth \
                   +StdEnvVars +CompatEnvVars \
                   +StrictRequire +OptRenegotiate
    </IfDefine>
    Order deny,allow
    # force auth
    # either mod_ssl or mod_auth_mysql
    Deny from all
    # from a private trusted net
    Allow from 10.0.1.0/24
    # SOMEBODY, ANYBODY authorize me :)
    Satisfy Any
</Directory>
I know this is all rather site-specific stuff, but this is an example of what I'm using.
The strange thing which caused me to look into this was that mod_auth_mysql seemed to always be attempting to authenticate the user, even with 'AuthMYSQLAuthoritative Off', which I thought was rather odd. Hopefully this will all be useful information :)
Thanks again for the module. It is very helpful.