SetEnv vs. SetEnvIf --

[ibips]

Hi all,

I am trying to limit access to a directory, allowing only request with certain env variable set to get resources.

This configuration will not give me access to the resource.
--------------DOESNT WORK----------
SetEnv let_me_in 1
<Directory "/web/htdocs/zips">
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>
-----------------------------------

However, if I change the configuration using SetEnvIf, it will allow me access to the resource (zip file within that directory).
------------WORKS------------------
SetEnvIf User-Agent ^Mozilla/4\.0 let_me_in
<Directory "/web/htdocs/zips">
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>
-----------------------------------

Does this two commands (SetEnv/SetEnvIf) sets the same environment variable? If so, why does the first config (with SetEnv) doesn't work?

Thanks,

 

[feherke]

Hi

Interesting question. Of course, there is only one environment, so both sets the same variable. I did not noticed until now, but you are right, with [tt]SetEnv[/tt] the trick does not work. But it set the variable. I already used it, but only from CGI scripts.

So I think the problem is other. [tt]SetEnv[/tt] is implemented in mod_env and [tt]SetEnvIf[/tt] in mod_setenvif. A possible difference between them could be the execution order. Seems that mod_setenvif get runned before mod_access, while mod_env only after that. So the variable is set, but too late.

Just a theory.

Feherke.

http://rootshell.be/~feherke/

 

[ibips]

Hi Feherke,

Thanks for your reply. My original intention was to set the environment var from php (using apache_setenv("let_me_in", "1") to control authorization of certain resources, verifying it against user database in php.

I tried your sugesstion on the order of the apache mod.
Tried different combination between the 3 modules order.
I moved them around to every possible combination (settings at the bottom), but it does not help. Unless, I need to recompile for this to take effect?

In the meantime, I'm going to try to get around the problem by using Basic Auth to restrict the directory access. I will attempt to have php send http headers to send Basic Auth credentials to apache.


Original setting:
LoadModule access_module modules/mod_access.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so

Setting1:
LoadModule access_module modules/mod_access.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule env_module modules/mod_env.so


Change2:
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule access_module modules/mod_access.so

Change3:
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule env_module modules/mod_env.so
LoadModule access_module modules/mod_access.so

Thanks,
ivan

 

[feherke]

Hi

My original intention was to set the environment var from php (using apache_setenv("let_me_in", "1") to control authorization of certain resources, verifying it against user database in php.

Hmm... Interesting idea. But where do you want to put that PHP code ?

I tried your sugesstion on the order of the apache mod.
Tried different combination between the 3 modules order.

No, I did not made any suggestion. I do not belive that the order of loading the modules will change the order of their execution.

Is possible to find some usefull details here :

http://httpd.apache.org/docs/2.0/developer/API.html

Feherke.

http://rootshell.be/~feherke/