Multiple .htpasswd, how to make it work?
Before I post the problem, I did search this board but none of the solutions I found worked for me. Merging the .htpasswd files requires too many processes, so it's not worth it.
Here's my situation: I have 2 paysites, and I want the members of paysite1 to be able to access certain members content from paysite2. I thought of placing another AuthUserFile line in the .htaccess on site2 so that site1 members can have access to the content, but because the two sites are on two different servers, it is not possible to point to the .htpasswd from site1. So if anyone has experience with this, please, I need advice bad. |
Well if you're working with 2 servers, there are two options I'd suggest.
1. Run a cron job every 5 minutes to rsync the htpasswd file for SiteA to SiteB and the htpasswd file for SiteB to SiteA. This works if you don't have huge member lists and it's not particularly important for the person to have access to the second site immediately (they have to wait 5 minutes). The downside is they have to enter their username and password again when they go to the second site.
2. Use mod_auth_mysql and have each server connect to their own local database and the remote server's database. The downside to this is you have to have mysql running on both servers and listening on a public ip (unless you set up a vpn between the two servers). The user still has to enter their username and password a second time when they try to enter the second site but they can log in immediately.
3. Use Apache::AuthCookie and use a token based authentication system for clicks between the two sites. This is by far the most complex system to implement but the most user-friendly. The downside to this is some software blocks cookies and makes it difficult for users to login. |
Agreed.
|
Thanks Rodent for replying.
I looked at your options and after some thought, option 3 seems to have too large a potential for failure so I'm not even going to touch it. I have thought about Option 1 for a while; I've been trying to use the method that Labret did, but in the end it's too clumsy of a routine because I have to run cron jobs both for FTPing in to retrieve the newly updated .htpasswd and another cron job for merging the two files. (Will FTPing into the server every 3 minutes wear down my server at all?) That would leave me with option 2, but I have no idea and never heard of this so I have to read up on this more to see what you're talking about. |
You can run mysql as a master / slave with two servers so that if one goes down the other one automatically picks up the traffic, and they are always synchronised.
|
Use a simple php script to point to the file from the first site. This should eliminate your problem.
|
hmm with that u may have problem with clients with same username
cheap solution: dupe members folder from site a to members2 and site b to members2 in each domain (same one u are duping or even other one nm as long as u remember)
then copy .htpasswd or whatever u called it and add to .htaccess from site a to members2 in site b
then copy .htpasswd or whatever u called it and add to .htaccess from site b to members2 in site a
then link site a to members2 siteb
then link site b to members2 sitea
u may get confusions if users goto other site without link first site
u can fix this with cookies and or note in 401 error document specified in the error document apache directive
expensive: get a programmer to cook u something with mod auth external there :-) |
Can't you just have your processor write to both htpass files?
|
Are these servers on the same network?? If so just NFS mount.
|
If both sites are on the same server, I have a hacked apache mod_auth to support a second password file (and hacked copies to support up to 20 password files). This was an old hack I got from riverstyx way back when.. don't think it's available from them anymore (it was GNU anyway)... if anyone wants it, I'll post the source somewhere.
CGI |
Shit, just realized he said different servers :D
You could still use the multiple htpasswd module, but you'll need to scp your password files between servers every 5 minutes or something.. that's how we were doing our videos, which were stored on a separate server, but allowed to be accessed from all our sites. Cookies or referrer were both buggy for that application, so we just synced up the password files and let the video area read from them all. I just did mod_auth2.c through mod_auth20.c and packed them up in a tgz file if anyone needs them... http://www.manicproductions.com/authmodules.tgz It's all gnu, so it's all good .. I've only built them as DSOs, but they probably work fine compiled into the core too. CGI |
Hi CGI... thanks for the hacked mod_auths
I wanted to ask exactly this but seems I don't have to anymore. But can you tell how to implement that into htaccess? Does it look like

AuthUserFile /usr/home/domain.com/.htpasswd
AuthUserFile /usr/home/domain2.com/.htpasswd

or does it work with a text file like

AuthUserFile /usr/home/domain.com/path.txt

where path.txt contains the paths??? Thanks, Stramm |
Like this:
-------
AuthUserFile /home/www/passwords/.htpasswd-psw
AuthGroupFile /dev/null

AuthUserFile2 /home/www/passwords/.htpasswd-ccbill
AuthGroupFile2 /dev/null
AuthAuthoritative2 Off
AuthUserFileStrict2 Off

AuthUserFile3 /home/www/passwords/.htpasswd-ibill
AuthGroupFile3 /dev/null
AuthAuthoritative3 Off
AuthUserFileStrict3 Off

AuthUserFile4 /home/www/passwords/.htpasswd-globill
AuthGroupFile4 /dev/null
AuthAuthoritative4 Off
AuthUserFileStrict4 Off

AuthUserFile5 /home/www/passwords/.htpasswd-globosale
AuthGroupFile5 /dev/null
AuthAuthoritative5 Off
AuthUserFileStrict5 Off
-------

The "AuthAuthoritative# Off" sets it so that if there isn't a valid login/password combo in said file, it will pass it on to the next mod_auth to handle it. The "AuthUserFileStrict# Off" is to tell it to keep checking the other files if it finds a username without a matching password. This means that unlike merging your password files, you can have more than one user with the same username. The only thing you really need to watch is that your password protection system doesn't flip out because of it.

The original mod_auth (the password file, etc above without the number) will be Authoritative and is checked last. If a user/password combo doesn't exist in one of the other files and doesn't exist in mod_auth, apache will stop checking and toss the 401 result again.

We are just starting to experiment with a new system we've come up with to check against password files from a form based login and then dynamically generate a .htpasswd entry using a random username and password. The user then gets redirected into the site. So far it's very promising and has been working very very well for us, plus we can do some new tricks (similar to cookie auth) -- such as "We're sorry, someone is already logged into this account". It also basically makes brute force attacks obsolete. This could be another solution for your problem, but I have no idea when we'd be thinking about marketing it.
ICQ me if you really need something like that and I could rush it :D 2302124 CGI |
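
The fall-through behaviour described in the post above, modelled as an added Python example (it is not the hacked mod_auth source and not code from anyone in the thread). It assumes htpasswd entries in Apache's `{SHA}` format so that it runs with the standard library only; the function names, file labels, usernames and passwords are constructed for illustration.

```python
import base64, hashlib, hmac

def sha_hash(password):
    # Apache "{SHA}" htpasswd scheme: base64(SHA-1(password)). Unsalted; assumed here
    # only so the demo needs no third-party library.
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def parse_htpasswd(text):
    """Return {username: hash}; skip blanks, comments and malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, hashed = line.split(":", 1)
            entries.setdefault(user, hashed)  # first entry for a name wins
    return entries

def authenticate(files, user, password, strict=False):
    """files: ordered (label, entries) pairs. Returns the accepting label, else None (401)."""
    for label, entries in files:
        hashed = entries.get(user)
        if hashed is None:
            continue  # unknown user in this file: pass to the next one
        if hmac.compare_digest(hashed, sha_hash(password)):
            return label
        if strict:
            return None  # name found but password wrong: stop checking
    return None

def collisions(files):
    """Usernames that appear in several files with different hashes."""
    seen = {}
    for label, entries in files:
        for user, hashed in entries.items():
            seen.setdefault(user, {})[label] = hashed
    return {u: sorted(m) for u, m in seen.items() if len(set(m.values())) > 1}

# Constructed sample data (hypothetical accounts, not taken from the thread).
FILES = [
    ("psw", parse_htpasswd(f"# site A\nalice:{sha_hash('pw-site-a')}\n")),
    ("ccbill", parse_htpasswd(f"alice:{sha_hash('pw-site-b')}\nbob:{sha_hash('pw-bob')}\n")),
]

if __name__ == "__main__":
    print(authenticate(FILES, "alice", "pw-site-b"))               # strict off
    print(authenticate(FILES, "alice", "pw-site-b", strict=True))  # strict on
    print(collisions(FILES))
```

`collisions()` lists the usernames that a plain merge of the files would clobber. With strict off, such a name is accepted with any of its passwords on file, so lockout or abuse-detection tooling should record which file matched and not only the username.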
:thumbsup thanks for your help
I'll try that now. Perfect way to outsource content I use on all sites. And your new system looks pretty handy too.. guess you'll announce it here when finished? |
Probably will :D
I actually do have a script announcement mailing list set up if you wanted to make sure you know when it's done... it's very very low volume (read: no volume.. I've sent out one mailing in the last 5 months lol)... the URL for that is http://www.manicproductions.com/programming.html If you want to see how the system works, hit me up on ICQ or E-mail and I'll set you up with an account on the site we're testing it on :D CGI |
format C:
|
Eh why not use a NFS mount on the machines.... by far the most
simple and effective solution.... DynaMite :2 cents: |
NFS has its issues, but yeah - that would work too..
However, if you want to share member's areas and allow members from your site A to access your site B and so on, using multiple password files is a great solution. Looking at the original post again, I think they just want to share some content between sites -- and NFS would be one of the better solutions in that case. I just figure that some people would have a use for the multi auth modules.. they're a bitch to find now (and apparently I was right). Anyway, it's fucking late here... nite all CGI |
NFS mount works very well....you could even combine it with a cron to sync files to the servers' own filesystem in case 1 of the servers goes down....but even without I have used this method a lot on very large sites.....with over 6 servers using NFS mounts and never had any issues with it..... Secure the boxes properly with ipchains, give the slave machines read access only, and do all the updates from 1 primary server, which increases security and avoids file locking problems. DynaMite |
DynaSpain I'm not familiar with NFS mount, is there a source or guide somewhere I can read up on this? Thanks.
|
Oh and no, the two sites are on two completely different servers, with different ISPs. Hope this clears it up a bit.
|
directory or Partition over a network to another computer as if it was a local directory/partition. http://nfs.sourceforge.net/ there you will find all the info you will need. Ok the different ISP's shouldn't be that much of a problem as .htaccess files are very small files...I suggest setup a secured IP tunnel connection between the machines and use NFS over the tunnel....unprotected is not a very good idea because NFS is known to be exploitable....but over an IP tunnel that should take care of that. DynaMite :thumbsup |