CUNY Academic Commons

Thanks for vetting the plugin; it's dispiriting to hear that a better option doesn't already exist. Are there any other options, like adding password protection of the subdomain at the server level?

And when next week would we be talking about?

André, could you please tell me whether we have mod_setenvif enabled for Apache on cdev and commons, and if not, enable it?

Using setenvif I might be able to do it at the level of .htaccess.

If this is important, I can adjust things to clear some time on Monday afternoon.

Yes, I can confirm that this apache module is in effect.

Thanks, André. Can you chmod /var/www/.htpasswd on cdev and commons so that the commons user can edit it?

Thanks, André.

Boone, can you clarify for me whether the availability of this apache module means that you would potentially be able to get to this by Monday or whether there is now a simpler solution that doesn't require those few hours of coding (and can thus be set up more quickly)? Thanks.

Matt, I am trying to find a solution that does not require any PHP coding. I can't guarantee any deadlines, as I am trying to figure out SetEnvIf and the related Apache modules as I go along, though I will attempt to do it as quickly as possible.

Great. Many thanks, Boone.

Boone Gorges wrote:

Thanks, André. Can you chmod /var/www/.htpasswd on cdev and commons so that the commons user can edit it?

No such file, Boone:

[root@commons ~]# ll /var/www/.htpasswd
ls: cannot access /var/www/.htpasswd: No such file or directory

Would you prefer that I create one or do you want to create it at /home/commons?

You're right, André. I can just put it at /home/commons. I was thinking that it wouldn't be compatible with /var/www/.htpasswd on cdev, but I guess it doesn't matter since the latter is handled at the level of httpd.conf.

I think I need your help here. I'm really struggling to get this working. The goal is to add htpasswd authentication only on a single subdomain, and I had a feeling that this could be done using SetEnvIf, but my regex seems to be failing me.

More specifically. The following works in order to protect all subdirectories EXCEPT FOR cunypie:

SetEnvIf Host ^cunypie\.cdev\.gc\.cuny\.edu let_me_in
Order Allow,Deny
AuthType Basic
AuthName Testing
AuthUserFile /home/commons/.htpasswd
Satisfy any
Require jitp
Order allow,deny
Allow from env=let_me_in

Based on that, you'd think I'd be able to simply add a ! in front of my regex to flip it. But it doesn't work - when I do that, let_me_in is never set.

Is there something obvious that I'm doing wrong? Is it possible for you to just set this at the level of the main Apache config? (I have already spent more time learning about this .htaccess stuff than I should have today ;) )

How about:

SetEnvIf Host ^cunypie\.cdev\.gc\.cuny\.edu dont_let_me_in
Order Deny,Allow
AuthType Basic
AuthName Testing
AuthUserFile /home/commons/.htpasswd
Satisfy any
Require jitp
Order deny,allow
Deny from env=dont_let_me_in
Allow all

Let me test it...

Ok, I think I got it...

In my test cunypie.cdev.gc.cuny.edu was challenged for auth, while other subdomains were not, with this:

AuthType Basic
AuthName "Must be a valid user!" 
AuthUserFile /var/www/mypasswd
Require valid-user

SetEnvIf Host ^cunypie\.cdev\.gc\.cuny\.edu challenge_me

Satisfy any
Order Deny,Allow
Deny from env=challenge_me

Could I ask you to kindly test with me here? Thanks!

Oh, I had changed the htpasswd file for testing, but reverted to the previous one now...

AuthUserFile /var/www/.htpasswd

...and all this stuff is now in /var/www/html/.htaccess, where it belongs ;)

Fantastic work!

I'm thrilled : ) Loved being able to help out and also learned something new!

Awesome. The last step, then, would be to add this password protection to the site where it is needed: http://jitp.commons.gc.cuny.edu/

Can I email you a preferred login/password combo for it?

Yes, email works. I'm ready.

Ok, I tested successfully in production and reverted the change in cdev.

Please mark the issue resolved if everything is in order, ok?

Thanks, André. Getting the right combination of 'Order' with 'Satisfy any' was starting to make my head spin.

Could I ask that the plaintext password be stored somewhere, like maybe in a comment in the .htpasswd file itself? There may come a time when a developer needs to access the site.

Thanks again for your work on this, guys.

Boone Gorges wrote:

Thanks, André. Getting the right combination of 'Order' with 'Satisfy any' was starting to make my head spin.

: D

Could I ask that the plaintext password be stored somewhere, like maybe in a comment in the .htpasswd file itself? There may come a time when a developer needs to access the site.

Yes, good idea. Done.

Matt Gold wrote:

Thanks again for your work on this, guys.

You're welcome.