Althttpd

Does basic authentication work hierarchically in althttpd?

(1.1) By geoff (geoffrey) on 2023-08-28 03:19:39 edited from 1.0 [link] [source]

Hi,

I am confused with the althttpd documentation. The documentation for althttpd says under the heading "Basic authentication":

If a file named "-auth" appears anywhere within the content hierarchy, then all sibling files and all files in lower-level directories require HTTP basic authentication, as defined by the content of the "-auth" file. The "-auth" file is plain text and line oriented.

On testing and looking at the C-code, I am unclear whether althttpd currently does apply the directives of an -auth file to files within subdirectories, which is how I understood the documentation.

I made a chroot with a default.website directory in it, and placed an -auth file chroot/website.default/-auth containing something like this:

http-redirect
https-only
realm My Realm
user john_doe john_doe:12345

I also placed a CGI file chroot/default.website/one/index.cgi with a basic wapptclsh script for testing purposes. (Disclaimer: I had renamed wapptclsh to sh with the path chroot/default.website/bin/sh and adjusted the CGI file accordingly).

If the browser was directed to 127.0.0.1/one it would redirect to https://127.0.0.1/one/index.cgi and return the result of the CGI script without requesting basic authentication. I had expected basic authentication details to have been required at this point, before the page was displayed.

If the browser was directed to 127.0.0.1 it would redirect to https://127.0.0.1/index.html and request basic authentication details as expected.

In short, the -auth file appears to apply to the directory in which it is found, but not to files contained within subdirectories. Am I misinterpreting the documentation?


Additional:

Putting a symbolic link in subdirectory one/ called -auth targeting the -auth file in the parent directory made Basic Authentication work as expected.

(2) By sodface on 2024-02-22 03:05:50 in reply to 1.1 [source]

I was confused by this in the other thread on redirects. The homepage doc althttpd.md still reads:

If a file named "-auth" appears anywhere within the content hierarchy, then all sibling files and all files in lower-level directories require HTTP basic authentication, as defined by the content of the "-auth" file.

When testing the http->https redirects I found this link on sqlite.org that doesn't redirect, which seemed to conflict with the doc:

http://sqlite.org/c3ref/funclist.html

I think some browsers will (helpfully?) try https first even if you purposely type http so if the above link appears to redirect from http->https it's probably the browser doing it, not althttpd. Test it with something else like wget or curl.

There's an open bug report for this, where Dr. Hipp stated:

The documentation is incorrect. The -auth only protects the directory that it is in. Subdirectories are unprotected and can be accessed directly.

So I think the intent was to update the doc but that never got done.
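
Added example, not part of the thread and not code from althttpd: since -auth covers only the directory it is in, this Python script walks a content tree and lists every directory that sits below an -auth file but has none of its own (a symlink to one counts, as in the workaround from post 1). The function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

AUTH_NAME = "-auth"  # file name althttpd looks for, per the thread

def find_unprotected_subdirs(root):
    """Return (directory, nearest ancestor holding -auth) pairs, relative to
    root, for every directory that sits below an -auth file but has none."""
    root = os.path.abspath(root)
    nearest = {}  # directory -> closest ancestor-or-self that holds -auth
    gaps = []
    for dirpath, dirnames, _files in os.walk(root):
        dirnames.sort()  # deterministic report order
        # isfile() follows symlinks, so the symlink workaround from post 1 counts
        has_auth = os.path.isfile(os.path.join(dirpath, AUTH_NAME))
        inherited = nearest.get(os.path.dirname(dirpath))
        nearest[dirpath] = dirpath if has_auth else inherited
        if not has_auth and inherited is not None:
            gaps.append((os.path.relpath(dirpath, root),
                         os.path.relpath(inherited, root)))
    return gaps

def build_demo_tree(base):
    """Constructed sample content tree (not taken from any real site)."""
    for d in ("default.website/one", "default.website/two/deep",
              "public.website/docs"):
        os.makedirs(os.path.join(base, d))
    with open(os.path.join(base, "default.website", AUTH_NAME), "w") as f:
        f.write("realm My Realm\nuser john_doe john_doe:12345\n")
    # two/ gets a symlink to the parent's -auth; one/ and two/deep/ get nothing
    os.symlink(os.path.join("..", AUTH_NAME),
               os.path.join(base, "default.website", "two", AUTH_NAME))

def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return find_unprotected_subdirs(base)

if __name__ == "__main__":
    for directory, ancestor in demo():
        print(f"{directory}: no -auth of its own (nearest is in {ancestor})")
```

Directories with no -auth anywhere above them (public.website in the sample) are treated as intentionally public and are not reported.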

(3) By Stephan Beal (stephan) on 2024-02-22 03:30:41 in reply to 2 [link] [source]

I think some browsers will (helpfully?) try https first even if you purposely type http ...

Correct. Firefox optionally does this and, IIRC, Chrome does as well.

However, that's independent of...

There's an open bug report for this. ...

The -auth file is about HTTP Basic Authentication, not HTTPS redirection (though it may also try to force an HTTPS redirection in that case (i haven't checked), those are independent features).

So I think the intent was to update the doc but that never got done.

The docs have been fixed, thank you for the reminder.

(4.1) By spindrift on 2024-02-22 11:15:45 edited from 4.0 in reply to 3 [link] [source]

The -auth file is about HTTP Basic Authentication, not HTTPS redirection

I think this answer may be a bit misleading, Stephan.

http --> https redirection is specifically mentioned as one of the functions of the -auth file in the documentation, and is, I believe, the only way to compel althttpd to redirect port 80 to port 443 with tls.