Question

We have a TWiki protected by WebAuth & LDAP on a separate proxy server. I'm trying to configure unauthenticated access for viewing topics, and authentication enforcement for anything else.

In ssl.conf on the proxy server, I have this configuration (please see attached; the code keeps getting stripped out).

With this code enabled, Apache begins to load the page ... but just before the end of the page load, it asks for a login/pass. If I cancel, I can see that the header image doesn't load, along with the favicon image, but it seems like everything else loads. The code above also doesn't have the desired authentication result: no login is required for edit, save, etc.

Why is Apache asking for a login to load images during "view", but not for editing? I must have the syntax wrong....

Environment

-- JohnDeStefano - 15 Oct 2007

Answer

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.

The first part of the problem (login for viewing images) was solved by going through some of the WebPreferences topics and changing any hard-coded paths to image files.

Part of the second problem (no login required) was due to the need to change the authentication method in configure to tell TWiki to let Apache handle authentication. Once I did this, TWiki started asking me to log in in order to edit. However, after I log in, I get "Access check" failures: "Action "edit": authentication required", and the "view" pages still think I'm not logged in ("Log In or Register").

-- JohnDeStefano - 15 Oct 2007

Did you set up your proxy as described in the mod_webauth documentation? It has a section Using WebAuth with Proxy Servers which describes how to pass authentication information from a WebAuth protected proxy to the backend. Otherwise, how would TWiki know that the proxy did authentication?

But still, TWiki does not recognize the X-WEBAUTH-USER header, it only checks REMOTE_USER, which is not passed on. To make TWiki think that a local Apache authentication took place, I'd recommend my favourite hack of adding WFM patches to bin/LocalLib.cfg. In your case, this would be something like (given that you use the proxy as described)

$ENV{'REMOTE_USER'} = $ENV{'X-WEBAUTH-USER'};

-- HaraldJoerg - 15 Oct 2007

Yup: I have used that REMOTE_USER hack, compliments of your earlier advice (thank you!). We're also using the proxy in exactly the same way as described in Using WebAuth with Proxy Servers, with the caveat that, for whatever reason, the ProxyPass and ProxyPassReverse directives have been defined outside of the Location but inside a VirtualHost (along with the Location).

-- JohnDeStefano - 17 Oct 2007

Sorry, closing this after more than 30 days of inactivity. Please feel free to re-open if needed.

-- PeterThoeny - 03 Dec 2007

-- JohnDeStefano - 03 Dec 2007

Sorry, closing this question after more than 30 days of inactivity. Feel free to re-open if needed.

-- PeterThoeny - 02 Feb 2008