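I am having trouble getting the Apache module mod_auth_form to work.
I have a subdomain that I want to protect and use for various administrative functions on my website.
When I submit the authentication form, I get: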
Method Not Allowed
The requested method GET is not allowed for the URL /admin/index.html.
I have done my best to follow the instructions in the documentation here:
http://httpd.apache.org/docs/current/mod/mod_auth_form.html
and here:
http://httpd.apache.org/docs/current/mod/mod_session.html
I am also using Apache 2.4.9 and have loaded all the modules required for this to work.
So I have set up the subdomain as follows:
/index.html (Public root / auth form)
/admin/index.html (The contents of the folder I wish to protect)
/index.html
contains the following:
<form method="POST" action="/admin">
User: <input type="text" name="httpd_username" value="" />
Pass: <input type="password" name="httpd_password" value="" />
<input type="submit" name="login" value="Login" />
</form>
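For the vhost block that controls the subdomain, I added the following (note that I am enabling GET and POST for this domain, since these are disabled by default):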
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName mydomain.com
ServerAlias admin.mydomain.com
DocumentRoot /var/www/mydomain.com/admin/
<Directory /var/www/mydomain.com/admin/>
<LimitExcept GET POST>
Require all denied
</LimitExcept>
Options -ExecCGI -FollowSymLinks -Includes -Indexes -MultiViews
Require all granted
</Directory>
<Location /admin>
SetHandler form-login-handler
AuthFormLoginRequiredLocation http://admin.mydomain.com/index.html
AuthFormLoginSuccessLocation http://admin.mydomain.com/admin/index.html
AuthFormProvider file
AuthUserFile /var/www/mydomain.com/admin_inc/.htpasswd
AuthType form
AuthName realm
Session On
SessionCookieName session path=/private;domain=admin.mydomain.com;httponly;secure;
SessionCryptoPassphrase secret
</Location>
</VirtualHost>
In the Apache error log I get the following:
[Mon May 19 10:26:38.xxxxxx 2014] [auth_form:error] [pid xxxxx] [client xxxxxx:xxxxx] AH01811: the form-login-handler only supports the POST method for /admin/index.html, referer: http://admin.mydomain.com/
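If anyone could explain to me what I am doing wrong here that causes this error, I would greatly appreciate it, thanks!
Answer 1
I finally solved this, and came across this question while trying to find a solution to the problem.
You get this error because your call is intercepted by the form-login-handler, which only supports POST.
The trick is that the SetHandler directive should only be active for the URL that will be used as the action of the authentication form. All other protected resources should use the same configuration, but without this handler.
Here is a working configuration: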
<VirtualHost *:80>
ServerAdmin [email protected]
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/
<Location /admin>
# Protect all resources under /admin with form auth. Note that the login form is NOT under /admin : not sure this is required, but this is how I got it working
AuthFormLoginRequiredLocation http://www.example.com/index.html
AuthFormLoginSuccessLocation http://www.example.com/admin/index.html
AuthFormProvider file
AuthUserFile /var/www/example.com/.htpasswd
AuthType form
AuthName realm
Session On
SessionCookieName session path=/private;domain=www.example.com;httponly;secure;
SessionCryptoPassphrase secret
</Location>
<Location /admin/dologin>
# Since this location is a sub-path of the previous one, it inherits all parameters above
# It will be the only URL to be able to process form logins, and the only one to require POST
SetHandler form-login-handler
</Location>
</VirtualHost>
Of course, you need to set the action attribute in the form to the login handler URL:
<form method="POST" action="/admin/dologin">
User: <input type="text" name="httpd_username" value="" />
Pass: <input type="password" name="httpd_password" value="" />
<input type="submit" name="login" value="Login" />
</form>
Hope this helps someone (even though this post is already 4 years old! :))
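The check below is an added example, not part of the original answer or of Apache itself: it scans a vhost snippet for the misconfiguration discussed above, where a redirect target that the browser fetches with GET falls under a `<Location>` served by the POST-only `form-login-handler`. The function names are hypothetical, and the two sample configurations are abridged from the ones on this page.

```python
import re
from urllib.parse import urlparse

# Sample inputs, abridged from the two configurations on this page.
QUESTION_CONF = """
<Location /admin>
SetHandler form-login-handler
AuthFormLoginRequiredLocation http://admin.mydomain.com/index.html
AuthFormLoginSuccessLocation http://admin.mydomain.com/admin/index.html
</Location>
"""
ANSWER_CONF = """
<Location /admin>
AuthFormLoginRequiredLocation http://www.example.com/index.html
AuthFormLoginSuccessLocation http://www.example.com/admin/index.html
</Location>
<Location /admin/dologin>
SetHandler form-login-handler
</Location>
"""
REDIRECTS = ("authformloginrequiredlocation", "authformloginsuccesslocation")

def parse_locations(conf):
    """Map each <Location> path to its (directive, argument) pairs."""
    locations, current = {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        opened = re.match(r"<Location\s+([^>\s]+)\s*>", line, re.I)
        if opened:
            current = locations.setdefault(opened.group(1), [])
        elif line.lower().startswith("</location"):
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            current.append((name.lower(), args.strip()))
    return locations

def covers(location, path):
    """Prefix match on a path-segment boundary, as <Location> does."""
    base = location.rstrip("/")
    return path == base or path.startswith(base + "/")

def get_targets_behind_login_handler(conf):
    """Return (handler location, directive, path) for GET redirect targets under the handler."""
    locs = parse_locations(conf)
    handlers = [p for p, ds in locs.items()
                if ("sethandler", "form-login-handler") in ds]
    return [(h, name, urlparse(args).path)
            for ds in locs.values() for name, args in ds if name in REDIRECTS
            for h in handlers if covers(h, urlparse(args).path)]
```

An empty result means no redirect target is routed to the login handler; the question's configuration yields one finding for `/admin/index.html`, the URL named in the AH01811 log line.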
Answer 2
You are somehow sending the login credentials with a method other than POST¹. Maybe double-check your login form?