Enable or disable Apache password protection depending on requested URL

Question

We have a CGI script in Apache 2.2.3 for browsing log files on our syslog server. The script is called like this:

http://myserver/cgi-bin/logView.cgi?/var/log/syslog-ng/a/b/c/20100923.log

Does anyone know if it is possible to impose an .htaccess style control on accessing this CGI, but only if certain paths are browsed? We would like to let anyone in our organisation browse URLs such as:

http://myserver/cgi-bin/logView.cgi?/var/log/syslog-ng/public/log/201000923.log

but if someone goes to:

http://myserver/cgi-bin/logView.cgi?/var/log/syslog-ng/private/log/201000923.log

then they are asked for a password. Basically all of our applications log to the same server, but there are some log files which should only be seen by certain staff members. The others can be seen by anyone.

Thanks in advance for any suggestions!

Rich

score 0 · Accepted Answer · answered Sep 24 '10 at 08:26

I found a solution in the end.

ScriptAlias /log-cgi-bin/ "/var/www/log-cgi-bin/"
ScriptAlias /secure-log-cgi-bin/ "/var/www/log-cgi-bin/"

RewriteEngine on
RewriteCond %{QUERY_STRING} ^/var/log/syslog-ng$
RewriteRule ^/log-cgi-bin/(.*)$ /secure-log-cgi-bin/$1 [R=302,L,QSA]

<Location "/secure-log-cgi-bin">
  AuthUserFile /etc/httpd/conf.d/.log-view-htpasswd
  AuthType Basic
  AuthName "Logs"

  Require valid-user
  Satisfy All
</Location>

This basically does the job. The RewriteCond regex should be improved to require a password for anything less than /var/log/syslog-ng/.

Rich

Enable or disable Apache password protection depending on requested URL

1 Answers1