Cosign/Apache interaction

For too long now, Neil, Roger and I have occasionally looked at the
way cosign behaves (or doesn’t) with apache, only to end up looking at
the same thing a few months later. I’ll attempt here to note down
specifically what the problems are.

Testing is being done on kant and melody. They’re configured slightly
differently, in that kant is configured solely through apacheconf
while melody uses the apache component, so provides its own

What we’re seeing is strange behaviour when attempting to use cosign
authentication when combined with host-based restrictions.

I’m doing my testing mainly using Safari on Leopard and Firefox on

I’ve set up an area on kant: /var/www/html/restricted with an htaccess

First, let’s test cosign auth:

CosignProtected On
AuthType Cosign
Require valid-user

… this works fine – I get redirected to weblogin and, following
authentication, can see the restricted page.

So, let’s test host-based access:

order deny,allow
deny from all
allow from

… works fine – connecting from – OK, connecting
from home – 403 forbidden.

Now, combining host-based restrictions and cosign auth is where it
starts to fall apart:

order deny,allow
deny from all
allow from

satisfy any

CosignProtected On
AuthType Cosign
Require valid-user

This configuration should allow you in from .inf OR if you are

Access from – works fine
cosign: no, gives an internal server error, with the following in

[Thu Oct 30 15:54:04 2008] [crit] [client] configuration error: couldn’t check user. No user file?: /restricted/

Same behaviour when cosign authenticating prior to visiting
restricted area. Note that it’s necessary to shift-reload when using
safari as it seems to cache successful visits.

Peculiarly, when testing with the exact same .htaccess file on melody,
you get a 401 error, _not_ an internal server error as on kant. TODO:
test this properly when in inf (don’t want to open holes in the
firewall to melody just now).

This entry was posted in Apache, Cosign. Bookmark the permalink.