Conflict with Custom HTTP Status pages?

[aaa426 Profile]

I've just replaced IISPassword with Helicon Ape on an IIS7 development server.

I've spent most of the afternoon struggling to get Ape working, and have come to the conclusion that I couldn't get it to work because we have a custom HTTP Status page for 401.x errors:

If I enable the custom error page, when I visit a protected resource I am taken to the custom page, with no login prompt If I disable it I am given a Basic Auth prompt and can login to the content as expected.

Is this expected behaviour, or am I doing something wrong?

[Anton]

Could you please show the config you have in Helicon Ape.
And consider setting up the custom error pages with Ape as well: http://www.helicontech.com/ape/doc/mod_ ... orDocument

[aaa426 Profile]

Thanks for getting back to me; I'd be happy to post the config. To answer your second question - I want to keep as much stuff within IIS/the web.config as possible, but this is a preference rather than a absolute need.

httpd.conf

Code: Select all

# Helicon Ape version 3.0.0.76

# Helicon Ape core configuration

#Automatically generated license file
Include licenses.conf

##----------------------------------------------------------------------
##
## The following code enables most detailed logging for Ape
##

Loglevel debug
ErrorLog error.log

#force Ape to ignore syntax errors in config
Options -StopOnError

##----------------------------------------------------------------------
##
## Read more about supported modules here http://www.helicontech.com/ape/doc/overview.htm
##

LoadModule authz_host_module     modules/mod_authz_host.so
LoadModule auth_basic_module    modules/mod_auth_basic.so
LoadModule auth_digest_module   modules/mod_auth_digest.so
LoadModule authn_dbd_module     modules/mod_authn_dbd.so
LoadModule authn_file_module    modules/mod_authn_file.so
LoadModule authn_anon_module    modules/mod_authn_anon.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_user_module    modules/mod_authz_user.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule asis_module      modules/mod_asis.so
LoadModule cache_module          modules/mod_cache.so
LoadModule dbd_module      modules/mod_dbd.so
LoadModule dbd_exec_module   modules/mod_dbd_exec.so
LoadModule dir_module        modules/mod_dir.so
LoadModule disk_cache_module    modules/mod_mem_cache.so
LoadModule developer_module       modules/mod_developer.so
LoadModule env_module           modules/mod_env.so
LoadModule expires_module       modules/mod_expires.so
LoadModule filter_module    modules/mod_filter.so
LoadModule gzip_module           modules/mod_gzip.so
LoadModule headers_module       modules/mod_headers.so
LoadModule hotlink_module   modules/mod_hotlink.so
LoadModule linkfreeze_module   modules/mod_linkfreeze.so
LoadModule log_config_module   modules/mod_log_config.so
LoadModule logio_module      modules/mod_logio.so
LoadModule mem_cache_module   modules/mod_mem_cache.so
LoadModule mime_module      modules/mod_mime.so
LoadModule proxy_module         modules/mod_proxy.so
LoadModule rewrite_module       modules/mod_rewrite.so
LoadModule replace_module      modules/mod_replace.so
LoadModule usertrack_module   modules/mod_usertrack.so
LoadModule setenvif_module      modules/mod_setenvif.so
LoadModule speling_module       modules/mod_speling.so
LoadModule seo_module       modules/mod_seo.so
LoadModule xsendfile_module       modules/mod_xsendfile.so


##----------------------------------------------------------------------
##
## The following code enables most detailed logging for mod_rewrite
##

#RewriteLog rewrite.log
#RewriteLogLevel 9


##----------------------------------------------------------------------
##
## The following code hides .htaccess and .htpasswd files from sites visitors.
##

#
#<FilesMatch "^\.ht">
#    Order allow,deny
#    Deny from all
#    Satisfy All
#</FilesMatch>


##----------------------------------------------------------------------
##
## Use htaccess.txt instead of .htaccess
## put it in the httpd.conf
##
#AccessFileName htaccess.txt


##----------------------------------------------------------------------
##
## Basic Authentication for the folder
##

#<Directory c:\inetpub\wwwroot\admin\>
#   AuthType Basic
#   AuthName "secret area"
#   AuthBasicProvider file
#   AuthUserFile c:\inetpub\.htpasswds
#   Require valid-user
#</Directory>

##----------------------------------------------------------------------
##
## MD5 Digest Authentication
##

#<Location /private/>
#   AuthType Digest
#   AuthName "private area"
#   AuthDigestDomain /private/ http://www.domain.com/myprivate/
#   AuthDigestProvider file
#   AuthUserFile c:/inetpub/passwords/.digest_pwd
#   Require valid-user
#</Location>


##----------------------------------------------------------------------
##
## Enable memory-based cache for php files
##

#<Files *.php>
#   ExpiresActive On
#   ExpiresByType text/html "access 1 hour"
#   CacheEnable mem
#</Files>


##----------------------------------------------------------------------
##
## Force Ape account for trailing slash redirects and index files
##

#DirectoryIndex index.html index.asp index.php
#DirectorySlash On


##----------------------------------------------------------------------
##
## Cache all cacheable content to the disk
##

## please create this folder before using
#CacheRoot c:\inetpub\cache
#SetEnv cache-enable disk

##----------------------------------------------------------------------
##
## Prevent ddos attacks
##

#<IfModule evasive_module>
#   DOSPageCount        10
#   DOSSiteCount        150
#   DOSPageInterval     1
#   DOSSiteInterval     1
#   DOSBlockingPeriod   10
#</IfModule>



##----------------------------------------------------------------------
##
## Enable smart expiration
##

#ExpiresActive On
## html expires in a 2 hour
#ExpiresByType text/html A7200
## css expires in a 4 hour
#ExpiresByType text/css A14400



##----------------------------------------------------------------------
##
## The following code enables caching and compression for all static files
## accounting for browser peculiarities
##

#Include smart_gzip_compression.conf


##----------------------------------------------------------------------
##
## Stop hotlinking
##

#SetEnv mod_hotlink
#<Files *.pdf>
#   HotlinkProtect /pdf [ Link, ParamName=hlb ]
#</Files>


#----------------------------------------------------------------------
##
## Enable Linkfreeze
##

#SetEnv mod_linkfreeze
#LinkFreezeRule --- "aspx=htm" [ AbsLinks,MoveExt ]


##----------------------------------------------------------------------
##
## Enable cache in-memmory
##

#<LocationMatch "/|/index.php">
#   SetEnv cache-enable mem
#</LocationMatch>



##----------------------------------------------------------------------
##
## Enable proxying /accounts/ application to internal server
##

#<Location /accounts/>
#   ProxyPass http://internal.company.com/accounts/
#   ProxyPassReverse http://internal.company.com/accounts/
#   ProxyPassReverseCookieDomain internal.company.com www.company.com
#</Location>


##----------------------------------------------------------------------
##
## Common rule for cms systems
##

#RewriteEngine on
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule (.*) /index.php [NC,L,NS]

##----------------------------------------------------------------------
##
#Header append Server "enhanced by Helicon Ape/3.0"



web.config
(I've currently got the 401 custom status directive removed, but it follows the same pattern as the others)

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpErrors>
            <remove statusCode="404" subStatusCode="-1" />
            <remove statusCode="403" subStatusCode="-1" />
            <error statusCode="400" path="/errors/400.htm" responseMode="ExecuteURL" />
            <error statusCode="403" prefixLanguageFilePath="" path="/errors/403.htm" responseMode="ExecuteURL" />
        </httpErrors>
        <staticContent>
            <mimeMap fileExtension=".gdb" mimeType="application/octet-stream" />
            <mimeMap fileExtension=".mp4" mimeType="audio/mpeg" />
        </staticContent>
        <handlers>
            <add name="Helicon.Ape Handler" path="*.apehandler" verb="*" type="Helicon.Ape.Handler, Helicon.Ape, Version=3.0.0.76, Culture=neutral, PublicKeyToken=95bfbfd1a38437eb" resourceType="Unspecified" preCondition="integratedMode" />
        </handlers>
        <modules>
            <add name="Helicon.Ape" type="Helicon.Ape.ApeModule, Helicon.Ape, Version=3.0.0.76, Culture=neutral, PublicKeyToken=95bfbfd1a38437eb" />
        </modules>

    </system.webServer>
    <system.web>
        <httpHandlers />
        <httpModules />
    </system.web>
</configuration>


[aaa426 Profile]

Should mention that there is no .htaccess at the website level - and where I do have them, I am only currently using APE for Basic Authorization

[Anton]

Hello,

Thanks for showing us the config, but there are no uncommented directives. How did you manage to enable Basic authorization?

Also, please check that no .htaccess files left from IISPassword.

And consider trying the ErrorDocument directive in Ape instead of Custom Error Pages in IIS.

[aaa426 Profile]

The directives are as they came when I installed - I have not touched them.

Basic auth is done via an htaccess file in each folder - here is a typical example:

Code: Select all

# Helicon Ape version 3.0.0.76

AuthName "The Teaching Resource Website needs the username and password that you got when you received the software. If you have lost this, please contact us."
AuthType Basic
AuthBasicProvider file
AuthUserFile c:\inetpub\wwwroot\site\.htpassinfo\.htpwdmha
Require valid-user



Re your comment about IISPassword - this file was indeed originally an IISPassword file, but I have edited it to suit APE (which basically comes down to adding in the AuthType and AuthBasicProvider elements)

[Anton]

Hello,

We've done some investigation and found out that the CustomErrorPages module in IIS gives out 200 status for all mistakes that's why browser doesn't show the login form.

Please try using our http://www.helicontech.com/ape/doc/mod_ ... orDocument which does absolutely the same but with correct statuses.

[aaa426 Profile]

Anton,

OK! That seems to be and end of that then Looks like I'll be using ErrorDirective instead then.

Thank you for your help - I very much appreciate it.

Craig

[aaa426 Profile]

OK. Gave ErrorDocument a try and still no success. Here is my web.config - I've cleared all IIS custom pages:

Code: Select all

<httpErrors errorMode="Detailed">
  <clear/>
</httpErrors>


If I enable ErrorDocument in .htaccess i.e.

Code: Select all

# Helicon Ape version 3.0.0.76

ErrorDocument 401 /errors/401.htm


then I am taken straight to this page when I visit a protected resource, without opportunity for supplying credentials. If I disable ErrorDocument, then I am prompted for my login. In other words, this behavior is the same as IIS's custom error pages.

I can't help feeling that I am missing something here!

[laviethan Profile]

I to am having the same issue and one thing to note is helicon ape is just using IIS error pages by default. Changing out the default file in C:\inetpub\custerr\en-US will make the page different but i do not believe this is the correct way to handle this problem. A better way would be to change the default path for errordocuments in helicon. This should be handled by errordocument configs but it does not work for me. Any successful config causes you to land straight to the 401 page bypassing authentication.