Excluding IPs from HTTP auth when Apache is behind Varnish

I had a situation whereby I had to protect a site with HTTP auth, but exclude a certain IP address or two from having to use HTTP auth (e.g loadtesting).

The problem was, the site was also behind a Varnish proxy. So I couldn't do 'Allow from (ip)' in the Apache settings, because the IP would always be the IP address of the Varnish server at this point.

And obviously, I couldn't 'Allow from (varnish ip)' because that's the same as not having any HTTP auth at all :)


Was I the last to know? mod_auth basic, crypt() and the first 8 chars

I did not know this until just last week. Seems everyone I've mentioned it to already did, so I thought I'd better prove my noobness in bulk to you all now by writing about it.

It seems when you crypt a password with htpasswd and use (at least) basic mod_auth in Apache, the crypt only takes the first 8 characters of your password for use in authenticating a user.


Subscribe to RSS - mod_auth