Topic on Project:Support desk
Hello, for the testing version of my site, I would like to have the site password protected (it's under a sub-domain).
The way I was trying to do this was through .htaccess; now when I do that I get a 401 from Parsoid Visual Editor.
From the following: User:Andrujhon/Allow Parsoid Server I was assuming that to fix it all I needed to do was whitelist localhost. So I tried moving the authentication to my apache2 config with the following (https://stackoverflow.com/a/27209938/14435944):
<Directory /var/www/>
    AuthType Basic
    AuthName "Please enter your username and password"
    AuthUserFile /var/www/files/.htpasswd
    <RequireAny>
        Require ip 127.0.0.1
        Require ip ::1
        Require ip local
        Require valid-user
    </RequireAny>
</Directory>
But it is still blocking my parsoid (deleting the password protection makes parsoid/visual editor work correctly, to be clear).
Does anyone know what I'm doing wrong, or any better suggestion as to having a testing sub-domain password protected?
Thank you
Eddie
Also tried the following:
<Directory /var/www/>
    <If "%{REMOTE_ADDR} != '127.0.0.1'">
        AuthType Basic
        AuthName "Development Environment"
        AuthUserFile /var/www/files/.htpasswd
        require valid-user
    </If>
</Directory>
Which looks very similar to User:Andrujhon's solution. Just that it is done in apache conf instead of LocalSettings.php.
I can confirm that SetEnvIfNoCase User-Agent VisualEditor-MediaWiki/* visualeditor "resolves" the problem, in the sense that Visual Editor works again for an Apache-hosted wiki using AuthType Basic. However, it also allows anyone to access your wiki if they merely set User-Agent: VisualEditor-MediaWiki/something on their request.
To demonstrate this:
curl -ILH 'User-Agent: VisualEditor-MediaWiki/foo' https://url.for.your/wiki
This effectively defeats your site's password protection, so it's inadvisable to do this for a wiki where any kind of access from untrusted users is possible, and especially for a wiki on the public InterWebs.
I wish I had better news, but I don't, yet. I'm confronted with two equally unpalatable options: not use VisualEditor, or switch to a private wiki instead of HTTP auth, leaving more parts of MediaWiki exposed to the public internet. --Ernstkm (talk) 11:06, 14 January 2024 (UTC)
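A log audit for the bypass described in the reply above, as an added example that is not part of the original thread: it scans Apache combined-format access log lines for requests that carried a VisualEditor-MediaWiki User-Agent, came from a non-loopback address, had no authenticated user and were still served. The function names and the sample log lines are constructed for illustration, and the combined log format is assumed.

```python
import ipaddress
import re

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# SetEnvIfNoCase matches case-insensitively, so the audit does too.
VE_AGENT = re.compile(r"VisualEditor-MediaWiki/", re.IGNORECASE)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname was logged: treat it as remote

def find_bypass_hits(lines):
    """Return (host, status, request, agent) for requests that used the
    VisualEditor User-Agent from a remote address and were served without
    an authenticated user."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or not VE_AGENT.search(m["agent"]):
            continue
        if is_loopback(m["host"]):
            continue  # expected: Parsoid calling back from the same machine
        if m["user"] != "-":
            continue  # a user name was logged, so credentials were sent
        if m["status"] in ("401", "403"):
            continue  # the server still refused the request
        hits.append((m["host"], m["status"], m["request"], m["agent"]))
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '::1 - - [14/Jan/2024:10:58:01 +0000] "POST /api.php HTTP/1.1" 200 512 "-" "VisualEditor-MediaWiki/sample"',
    '203.0.113.7 - - [14/Jan/2024:10:59:12 +0000] "HEAD /wiki HTTP/1.1" 200 - "-" "VisualEditor-MediaWiki/foo"',
    '198.51.100.4 - tester [14/Jan/2024:11:00:30 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jan/2024:11:01:44 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "visualeditor-mediawiki/bar"',
    '192.0.2.33 - - [14/Jan/2024:11:02:05 +0000] "GET /index.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, status, request, agent in find_bypass_hits(SAMPLE_LOG):
        print(f"{host} {status} {request!r} UA={agent!r}")
```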