mod_auth_mysql

sidsel

I like the simple idea of http authentication and ease of being able to protect a full directory by placing a htaccess file there.

The downside is that every element downloaded will require a query, ie. 1 page with 10 pictures will result in 11 queries :bemused:

I can imagine if you have a busy restricted area you can easily get a "too many connections" error.

Are there any ways to protect a full directory (incl. all static files) without doing a query for every element?

herve

Are talking about .htaccess/.htpasswd mecanism or antoher authentification scheme ?

With .htaccess there's no need for query for each object. The first time, Apache will prompt you
with the login/password form, then store some cookie into the browser so each time
the browser will try to access a protected object (inside the protected directory),
there will be a "negocation" between the browser and Apache, but there's not query
in the MySQL database at that time.

Or may be if you're interfacing the .htaccess and a MySQL database ? Is that what you mean ?

sidsel

Right now I have a password protected directory using .htaccess and a flatfile with logins. I am trying to get rid of the password file but still keep the "power" of htaccess to protect all files in a directory.

The mysql module could be what I need, but to my knowledge it will make a database query for every element you download in the protected directory.

Can you give an example of a htaccess file that do what you say above?

herve

Well in fact, I was wrong. The regular authentification (using .htaccess/.htpasswd flat file)
is not using cookies but instead, it's the browser who cache the login/password that you
have typed the first time and send it back to the Apache server for each protected
document.

Nonetheless, using a flat file is way much slower than using database.

That why mod_auth_db exist in fact.

The mecanism are the same (browser sending back transparently the login/password)
but it intended to be fast (because of the indexes the db is using).

Now the question is : is it fast enough for you ? The best way to know is to
check, by simulating some hundred of connections (let's say in Python or PERL script)
at the same time. You will see if your Apache server is ok or slowing a bit or complety
crashed 🙂

sidsel

How do I simulate hundred of connections with perl? And what should I look for (if it doesn't crash)?

I have about 3800 lines in my password file so it must be time to switch to a database 🙂

herve

Yes, it's time to move 🙂

If you don't know PERL, I will not recommend you that solution, because
you have to deal with the authentification system "by hand",
it's not just about getting a regular URL

(otherwise, something simple like :

use LWP::Simple;
$content = get($URL)

with LWP (Library for Web Programming in PERL), will be enough )

Another way of simply simulating connections can be :

having a index.html file in the protected directory and having a META refresh
like this :

<html>
  <head>
    <meta http-equiv='refresh' content='1'>
  </head>
  <body> 
   a simple text 
  </body>
</html>

will force the refresh of the page each second inside the browser,
so you just have to open dozens of windows to get your Apache server
quite busy 🙂

Or may be using some web spider/crawler software ?
(the software you normaly use to get a local copy of a distant web server)
see here : http://en.wikipedia.org/wiki/Web_crawler