Apache2 Http2



Apache is a tried and tested HTTP server which comes with access to a very wide range of powerful extensions. Although it might not seem like the go-to choice in terms of running a reverse-proxy, system administrators who already depend on Apache for the available rich feature-set can also use it as a gateway to their application servers. HTTP/2 can be deployed in Apache HTTP 2.4.17 or later version with the help of modhttp2 module. So if you have 2.2 or lower version then first you got to upgrade to the compatible version. Let’s compile Apache HTTP with the modhttp2, modssl module. Download the latest version (I’ll do 2.4.25 on Linux).

Apache2 Http2 Debian

In computing, the Apache HTTP Server, an open-source HTTP server, comprises a small core for HTTP request/response processing and for Multi-Processing Modules (MPM) which dispatches data processing to threads and/or processes.

Apache authentication can be configured to require web site visitors to login with a user idand password. This is different than adding a login form on a web pageand creating your own authentication. This tutorial describes the variousmethods available for authentication with Apache and its' configuration.Login protection is applied to the web pages stored in a directory. The login dialog box which requests the user id and password is provided by the web browser at the request of Apache.Apache allows the configuration to be entered in its' configuration files(i.e. main configuration file /etc/httpd/conf/httpd.conf, supplementary configuration files /etc/httpd/conf.d/component.confor in a file which resides within the directory to be passwordprotected.Five forms of authentication are detailed here: Apache password fileauthentication, digest file authentication, LDAP, NIS and MySQL.

Apache authentication methods using local files to store passwords, have no association with system user accounts. If using LDAP or NIS for system loginauthentication, its use can be extended to support Apache web site logins.

Terms:
  • Authentication: Prove it is you. Authenticate the login by requiring a password only the user would know.
  • Authorization: Only certain users or members of a privaleged group are allowed.

Typically Authentication or Authentication and Authorization are required for access.

Apache configuration files: (refered to generically in this tutorial as httpd.conf or reside as the file .htpasswd, in the directory being protected.)

  • Red Hat / Fedora Core / CentOS: /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/application.conf
  • Novell SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/application.conf
  • Ubuntu (dapper 6.06) / Debian: /etc/apache2/apache2.conf or /etc/apache2/conf.d/application.conf
Apache password file authentication:

Directory protection using .htaccess and .htpasswd

This tutorial applies to Apache based web servers. It requires:

  1. Editing the server configuration file (httpd.conf) to enable/allow a directory structureon the server to be password protected. Basically the default <Directory>access permission statement need modification.
  2. The creation and addition of two files specifying the actual logins and passwords. (.htaccess and .htpasswd)

Use this sparingly because Apache will have to check all directories andsubdirectories specifiedin the configuration file for the existence of the .htaccess file adding toa servers latency.

When trying to access a file in a protected directory, the user will be presented with a window (dialog box) requesting a username and password.This protection applies to all sub-directories. Other .htaccess files in sub directories may respecify access rules.

Apache authentication uses the modules mod_auth and mod_access.

File: /etc/httpd/conf/httpd.conf (older systems used access.conf)

Apache2 Http2

Default: This disables the processing of .htaccess files for the system.

or for a specified directory:Apache2 Http2

Change to and/or specify directory to protect:

OR

AllowOverride parameters: AuthConfig FileInfo Indexes Limits Options

The name of the 'distributed' and user controlled configuration file .htaccess is defined with the directive: (default shown)

Password protection by a single login:

Password files:

  1. Create the directory you want to password protect (example: membersonly)
  2. Create a file /home/domain/public_html/membersonly/.htaccess in that director that looks something like this:
    In this case the 'name-of-user' is the login name you wish to usefor accessing the web site.

    [Pitfall] The literature is full of examplesof the next method but I never got it to work.

    One can use Apache directives to specify access and restriction:


    Also see: List of Apache directives. If an incorrect directive is used in the .htaccess file itwill result in a server error. Check your log files: /var/log/httpd/error_log.
    The name of the access file .htaccess is specified by the httpd.confdirective AccessFileName.
  3. Create (or clobber if it already exists) the password file /home/domain/public_html/membersonly/.htpasswdusing the program htpasswd:
    Add a new user to the existing password file:
    Man page: htpasswd

    Example file: .htpasswd

Password file protection, ownership and SELinux attributes:
  • File privileges: chmod ug+rw .htpasswd
  • File ownership: chown apache.apache .htpasswd
  • SELinux file attributes: chcon -R -h -u system_u -r object_r -t httpd_config_t .htpasswd
This is required so that the Apache web server can access the password file.
Flexible password protection by group access permissions:

This example differs from the previous example in that it allows for greatercontrol and flexibility by using groups.

Password files:

  1. Create a file .htgroup in that directory that contains the groupname and list of users: Where member-users is the name of the group.
  2. Modify .htaccess in the membersonly directory so it looks something like:
  3. Create the password file .htpasswd using the program htpasswd for each useras above. You don't need the -c option if you are using the same .htpasswd file. (-c is only to create a new file)

Allow specified domain to access site:

Specify first three (or one, or two, ...) octets of IP address defining allowable domain.
Placing Authentication directives in httpd.conf exclusively instead of using .htaccess:

The purpose of using the 'distributed configuration file' .htaccessis so that users may control authentication. It can also be set in the Apache configuration file httpd.conf WITHOUT using the .htaccess file. This can improve server performance as the server will not have to look for the .htaccess file in each subdirectory.

File: httpd.conf (portion)

This allows users to manage / change their own passwords.

Use the Perl CGI script htpasswd.pl [cache]

  • Edit location of Perl .i.e.: /usr/bin/perl
    Not /usr/local/bin/perl
  • Edit the script to specify location of the password file i.e. /var/www/PasswordDir/.htpasswd
  • SELinux users must add the correct attribute i.e. chcon -R -h -t httpd_sys_content_t /var/www/PasswordDir
  • The password file must be located in a directory where CGI is allowed to modify files.
    File: httpd.conf (portion)
Using Digest File for Apache Authentication:

This method authenticates a user login using Apache 2.0 on Linux. The logins have no connection to user accounts.

For more on digest authentication see:
  • Man page: htdigest

This method authenticates using Apache 2.0/2.2 and the LDAP authentication modules on Linux (supplied by default with most Linux distros) and an LDAP server.LDAP can be used to authenticate user accounts on Linux and other computer systems as well as web site logins.
Also see YoLinux TUTORIAL: LDAP system authentication.

Try this out with your Apache server authenticating to our open LDAP serverusing our Three Stooges example.

Apache LDAP modules:

Note that the following configurations work if the LDAP modules are enabled:

  • Apache 2.0 (Red Hat Enterprise 4/CentOS4): mod_ldap, mod_auth_ldap
  • Apache 2.2 (Red Hat Enterprise 5/CentOS 5): mod_ldap,mod_authnz_ldap
These are turned on by default. See /etc/httpd/conf/httpd.conf
  • Apache 2.0:
  • Apache 2.2:

Apache authentication configuration is version dependent.

  • # Apache HTTPd 2.2
  • # Apache HTTPd 2.0

Apache HTTPd 2.2:

Authenticate using Apache httpd 2.2 AuthzLDAP:

User Authentication:

File: httpd.conf (portion)There are two configurations for the directive AuthzLDAPAuthoritative:AuthzLDAPAuthoritative on (default)AuthzLDAPAuthoritative offThis configuration allows a waterfall of other authentication methods to be employed along side LDAP.

Group Authentication:

LDAP LDIF file: (part of our stooges example)Apache Configuration:Note:
  • Allow users (LDAP attribute: memberUid) in group gidNumber: 100 of objectClass: posixGroup which match to the login uid, authentication approval.
    The directive AuthLDAPGroupAttribute identifies the attribute to match with the login uid.
  • AuthLDAPGroupAttributeIsDN:
    • on (default): Use DN (Distinguished name) cn=Moe Howard,ou=MemberGroupA,o=stooges
    • off: Use username moe
  • Multiple Require ldap-group ... statements may be included to allow multiple groups.
  • Multiple Require ldap-attribute ... statements may be included to allow multiple groups.
  • The directive Satisfy any is required if testing multiple conditions. Only one positive in any of the conditions is required to authenticate.Thus you can combine the following authorization schemes as well:
    • Require ldap-user
    • Require ldap-dn
    • Require ldap-attribute
    • Require ldap-filter

Apache HTTPd 2.0:

Authenticate to an Open LDAP server. (No bind name/password required to access LDAP server)

File: httpd.conf (portion)or create the file /var/www/html/.htaccess

Point your browser to http://localhost/
Login with the user id 'LFine@isp.com' and password 'larrysecret'.
You will be asked to use a user id (email address) and password to enter the site.

Bind with a bind DN: (password protected LDAP repository)

File: httpd.conf (portion)Examples:
  • require valid-user: Allow all users if authentication (password) is correct.
  • require user greg phil bob: Allow only greg phil bob to login.
  • require group accounting: Allow only users in group 'accounting' to authenticate.
For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges exampleand set the password in the /etc/openldap.slapd.conf file.

This example specified the use of the email address as a login id. If usinguser id's specify:

Concurrent File and LDAP authentication:

Apache can use both File and LDAP authentication concurently.This is sometimes required to run cron jobs with a login where you do not want to use a system login or login managed by a directory server in another department.

Note:
  • AuthBasicProvider file ldap - Check password 'file' authentication then LDAP
  • AuthBasicAuthoritative off - Allows fall back to another auth scheme, in this case LDAP
  • AuthzLDAPAuthoritative off - Allows fall back to other auth scheme besides LDAP, in this case file

Http 2 Protocol

Set LogLevel debug when debugging authentication.This will log all the LDAP connection events and the LDAP attributes requested.

Authenticating with Microsoft Active directory using Microsoft's 'Unix services for Windows':

AuthLDAPURL ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountName?subAlso note that encrypted connections will use the URL prefix 'ldaps://' and the added directives:
  • LDAPTrustedCA directory-path/filename
  • LDAPTrustedCAType type
    Where the 'type' is one of:
    • DER_FILE: file in binary DER format
    • BASE64_FILE: file in Base64 format
    • CERT7_DB_PATH: Netscape certificate database file

Restart Apache after editing the configuration file: service httpd restart for configuration changes to take effect.
See /var/log/httpd/error_log for configuration errors.

Links:
  • YoLinux Tutorial: Configuration of an LDAP server - includes a quick start example using the Three Stooges.
Apache documentation:
  • Apache 2.0:
  • Apache 2.2:
Other LDAP modules:
  • Apache LDAP module mod_ldap_userdir (Apache 2.x)
  • Apache mod_auth_ldap web server module for authentication with Netscape or OpenLDAP servers (HowTo)

This method authenticates using Apache on Linux and an NIS server. The advantage of using NIS, is thecomonality of computer system accounts and web site logins.This configuration requires that the system the Apache web server isrunning on, must be using NIS authentication for system logins.

This requires a NIS server. See the YoLinux.com NIS configuration tutorial.

Requires the Linux RPM package mod_perl and the following Perl modules:

  • ExtUtils-AutoInstall
  • Net-NIS
  • Apache2-AuthenNIS or Apache-AuthenNIS
The version of Apache determines which Perl modules to use:
  • Apache 2.2 (RHEL5, CentOS5, FC6): Use the Perl module Apache2-AuthenNIS.
  • Apache 2.0 (RHEL4, CentOS4, FC3): Use the Perl module Apache-AuthenNIS.

Download / Install Perl modules:

  • RedHat:
    • Download 'perl-ExtUtils-AutoInstall' as an RPM from EPEL: perl-ExtUtils-AutoInstall-0.xx-x.x.elx.noarch.rpm
      Install: rpm -ivh perl-ExtUtils-AutoInstall-0.xx-x.x.elx.noarch.rpm
  • Ubuntu:
    • Install: sudo apt-get install libextutils-autoinstall-perl
  • Net-NIS: (CPAN)
    • tar xzf Net-NIS-0.xx.tar.gz
    • cd Net-NIS-0.xx/
    • perl Makefile.PL
    • make
    • make install
  • Apache(2)-AuthenNIS:
    Apache 2.2Apache 2.0
    Apache2-AuthenNIS: (CPAN)
    • tar xzf Apache2-AuthenNIS-0.15.tar.gz
    • cd Apache2-AuthenNIS-0.15
    • perl Makefile.PL
    • make
    • make install
    		Apache-AuthenNIS: (CPAN)
    • tar xzf Apache-AuthenNIS-0.13.tar.gz
    • cd Apache-AuthenNIS-0.13
    • perl Makefile.PL
    • make
    • make install

Or install from CPAN via the internet:

  • perl -MCPAN -e shell
    (Answer no)
  • install ExtUtils::AutoInstall
  • install Net::NIS
  • install Apache2::AuthenNIS (or Apache::AuthenNIS)
  • quit

Test Perl module:

File: testApache2AuthenNIS.plTest: [root]# ./testApache2AuthenNIS.pl
  • Good: Apache2::AuthenNIS installed
  • Not good: Apache2::AuthenNIS not installed

OR

File: testApacheAuthenNIS.plTest: [root]# ./testAuthenNIS.pl
  • Good: Apache::AuthenNIS installed
  • Not good: Apache::AuthenNIS not installed

Apache NIS authentication Examples:

  1. require valid-user: Allow all users if authentication (password) is correct.
  2. require user greg phil bob: Allow only greg phil bob to login.
  3. require group accounting: Allow only users in group 'accounting' to authenticate.

1) Restric access to NIS authenticated users:

Apache Configuration File: httpd.conf (portion)

2) Restrict to listed users greg, phil and bob, but still authenticate to NIS:

Apache Configuration File: httpd.conf (portion)

3) Restrict access to NIS members of a specific NIS group:

Apache Configuration File: httpd.conf (portion) Note Apache2::AuthzNIS only checks for group membership by group name (not GID). Apache2::AuthenNIS still required to authenticate the user (check password).

Example showing password protection for user web directories:

Apache Configuration File: httpd.conf (portion)

Also see YoLinux SysAdmin: Perl Admin

Links:

  • NIS+ (More secure than NIS):
  • Group NIS authentication:
Note:
  • Apache allows further restriction by client IP network address or subnet.
  • Passwords can also be sent over an encrypted https connection by use of the Apache directive SSLRequireSSL.See Apache SSL/TLS encryption

[Potential Pitfall]:This method of authentication will fail if using 'adjunct password maps'.This Perl module requires the use of the library call yp_match()which must have access to the encrypted passwords. If 'adjunct password maps'are used, then this is not accessible to processes other than root thusthe web server daemon process apache will not be able to access the data required.Test your system using the command ypcat passwd | head. If the second field is prefixed with '##', then this perl module will not work.If the second field is an encrypted password, then this perl module can work.

Ubuntu
CGI to allow users to modify their NIS Passwords:

For those users who get a shell of /sbin/nologin, the 'cgipaf' web interface is ideal for user management of NIS passwords.Cgipaf uses PHP, cgi (written in C) and your system PAM authentication (or /etc/passwd, /etc/shadow files). Cgipaf also can manage mail accounts using procmail.

Download from http://www.wagemakers.be/english/programs/cgipaf

Installation/configuration:

  • tar xf cgipaf-1.3.1.tar.gz
  • cd cgipaf-1.3.1/
  • ./configure --bindir=/var/www/cgi-bin --datadir=/srv/cgipaf --sysconfigdir=/etc/cgipaf --prefix=/opt
    Note: nothing ends up in /opt
  • make
  • make install
  • cd /srv/cgipaf
  • ln -s cgipasswd.php index.php
File: /etc/httpd/conf.d/cgipaf.conf (Red Hat style systems)Note the Apache 2 directive 'SSLRequireSSL' will only allow https encrypted access. This is important when managing passwords over the web.

The PHP pages reside in /srv/cgipaf/. The compiled C cgi will reside in /var/www/cgi-bin. The configuration file will be /etc/cgipaf/cgipaf.conf.

See the web page at http://localhost/NIS/

Two Apache modules are available for database authentication:

  • MySQL: mod_auth_mysql (This tutorial)
    • Red Hat RPM package: mod_auth_mysql
    • SuSE RPM package: apache2-mod_auth_mysql
  • DBM database file: mod_auth_dbm
    (Fast even for 1000's of users.)
Apache Configuration:
  • Red Hat: /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/application.conf
  • SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/application.conf
Examples:
  • require valid-user: Allow all users if authentication (password) is correct.
  • require user greg phil bob: Allow only greg phil bob to login.
  • require group accounting: Allow only users in group 'accounting' to authenticate.

Directives:

DirectiveDescription
AuthMySQLEnable OnIf 'Off', MySQL authentication will pass on the authentication job to the other authentication modules i.e password files.
AuthMySQLHost host_nameName of MySQL Database hosr. i.e. 'localhost'
AuthMySQLPort TCP_Port_numberPort number of MySQL Database. Default: 3306
AuthMySQLDB database_nameName of MySQL Database.
AuthMySQLUser user_idMySQL Database login id.
AuthMySQLPassword user_passwordMySQL Database login password. Plain text.
AuthMySQLUserTable user_table_nameName of MySQL Databse table in the database which holds the user name and passwords.
AuthMySQLGroupTable group_table_nameDatabse table holding group info.
AuthMySQLNameField user_field_nameIf not using default field name 'user_name', then specify. Not case sensitive id CHAR or VARCHAR.
AuthMySQLPasswordField password_field_nameIf not using default field name 'user_passwd', then specify. Passwords are case sensitive.
AuthMySQLGroupField group_field_nameIf not using default field name 'groups', then specify.
AuthMySQLNoPasswd OffOff: Passwords can be null (').
On: password must be specified.
AuthMySQLPwEncryption noneOptions: none, crypt, scrambled (MySQL password encryption), md5, aes, sha. If you are going to use plain-text passwords for mysql authentication, you must include this directive with the argument 'none'.
AuthMySQLSaltField salt_string mysql_column_nameSalt field to be used for crypt and aes.
AuthMySQLAuthoritative onAuthenticate using other authentication modulesafter the user is successfully authenticated by the MySQL auth module.Default on: request is not passed on.
AuthMySQLKeepAlive OffOff: Close the MySQL link after each authentication request.

MySQL Admin:

  • mysqladmin -h localhost -u root -ppassword create http_auth
  • mysql -h localhost -u root -ppassword
  • mysql> use http_auth
  • mysql> create table mysql_auth ( user_namechar(30) NOT NULL,user_passwd char(60) NOT NULL,user_groupchar(25),primary key (user_name) );
  • mysql> insert into mysql_auth values('Fred','supersecret','worker');

Links:

  • Home page for mod_auth_dbm [Apache 1.3] - [Apache 2.0]
Login URL Tricks:

Here is a trick to incorporate a login and password into a URL. Typicallone would attempt to enter the password protected area of the web siteand the userwould be confronted with a login dialog box into which one would enterthe user id and password.Another option is to enter a URL with the login and password embedded.

Apache:
  • Apache::AuthenSmb, Apache2::AuthenSmb - Microsoft Active Directory authentication
  • Apache::AuthenMSAD, Apache2::AuthenMSAD - Samba NT PDC authentication
  • Apache::AuthenNTLM, Apache2::AuthenNTLM- Microsoft NTLM LAN protocol suported by MS/Internet Explorer.Login/password credentials passed on the web server by IE browser.
Http2Other forms of web authentication:
  • Facebook Platform authentication - Using OAuth protocol, the Facebook API allows developers to use Javascript, PHP, Python, etc.
    IETF OAuth 2.0 Protocol draft
  • OpenID - decentralized URL based auth
    Authentication Server Providers:
    • Google OpenID
      OpenID for Google Apps API
    • OpenID - two factor auth
    API:
    • mod_auth_openid - Apache 2
    • List of OpenID Libraries - developer interfaces
  • SAML: Security Assertion Markup Language - XML based authentication
    Authentication Server Providers:
Books:
'Apache Server Bible 2'
by Mohammed J. Kabir
ISBN # 0764548212, Hungry Minds

This book is very complete covering all aspects in detail. It is not your basic reprint of the apache.org documents like so many others.


'LDAP System Administration',
Gerald Carter
ISBN 1565924916, O'Reilly & Associates

This book covers the use of OpenLDAP and the integration of services.


'Managing NFS and NIS',
by Hal Stern, Mike Eisler, Ricardo Labiaga
ISBN 1565925106, O'Reilly & Associates
Please enable JavaScript to view the comments powered by Disqus.