Authentication and authorization of Apache httpd server

Source: Internet
Author: User
Tags: password book

It has been about a month since I last wrote a technical article. Apart from two days of rest over the New Year, I spent that month developing my own personal website, a site whose features help PHP developers and operations colleagues set up a LAMP environment conveniently; I will introduce it in detail later. From today I will continue writing configuration articles about the httpd server. In this one we mainly discuss authentication and authorization on the httpd server.

Authentication, as I understand it, is the process by which a user presents a credential to get into the server; authorization is whether that user has the right to obtain a particular resource on the server. Authentication governs access as a whole; authorization governs the individual parts.

httpd provides browser-level authentication: when the user enters a URL, the browser pops up a dialog asking for a user name and password, and only after the correct pair has been entered can the user enter the site and fetch resources. This moves authentication out of the application logic, so no special authentication code has to be written at the application layer. If you do not want to write authentication code yourself but still need the feature, this is a handy shortcut =. =

The authorization function provided by httpd can further protect server resources on top of authentication: it can decide whether a client may read a directory based on IP address, subnet, a specified user, or an environment variable. Authorization and authentication are not necessarily linked; even without authentication you can configure authorization on its own. Next, let's look at how httpd's authentication and authorization are configured.

First, authentication. httpd offers two kinds: Basic authentication and Digest authentication. With Basic authentication the browser sends the user name and password to the server essentially in the clear (the Authorization header carries them Base64-encoded, which is an encoding, not encryption), and the server looks the pair up in the authentication file or database to decide whether the login succeeds. Because the credentials travel in the clear, Basic authentication carries real risk over a connection that is not protected by SSL/TLS. With Digest authentication the browser sends an MD5-based digest computed from the password, the realm and a server-supplied nonce, so the password itself is never transmitted, which improves the protection of user passwords to a certain extent; however, Digest still rests on MD5 and is not a substitute for TLS, and not every browser has supported it equally well, so test in several browsers when you use it.

For storing the credentials, httpd provides a text-file backend and database backends: the valid user names and passwords can be kept in a text file, in a DBM file, or in an SQL database reached through mod_dbd. Below are examples of how each kind of authentication is configured.

Scenario 1: Basic authentication + text-file password book

First we need to create our "password book", using the htpasswd tool. It lives in the bin directory under your httpd installation directory, next to the httpd command, and is invoked as ./htpasswd -c "path to the password book" "user name". If I want to create the password book as /usr/local/httpd/users/u_basic with the user name Wangwei, the command is: ./htpasswd -c /usr/local/httpd/users/u_basic Wangwei. A prompt asks you to enter the password twice; set the one you want. Two notes: -c creates the file and overwrites any existing one, so omit it when adding further users to an existing book; and keep the file outside DocumentRoot (as the path above is) so it can never be served to clients. By default htpasswd writes the Apache-specific $apr1$ iterated-MD5 hash; on httpd 2.4 you can pass -B to use bcrypt instead.

If we want to require authentication under the server document root, we configure the following:


LoadModule unixd_module modules/mod_unixd.so
LoadModule alias_module modules/mod_alias.so
LoadModule mime_module modules/mod_mime.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so

# mod_unixd and mod_mime are core modules of httpd and must be loaded.
# Authentication modules are prefixed mod_authn_ (who the user is) and
# mod_auth_ (the scheme presented to the browser); authorization modules
# are prefixed mod_authz_ (what the user may do).
# The module name in LoadModule is a case-sensitive symbol name:
# write unixd_module, not Unixd_module.
# For text-file authentication an ordinary build is enough, but for
# database authentication apr-util has to be rebuilt with MySQL support,
# which produces a shared library named apr_dbd_mysql.so.
# httpd only accepts comments on their own line; a trailing "# ..." after
# a directive is read as extra arguments and the configuration fails to load.
Listen 80
ServerName localhost
DocumentRoot "/usr/local/httpd/htdocs"
# To require authentication under the document root, put the settings in
# the <Directory> container for the document root.
<Directory "/usr/local/httpd/htdocs">
    # Realm name: any string; the browser shows it in the login dialog
    AuthName Auth
    # Use Basic authentication
    AuthType Basic
    # Look the user up in a text file
    AuthBasicProvider file
    # Location of the password book
    AuthUserFile /usr/local/httpd/users/u_basic
    # Only a user who authenticates successfully may enter this directory
    Require valid-user
</Directory>


My server address is 192.168.1.11. After the configuration is in place, entering http://192.168.1.11/index.html in the browser pops up the authentication dialog:

[Screenshot: browser authentication dialog]

Isn't that simple? After entering the user name and password you just set, you are in.


Scenario 2: Basic authentication + SDBM password book

SDBM is a simple file-based key/value database; it is the DBM implementation bundled with apr-util (GDBM, NDBM or Berkeley DB can be used instead if apr-util was built with them). If you do not want to install MySQL but have more users than a flat text file handles comfortably, SDBM is a good choice. An SDBM password book cannot be generated with htpasswd; httpd provides its own generator for it, named htdbm, found in the same directory as htpasswd. It is invoked as ./htdbm -c "path to the password book" "user name". If I want to create the password book as /usr/local/httpd/users/auth_sdbm with the user name Wangwei, the command is: ./htdbm -c /usr/local/httpd/users/auth_sdbm Wangwei. A prompt asks you to enter the password; as with htpasswd, -c creates the file anew, so omit it when adding users to an existing book.

To achieve the same result as scenario 1 but with SDBM authentication, only the configuration inside the directory container changes:

<Directory "/usr/local/httpd/htdocs">
    AuthName Auth
    AuthType Basic
    # Look the user up in a DBM file
    AuthBasicProvider dbm
    # Location of the password book
    AuthDBMUserFile /usr/local/httpd/users/auth_sdbm
    Require valid-user
</Directory>


Again, if you want database authentication, you must build the apr_dbd_mysql.so shared library with apr-util and place it in a lib directory that the dynamic loader searches automatically.


Scenario 3: Basic authentication + MySQL password book

To use MySQL authentication you must first install a MySQL server. How is MySQL's "password book" set up? By creating a database and a table. The basic steps: create a database named auth; in it create a table named users with three columns: id, an auto-increment number; user, which holds the user name; and password, which holds the password hash. Then store the user names and passwords you want in the table. The stored value must be a password hash in a format httpd can validate, the same formats accepted in a text password book (the Apache $apr1$ MD5 scheme, {SHA}, bcrypt, or crypt(3)); never store the plaintext. The simplest way to obtain one is to run htpasswd, for example /usr/local/httpd/bin/htpasswd -c /usr/local/httpd/users/auth_mysql Wangwei to create an entry for the user Wangwei; after entering the password 123456 a file named auth_mysql is generated, and it contains a record for Wangwei such as Wangwei:$apr1$fxx0wpmp$Zr4ot39ef0qk1tdovmnjr0 (the salt, and therefore the hash, differs on every run). The part after the colon, the hash string, is what goes into the password column; the part before it goes into the user column.


The configuration in the httpd configuration file is as follows:


# The LoadModule directives from scenario 1 are loaded first.

# Use the MySQL driver (requires apr_dbd_mysql.so, see above)
DBDriver mysql
# Connection string for the auth database
DBDParams "host=192.168.1.11 port=3306 dbname=auth user=root pass=123456"
# Connection pool settings
DBDMin 1
DBDKeep 2
DBDMax 10
DBDExptime 60
Listen 80
ServerName localhost
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">
    AuthName Auth
    AuthType Basic
    # Look the user up through mod_dbd
    AuthBasicProvider dbd
    # Query returning the stored hash for a user name; %s is bound as a
    # prepared-statement parameter, so the user name cannot inject SQL
    AuthDBDUserPWQuery "SELECT `password` FROM `users` WHERE `user` = %s"
    Require valid-user
</Directory>

Two cautions about this configuration. The connection string uses the MySQL root account with its password in plain text; in practice create a dedicated MySQL account that has only SELECT on auth.users, and make sure the httpd configuration file is not world-readable. And mod_authn_dbd checks the value returned by the query with the same validation routine used for text password books, so the column must hold a supported hash, not the plaintext password.



Scenario 4: Digest authentication + text-file password book

Digest authentication is configured almost the same way as Basic authentication; there are only two differences. First, Digest needs a password book created by htdigest rather than htpasswd, because it stores MD5(user:realm:password) rather than a hash of the password alone. Second, Digest needs an authentication domain. The htdigest tool sits in the same directory as htpasswd and is invoked as ./htdigest -c "path to the password book" "realm" "user name", for example ./htdigest -c /usr/local/httpd/users/auth_digest Auth Wangwei. The realm must be exactly the value of the AuthName directive in the configuration, including case, because it is part of the stored hash; Auth here matches AuthName Auth below. The authentication domain (AuthDigestDomain) is a list of URIs that share this protection space; following scenario 1 we set it to /.

The configuration method is as follows:

<Directory "/usr/local/httpd/htdocs">
    AuthName Auth
    # Use Digest authentication
    AuthType Digest
    AuthDigestProvider file
    # The Digest protection space covers /
    AuthDigestDomain /
    AuthUserFile /usr/local/httpd/users/auth_digest
    Require valid-user
</Directory>


HTTPD's Authorization

Besides authenticating users with a user name and password in the browser, we can further restrict access by IP address and subnet. This is httpd's authorization. To illustrate it, we design the following scenarios.

Scenario 1: restrict clients by IP. Allow clients in the 192.168.1.0/24 network segment, but do not allow the client 192.168.1.254. The configuration is as follows:


LoadModule unixd_module modules/mod_unixd.so
LoadModule alias_module modules/mod_alias.so
LoadModule mime_module modules/mod_mime.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so
# mod_access_compat provides the Order/Allow/Deny directives used below
# and must be loaded for them to work on httpd 2.4
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
Listen 80
ServerName localhost
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">
    # A full four-octet address with no mask matches only that one host,
    # so "Allow from 192.168.1.0" would admit nobody but 192.168.1.0 itself.
    # Write the segment as CIDR (192.168.1.0/24) or as a partial address (192.168.1).
    Allow from 192.168.1.0/24
    Deny from 192.168.1.254
    # Evaluation order: Allow directives first, then Deny. A client matching
    # neither is denied, and a client matching both is denied.
    Order Allow,Deny
</Directory>

Order, Allow and Deny come from mod_access_compat, which exists in httpd 2.4 only to ease upgrades from 2.2. The native 2.4 form of the same rule is Require ip 192.168.1.0/24 together with Require not ip 192.168.1.254 inside a <RequireAll> block (provided by mod_authz_host), and the two styles should not be mixed in the same context.


Scenario 2: authorization on top of authentication, requiring both browser authentication and the IP restriction. The configuration is as follows:


<Directory "/usr/local/httpd/htdocs">
    Allow from 192.168.1.0/24
    Deny from 192.168.1.254
    Order Allow,Deny
    AuthName Auth
    AuthType Digest
    AuthDigestProvider file
    AuthDigestDomain /
    AuthUserFile /usr/local/httpd/users/auth_digest
    Require valid-user
    # Both the authentication and the host restriction must pass.
    # All is the default; Any would accept either one on its own.
    Satisfy All
</Directory>
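Both authorization scenarios hinge on how mod_access_compat interprets the arguments of Allow from and Deny from and on the Order directive, and a mistake there (a four-octet address where a subnet was meant, or the wrong Order) silently locks everyone out or lets everyone in. The Python script below is an added example, not httpd code: it models the IP matching rules of httpd 2.4's mod_access_compat (CIDR, partial 1 to 3 octet prefix, full single-host address, all) and the Allow,Deny and Deny,Allow orders, plus the Satisfy All/Any combination from scenario 2, and evaluates the article's rule set against constructed client addresses, contrasting the 192.168.1.0 form with 192.168.1.0/24. Host-name and env= arguments are not modelled.

```python
"""Model how mod_access_compat decides Allow/Deny (added example, not httpd code).

Re-implements the address matching of "Allow from" / "Deny from" arguments and
the Order directive of httpd 2.4's mod_access_compat so the rules from this
article can be checked offline. Host names and env= arguments are left out.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def parse_from(arg: str) -> ipaddress.IPv4Network:
    """Convert one Allow/Deny argument to a network, as apr_ipsubnet_create does:
    'all' is everything; 'a.b.c.d/nn' or 'a.b.c.d/m.m.m.m' is CIDR; a partial
    address of 1 to 3 octets ('192.168.1') is an 8/16/24-bit prefix; a full
    four-octet address with no mask matches exactly one host."""
    if arg.lower() == "all":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in arg:
        return ipaddress.IPv4Network(arg, strict=False)
    octets = arg.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IP or partial IP: {arg!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}", strict=False)


def host_allowed(order: str, allow: Iterable[str], deny: Iterable[str], client: str) -> bool:
    """Apply Order semantics to one client address."""
    ip = ipaddress.IPv4Address(client)
    in_allow = any(ip in parse_from(a) for a in allow)
    in_deny = any(ip in parse_from(d) for d in deny)
    order = order.lower().replace(" ", "")
    if order in ("allow,deny", "mutual-failure"):
        # Default deny: the client must match an Allow and must not match a Deny.
        return in_allow and not in_deny
    if order == "deny,allow":
        # Default allow: a Deny blocks the client unless an Allow also matches.
        return in_allow or not in_deny
    raise ValueError(f"unknown Order: {order!r}")


def satisfy(mode: str, host_ok: bool, user_ok: bool) -> bool:
    """Satisfy All (the default) needs both checks to pass; Satisfy Any needs either."""
    if mode.lower() == "all":
        return host_ok and user_ok
    if mode.lower() == "any":
        return host_ok or user_ok
    raise ValueError(f"unknown Satisfy: {mode!r}")


# The article's rule set as originally written and as it was evidently meant.
RuleSet = Tuple[List[str], List[str]]
AS_WRITTEN: RuleSet = (["192.168.1.0"], ["192.168.1.254"])
INTENDED: RuleSet = (["192.168.1.0/24"], ["192.168.1.254"])


def evaluate(rules: RuleSet, clients: Iterable[str]) -> Dict[str, bool]:
    """Decision per client under Order Allow,Deny for a rule set."""
    allow, deny = rules
    return {c: host_allowed("Allow,Deny", allow, deny, c) for c in clients}


if __name__ == "__main__":
    # Constructed sample clients: the article's own host, the excluded host,
    # the network address itself and an outside address.
    sample = ["192.168.1.11", "192.168.1.254", "192.168.1.0", "10.0.0.5"]
    for label, rules in (("as written", AS_WRITTEN), ("intended", INTENDED)):
        print(label, evaluate(rules, sample))
    # Scenario 2: a valid user connecting from the excluded host is still refused.
    print(satisfy("All", host_allowed("Allow,Deny", *INTENDED, "192.168.1.254"), True))
```

The "as written" line shows that Allow from 192.168.1.0 admits only the network address itself and refuses 192.168.1.11, while the CIDR form admits the segment and still refuses 192.168.1.254; the last line shows that Satisfy All turns a successful Digest login from the excluded host into a denial.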

This article is from the Architect's Path blog; please keep this source when reposting: http://wangweiak47.blog.51cto.com/2337362/1615146

