Authentication and authorization for Apache Httpd servers


This article focuses on Httpd server authentication and authorization.

The so-called authentication means that a user is admitted to the server by presenting a credential; authorization means deciding whether that user has permission to obtain a particular resource on the server. Authentication applies to the server as a whole, authorization to its individual parts.

Httpd provides browser authentication: after a user enters the desired URL, the browser shows an authentication box asking for a user name and password, and once the correct ones are entered the user can access the website and obtain resources. This function lets you authenticate users without writing a dedicated authentication program at the application layer. If you don't want to write special authentication code but still need authentication, you can borrow this function.

The authorization function provided by Httpd can further protect server resources on top of authentication: it can decide whether a user has read permission on a directory based on IP address, subnet, a specified user, or an environment variable. Of course, authorization is not tied to authentication; even when authentication is not required, authorization can be configured separately. Next, let's look at how Httpd authentication and authorization are configured.

First, authentication. There are two types of Httpd authentication: plaintext (Basic) authentication and digest authentication. Plaintext authentication sends the user name and password to the server in the clear; after receiving them, the server compares them against the authentication file or database to decide whether authentication succeeds. Because the credentials are transmitted in plaintext, non-SSL connections carry a certain risk. Digest authentication instead sends a hash of the password entered by the user to the server, which improves the security of the user's password to a certain extent. However, not every browser supports digest authentication, so you must test it in multiple browsers.

For the specific authentication process, Httpd provides two methods: Text and database. That is, we can store valid user names and passwords in text files or databases. The following describes the authentication configuration methods.

Solution 1: plaintext authentication + TEXT Authentication

First, we need to create our "password book" with the htpasswd script. It is located in the bin directory of your Httpd installation, alongside the httpd command. Create a password with ./htpasswd -c <password file path> <user name>. For example, to create the password book /usr/local/httpd/users/u_basic with the user name wangwei, run ./htpasswd -c /usr/local/httpd/users/u_basic wangwei. A prompt asks you to enter and confirm the password you want. Note that -c creates (and overwrites) the file, so omit it when adding further users to an existing password book.

If we want to set authentication under the root directory of the server document, we will perform the following Configuration:

LoadModule unixd_module modules/mod_unixd.so
LoadModule alias_module modules/mod_alias.so
LoadModule mime_module modules/mod_mime.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
# mod_unixd.so and mod_mime.so are core Httpd modules and must be loaded. The authentication
# modules are prefixed mod_authn_ (who the user is) and mod_authz_ (what the user may do).
# For text authentication a normal build is enough; for database authentication you must
# recompile apr-util to produce the apr_dbd_mysql.so dynamic link library.
Listen 80
ServerName localhost
DocumentRoot "/usr/local/httpd/htdocs"
# To protect the document root, put the authentication directives inside its Directory container.
# Httpd does not accept a comment after a directive on the same line, so each comment is on its own line.
<Directory "/usr/local/httpd/htdocs">
    # Realm name; any English string, shown in the authentication box the browser pops up
    AuthName auth
    # Basic (plaintext) authentication
    AuthType Basic
    # Look up users in a text file
    AuthBasicProvider file
    # Location of the password book
    AuthUserFile /usr/local/httpd/users/u_basic
    # Only users who authenticate successfully may access this directory
    Require valid-user
</Directory>

My server address is 192.168.1.11. After configuring, enter http://192.168.1.11/index.html in the browser and the authentication box is displayed:

Is it easy? Enter the username and password you just set to go to the page.


Solution 2: plaintext authentication + SDBM Authentication
SDBM is a simple file-based database available on Linux. If you do not want to install MySQL but have many users to deploy, SDBM is a good choice. The SDBM password book cannot be generated with the htpasswd script; Httpd provides a separate generator named htdbm, found in the same directory as htpasswd. Create a password with ./htdbm -c <password file path> <user name>. For example, to create the password book /usr/local/httpd/users/auth_sdbm with the user name wangwei, run ./htdbm -c /usr/local/httpd/users/auth_sdbm wangwei. A prompt asks you to enter the password you want.

To achieve what solution 1 does but with SDBM authentication, you only need to modify the configuration inside the Directory container:

<Directory "/usr/local/httpd/htdocs">
    AuthName auth
    AuthType Basic
    # Use DBM authentication
    AuthBasicProvider dbm
    # Location of the DBM password book
    AuthDBMUserFile /usr/local/httpd/users/auth_sdbm
    Require valid-user
</Directory>

Again, if you want to use database authentication, you must build the apr_dbd_mysql.so dynamic link library through apr-util and place it in a lib directory that Linux searches automatically.

Solution 3: plaintext authentication + MySQL Authentication
To use MySQL authentication, you must first install the MySQL server. How is the MySQL "password book" set up? By creating a database and a table. The basic steps are as follows. First, create a database named auth. In the auth database, create a table named users with three columns: id, an auto-incrementing number; user, which stores the user name; and password, which stores the password. Then store the user name and password you want in the table. The password must be encrypted with the CRYPT function, which you can obtain through the htpasswd script; for example, run /usr/local/httpd/bin/htpasswd -c /usr/local/httpd/users/auth_mysql wangwei to create a password for wangwei. After entering the password 123456, a file named auth_mysql is generated. Open auth_mysql and you find one record: wangwei:$apr1$FXx0wpMP$zr4ot39Ef0qK1TdoVMNjR0. The part after "wangwei:" is the encrypted password; store that string in the password column.


The configuration in the Httpd configuration file is as follows:


# Load the LoadModule lines from solution 1 first
# The DB driver is mysql
DBDriver mysql
# Connection string in the driver's own syntax (no spaces around '='); a dedicated
# low-privilege database account is preferable to root for this lookup
DBDParams "host=192.168.1.11 port=3306 dbname=auth user=root pass=123456"
DBDMin 1
DBDKeep 2
DBDMax 10
DBDExptime 60
Listen 80
ServerName localhost
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">
    AuthName auth
    AuthType Basic
    # Use DBD (SQL database) authentication
    AuthBasicProvider dbd
    # Query returning the encrypted password for a user. %s is bound by mod_dbd as a
    # prepared-statement parameter; the column names must match the users table created above
    # (quoting them as string literals, as in 'password', would select the literal text instead)
    AuthDBDUserPWQuery "SELECT password FROM users WHERE user = %s"
    Require valid-user
</Directory>

Solution 4: Digest Authentication + TEXT Authentication
The configuration of digest authentication is almost the same as that of basic authentication. There are only two differences: digest authentication requires htdigest to create the keystore, and it requires an authentication realm. The htdigest script lives in the same directory as htpasswd. Create an entry with ./htdigest -c <password file path> <realm name> <user name>, for example ./htdigest -c /usr/local/httpd/users/auth_digest auth wangwei. The realm name must match the AuthName directive in the configuration, because the stored hash is computed over user name, realm and password together. The authentication domain (AuthDigestDomain) is a URI; to match solution 1 we set it to /.

The configuration method is as follows:

<Directory "/usr/local/httpd/htdocs">
    AuthName auth
    # Use Digest authentication
    AuthType Digest
    AuthDigestProvider file
    # Digest authentication domain is /
    AuthDigestDomain /
    AuthUserFile /usr/local/httpd/users/auth_digest
    Require valid-user
</Directory>
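To show why the realm given to htdigest must equal AuthName, here is an added example (not code from the original article or from Httpd) that builds an htdigest-style entry for the user wangwei in realm auth and verifies a browser's Digest response against it the way the server does; the nonce, cnonce and password values are constructed for the demonstration.

```python
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_entry(user: str, realm: str, password: str) -> str:
    """One line as htdigest writes it: user:realm:MD5(user:realm:password).
    The server keeps only this HA1 value, never the password itself."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"

def client_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the browser places in the 'response=' field (RFC 2617, qop=auth)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(htdigest_text, auth_name, user, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Recompute the expected response from the stored HA1 for the realm named by AuthName."""
    for line in htdigest_text.splitlines():
        if not line.strip():
            continue
        u, r, ha1 = line.strip().split(":", 2)
        if u == user and r == auth_name:
            ha2 = md5_hex(f"{method}:{uri}")
            expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
            return hmac.compare_digest(expected, response)
    return False  # unknown user, or the file's realm does not match AuthName

# Constructed sample: the article's user wangwei, realm auth, password 123456
HTDIGEST_FILE = htdigest_entry("wangwei", "auth", "123456") + "\n"
NONCE, NC, CNONCE = "constructed-server-nonce", "00000001", "constructed-cnonce"

def demo(realm_in_browser="auth", password="123456", auth_name="auth"):
    """Round trip for GET /index.html; returns True only when password and realm both line up."""
    resp = client_response("wangwei", realm_in_browser, password, "GET", "/index.html", NONCE, NC, CNONCE)
    return server_verify(HTDIGEST_FILE, auth_name, "wangwei", "GET", "/index.html", NONCE, NC, CNONCE, resp)

if __name__ == "__main__":
    print(demo(), demo(password="wrong"), demo(auth_name="other"))
```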


Httpd authorization
In addition to browser authentication with user names and passwords, we can further restrict access by IP address and subnet. This requires Httpd authorization. To illustrate, consider the following scenarios.
Scenario 1: restrict by IP address so that hosts in the 192.168.1.0 network can access the site but 192.168.1.254 cannot. The configuration is as follows:

LoadModule unixd_module modules/mod_unixd.so
LoadModule alias_module modules/mod_alias.so
LoadModule mime_module modules/mod_mime.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so
# mod_access_compat provides the Allow/Deny/Order/Satisfy directives used below and must be loaded
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
Listen 80
ServerName localhost
DocumentRoot "/usr/local/httpd/htdocs"
<Directory "/usr/local/httpd/htdocs">
    # A full four-octet address such as 192.168.1.0 matches only that single host; to cover
    # the whole network write a partial address (192.168.1) or a CIDR block (192.168.1.0/24)
    Allow from 192.168.1.0/24
    Deny from 192.168.1.254
    # Evaluation order: Allow rules first, then Deny rules; a host matching neither is denied
    Order Allow,Deny
</Directory>
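The following added example (not from the original article or from Httpd) models how mod_access_compat interprets Allow/Deny arguments and the two Order modes, so a scenario like the one above can be checked before it is deployed; the partial-address and CIDR handling follows the module's documented behaviour, and the client addresses are constructed.

```python
import ipaddress

def access_pattern(arg: str):
    """Interpret one 'Allow from' / 'Deny from' argument as mod_access_compat does.
    'all' is every host; 'a.b.c.d/n' is a CIDR block; a partial address with 1-3
    octets ('192.168.1') covers that whole prefix; a full four-octet address
    ('192.168.1.0') matches exactly one host, the pitfall in the scenario above."""
    if arg == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in arg:
        return ipaddress.ip_network(arg, strict=False)
    octets = arg.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address pattern: {arg}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

def host_allowed(client_ip: str, order: str, allow: list, deny: list) -> bool:
    """Order Allow,Deny: default deny, a matching Deny wins.
    Order Deny,Allow: default allow, a matching Allow wins."""
    ip = ipaddress.ip_address(client_ip)
    matches_allow = any(ip in access_pattern(a) for a in allow)
    matches_deny = any(ip in access_pattern(d) for d in deny)
    if order == "Allow,Deny":
        return matches_allow and not matches_deny
    if order == "Deny,Allow":
        return matches_allow or not matches_deny
    raise ValueError(f"unknown Order: {order}")

def scenario_one(client_ip: str, allow_arg: str = "192.168.1.0/24") -> bool:
    """Scenario 1 from the article; pass allow_arg='192.168.1.0' to see the single-host form."""
    return host_allowed(client_ip, "Allow,Deny", [allow_arg], ["192.168.1.254"])

if __name__ == "__main__":
    for ip in ("192.168.1.11", "192.168.1.254", "10.0.0.5"):  # constructed client addresses
        print(ip, scenario_one(ip), scenario_one(ip, "192.168.1.0"))
```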

Scenario 2: authorization on top of authentication, requiring both browser authentication and the IP address restriction. The configuration is as follows:

<Directory "/usr/local/httpd/htdocs">
    Allow from 192.168.1.0/24
    Deny from 192.168.1.254
    Order Allow,Deny
    AuthName auth
    AuthType Digest
    AuthDigestProvider file
    AuthDigestDomain /
    AuthUserFile /usr/local/httpd/users/auth_digest
    Require valid-user
    # Both the host restriction and the user authentication must pass (Satisfy Any would accept either one)
    Satisfy All
</Directory>
