User authentication for Apache servers

Author: Xu Hui

Readers who browse the web will often have seen this: when accessing certain resources on a site, the browser pops up a dialog box asking for a user name and password. This is user authentication. User authentication is the first line of defense for network system resources: it controls all logins and checks the legitimacy of the users requesting access, with the goal of letting only legitimate users access network resources with legitimate privileges. The basic user authentication technique is "user name + password".

Apache is currently a popular web server that runs on Linux, Unix, Windows and other operating systems, and it handles "user name + password" authentication well. The user names and passwords required for Apache authentication can be stored in two different ways: in a text file, or in a database such as mSQL, Oracle or MySQL. The following uses Apache on Linux as the example and describes how to implement user authentication with each of the two storage methods; Apache user authentication on Windows is described briefly at the end.

I. Using a text file for storage

The basic idea of this kind of authentication is: once authentication is enabled in Apache, you create a file named .htaccess in the directory to which access should be restricted and put the authentication configuration commands in it. When a user accesses a file in that directory for the first time, the browser displays a dialog box asking for a user name and password to confirm the user's identity. If the user is legitimate, the requested page is displayed; for every further page in that directory the browser sends the user name and password automatically, so they need not be entered again until the browser is closed. The specific steps are as follows:

Log in to Linux as the superuser root, assuming that Apache 1.3.12 has been compiled and installed into the /usr/local/apache directory. By default, the mod_auth module is included automatically when Apache is compiled; this module implements "user name + password" authentication with a text file as the storage method.

1. Modify the Apache configuration file /usr/local/apache/conf/httpd.conf and set the configuration commands for the directory that holds the resources to be authenticated.

The following example is the configuration for the /usr/local/apache/htdocs/members directory:

    <Directory /usr/local/apache/htdocs/members>
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
    </Directory>

Here the AllowOverride AuthConfig line allows user authentication to be configured for files under the /usr/local/apache/htdocs/members directory.

2. Create a file named .htaccess in the restricted directory /usr/local/apache/htdocs/members, with the following content:

    AuthName "Member Area"
    AuthType Basic
    AuthUserFile /usr/local/apache/members.txt
    require valid-user


Description: the following are some of the common configuration commands in the .htaccess file:

1) AuthName command: Specifies the name of the authentication zone. The zone name is displayed to the user in the dialog box that prompts for authentication.

2) AuthType command: Specifies the authentication type. In HTTP/1.0 there is only one authentication type: Basic. HTTP/1.1 has several authentication types, such as MD5.

3) AuthUserFile command: Specifies a text file containing user names and passwords, one pair per line.

4) AuthGroupFile command: Specifies a text file that contains a list of user groups and the members of these groups. The members of a group are separated by spaces, for example: managers: user1 user2

5) require command: Specifies which users or groups are authorized for access. For example:

    require user user1 user2    (only users user1 and user2 can access)
    require group managers      (only members of group managers can access)
    require valid-user          (any user in the file specified by AuthUserFile can access)

3. Use the htpasswd program that comes with Apache to generate the text file /usr/local/apache/members.txt containing the user names and passwords; each line has the format "username:password".

    # cd /usr/local/apache/bin
    # ./htpasswd -bc ../members.txt user1 1234
    # ./htpasswd -b ../members.txt user2 5678

The text file members.txt now contains two users: user1 with password 1234, and user2 with password 5678. Note that this text file should not be stored in the web document directory tree, so that users cannot download it.

For help with the htpasswd program, run htpasswd -h.
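
The two points made above, that each line of members.txt has the form "username:password" and that the file must stay outside the web document tree, can be checked mechanically. The following is an added example, not part of the original article: it assumes PHP 7 or later, and the function names classifyHash() and auditUserFile() as well as the sample entries are constructed for illustration.

```php
<?php
// Added example: audit an htpasswd-style user file such as members.txt.
// classifyHash() and auditUserFile() are hypothetical helper names.

// Guess the storage scheme of one password field from its shape.
function classifyHash(string $field): string {
    if (preg_match('/^\$2[axy]\$\d{2}\$/', $field)) return 'bcrypt';
    if (strncmp($field, '$apr1$', 6) === 0)          return 'apr1-md5';
    if (strncmp($field, '{SHA}', 5) === 0)           return 'unsalted-sha1';
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $field)) return 'des-crypt';
    return 'plaintext-or-unknown';
}

// Return findings about the file location and about each entry.
function auditUserFile(string $contents, string $path, string $docRoot): array {
    $findings = [];
    $root = rtrim($docRoot, '/') . '/';
    if (strncmp($path, $root, strlen($root)) === 0) {
        $findings[] = "$path lies inside the document tree $docRoot";
    }
    $entries = preg_split('/\R/', $contents, -1, PREG_SPLIT_NO_EMPTY);
    foreach ($entries as $i => $entry) {
        $parts = explode(':', $entry, 2);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            $findings[] = 'entry ' . ($i + 1) . ' is not "username:password"';
            continue;
        }
        $scheme = classifyHash($parts[1]);
        if ($scheme !== 'bcrypt') {
            $findings[] = "{$parts[0]}: stored as $scheme, bcrypt preferred";
        }
    }
    return $findings;
}

// Constructed sample entries; the hash strings are made up, not real hashes.
$sample = implode("\n", [
    'user1:abCDEFGHIJKLM',
    'user2:$apr1$abcdefgh$0123456789abcdefghijkl',
    'user3:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234',
]);
$report = auditUserFile($sample,
    '/usr/local/apache/htdocs/members/members.txt', '/usr/local/apache/htdocs');
echo implode("\n", $report), "\n";
```

The 13-character test for DES crypt is a heuristic: a 13-character plaintext password made of the same characters would be reported the same way.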

When the number of users is relatively small, this method of user authentication is convenient and easy, and maintenance is simple. However, when there are tens of thousands or even hundreds of thousands of users, looking up a user takes a certain amount of time, which reduces the efficiency of the server. In that case the database approach should be used.

II. Using a database for storage

At present, Apache, PHP4 and MySQL are the best partners for building a web site on Linux, and all three are free software. Combining the three, Apache user authentication can be implemented over the HTTP protocol using PHP4 and MySQL.

User authentication can only be performed this way when PHP4 runs as an Apache module. To do this, the PHP4 module must be compiled in when Apache is compiled. Assume that PHP4 has been compiled as an Apache module, that Apache is installed in the /usr/local/apache directory, and that MySQL is installed in the /usr/local/mysql directory. Then proceed with the following steps:

1. Create a database named member in MySQL, and in it a table named users to hold the user names and passwords of the legitimate users.

1) Use the vi command to create an SQL script file auth.sql in the /tmp directory, with the following content:

    DROP DATABASE IF EXISTS member;
    CREATE DATABASE member;
    USE member;
    # The column widths are missing from this copy of the script; 20 and 16
    # are assumed values (16 characters is the PASSWORD() hash length in
    # MySQL before 4.1).
    CREATE TABLE users (
      username CHAR(20) NOT NULL,
      password CHAR(16) NOT NULL
    );
    INSERT INTO users VALUES ('user1', PASSWORD('1234'));
    INSERT INTO users VALUES ('user2', PASSWORD('5678'));

2) Start the MySQL client program mysql and execute the SQL script file auth.sql, which adds two user records to the users table.

    # mysql -u root -pmypwd < /tmp/auth.sql

2. Write a PHP header file auth.inc with the following content:

    <?php
    // Ask the browser for credentials and stop the script.
    function authenticate() {
        header("WWW-Authenticate: Basic realm=\"Member Area\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "You must enter the correct username and password.\n";
        exit;
    }

    // Return 1 if the user name and password match a row in users, else 0.
    function CheckUser($uname, $pwd) {
        if ($uname == "" || $pwd == "") return 0;
        // Escape quotes so the submitted values cannot change the query.
        $uname = addslashes($uname);
        $pwd = addslashes($pwd);
        $query = "SELECT username, password FROM users "
               . "WHERE username='$uname' AND password=PASSWORD('$pwd')";
        $db_id = mysql_connect("localhost", "root", "mypwd");
        mysql_select_db("member", $db_id);
        $result = mysql_query($query, $db_id);
        $num = mysql_num_rows($result);
        mysql_close($db_id);
        if ($num > 0) {
            return 1; // Valid login
        } else {
            return 0; // Invalid login
        }
    }
    ?>

The function authenticate() uses header("WWW-Authenticate: Basic realm=\"Member Area\"") to send an authentication request to the browser, which makes the browser pop up the user name/password dialog box. After the user enters a user name and password, the URL of the PHP script is automatically requested again, and the user name, password and authentication type are stored in three special PHP4 variables: $PHP_AUTH_USER, $PHP_AUTH_PW and $PHP_AUTH_TYPE. The PHP program can use the values of these three variables to decide whether the user is legitimate. In the header() call, Basic indicates the basic authentication type, and the realm value is the name of the authentication zone.

The call header("HTTP/1.0 401 Unauthorized") causes the browser user to receive an HTTP 401 error after entering a wrong user name or password several times in succession.

The function CheckUser() determines whether the user name and password sent by the browser match those in the MySQL database; it returns 1 if they match and 0 otherwise. The database user name root and password mypwd in mysql_connect("localhost", "root", "mypwd") should be changed to match your own MySQL settings.

3. Add the following segment at the beginning of each PHP script to which access should be restricted:

    <?php
    require("auth.inc");
    if (CheckUser($PHP_AUTH_USER, $PHP_AUTH_PW) == 0) {
        authenticate();
    } else {
        // Replace this line with the page content for legitimate users
        echo "This is the Web page that legitimate users want to visit.";
    }
    ?>

Put the web page content that should be shown to legitimate users in the else clause, replacing this line of the segment above:

    echo "This is the Web page that legitimate users want to visit.";

In this way, a user who accesses the PHP script must enter a user name and password to confirm his or her identity.
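
The same check written for current PHP, as an added example that is not the article's code: the mysql_* functions used above were removed in PHP 7, so this version uses PDO with a bound parameter and password_hash()/password_verify() instead of building the query from the submitted values. It assumes PHP 7 or later with the pdo_sqlite driver for the stand-in database; the table layout, the user "o'brien" and the passwords are constructed sample data.

```php
<?php
// Added example, not the article's code. Function names follow auth.inc.
// The in-memory SQLite database is a constructed stand-in for the MySQL
// "member" database, so the script also runs from the command line.

function authenticate(): void {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Member Area"');
    echo "You must enter the correct username and password.\n";
    exit;
}

function checkUser(PDO $db, ?string $uname, ?string $pwd): bool {
    if ($uname === null || $uname === '' || $pwd === null || $pwd === '') {
        return false;
    }
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$uname]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares against a salted password_hash() value.
    return is_string($hash) && password_verify($pwd, $hash);
}

// For MySQL: new PDO('mysql:host=localhost;dbname=member', 'root', 'mypwd')
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username VARCHAR(64) PRIMARY KEY,'
        . ' password VARCHAR(255) NOT NULL)');
$add = $db->prepare('INSERT INTO users VALUES (?, ?)');
$add->execute(['user1', password_hash('1234', PASSWORD_DEFAULT)]);
$add->execute(["o'brien", password_hash('5678', PASSWORD_DEFAULT)]);

if (PHP_SAPI === 'cli') {
    // Constructed checks: right password, wrong password, name with a quote.
    var_dump(checkUser($db, 'user1', '1234'));
    var_dump(checkUser($db, 'user1', 'wrong'));
    var_dump(checkUser($db, "o'brien", '5678'));
} elseif (!checkUser($db, $_SERVER['PHP_AUTH_USER'] ?? null,
                     $_SERVER['PHP_AUTH_PW'] ?? null)) {
    authenticate();   // register_globals is gone; credentials are in $_SERVER
} else {
    echo "This is the Web page that legitimate users want to visit.";
}
```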

III. Apache user authentication on Windows

1. When a text file is used to store the user names and passwords, the method is the same as above. Note, however, that directory names and file names in paths are all separated with the slash "/" rather than the backslash "\".

2. When a MySQL database is used to store the user names and passwords, first set up PHP 4.0.3 to run as an Apache module as described below, and then follow the method in section II, "Using a database for storage".

1) Download the Windows versions of Apache 1.3.12, PHP 4.0.3 and MySQL 3.2.32, and extract and install the three packages into the C:\apache, C:\php4 and C:\mysql directories respectively.

2) The C:\php4\sapi directory contains PHP module files for several common web servers; copy php4apache.dll from it into Apache's modules subdirectory (C:\apache\modules).

3) Modify the Apache configuration file C:\apache\conf\httpd.conf and add the following lines:

    LoadModule php4_module modules/php4apache.dll
    AddType application/x-httpd-php .php3
    AddType application/x-httpd-php-source .phps
    AddType application/x-httpd-php .php

The first line runs PHP4 as an Apache module so that user authentication can be performed; the following three lines define the file extensions of PHP scripts.

4) Add the PHP4 location "C:\php4" to the PATH command in the autoexec.bat file and restart the computer.


