HTTPD Web identity authentication

Source: Internet
Author: User
Tags crypt diff md5 encryption

This article directory:
1.1 htpasswd Command
1.2 Basic instructions for Identity authentication class
1.3 require directive
1.4 Web Identity Authentication Example

httpd's support for Web identity authentication is rich, and the control it provides is very fine-grained. Naturally, feature-rich means more modules. For the complete module list see http://httpd.apache.org/docs/2.4/mod/ , where all the mod_auth* modules are related to authentication. For the most basic account-based access control only a few common modules are needed: mod_authz_core, mod_authz_user, mod_authz_host and so on.

1.1 htpasswd Command

htpasswd, provided by the httpd-tools package, generates the password entry used for Web user authentication for a given user. It supports 3 encryption algorithms: MD5, SHA, and the system's crypt() function; MD5 is the default when no algorithm is specified.

Usage:

    htpasswd [-c] [-m] [-D] passwdfile username
    htpasswd -b [-c] [-m | -d | -p | -s] [-D] passwdfile username password
    htpasswd -n [-m | -d | -s | -p] username
    htpasswd -nb [-m | -d | -s | -p] username password

Option description:

    • passwdfile: the user password file containing the user names and their passwords. With the "-c" option the file is created or overwritten. Unless "-n" is used, the passwdfile parameter must be given.
    • username: creates a password for the given user name. If the user record already exists, it is updated.
    • -c: creates the user password file passwdfile, overwriting it if it already exists. Cannot be used together with "-n".
    • -n: prints the result to standard output instead of writing it to the user password file. This option ignores the passwdfile parameter. Cannot be used together with "-c".
    • -m: use the MD5 algorithm. This is the default.
    • -d: use the crypt() function to compute the password. Not secure.
    • -s: use the SHA algorithm. Secure.
    • -p: force an unencrypted password, i.e. keep it in clear text. Not secure.
    • -B: force bcrypt for the password. Very secure.
    • -D: removes the given user and their password from the user password file.
    • -b: batch (non-interactive) mode: the plaintext password is passed directly on the command line to be encrypted.
    • password: the plaintext password to be used. Only usable in batch mode, i.e. together with "-b".

For example:

(1). Use the "-n" option to output the result directly to standard output without creating a passwdfile.

    [root@xuexi ~]# htpasswd -n Jim
    New password:
    Re-type new password:
    Jim:ZKHud9tziGucY

(2). Use batch mode to pass passwords directly.

    [root@xuexi ~]# htpasswd -nb Jim 123456 ; htpasswd -nb Jim 123456
    Jim:r.BF8RVw56BOA
    Jim:xXoNgOS8nN3LQ

Notice that the resulting hash is completely random: the same password produces a different result each time.

(3). Create user password file passwdfile.

    [root@xuexi ~]# htpasswd -cb Bobfile Bob 123456
    [root@xuexi ~]# cat Bobfile
    Bob:fvUxzB3kcnDPk

(4). Delete a user from the user's file.

[root@xuexi ~]# htpasswd -D Bobfile Bob

(5). Use the SHA and MD5 encryption algorithms to calculate the password.

    [root@xuexi ~]# htpasswd -mb Bobfile Bob 123456
    [root@xuexi ~]# cat Bobfile
    Bob:$apr1$bllkodFt$GUmeb8hXngOAschs1SBgq0
    [root@xuexi ~]# htpasswd -sb Bobfile Bob 123456
    [root@xuexi ~]# cat Bobfile
    Bob:{SHA}fEqNCco3Yq9h5ZUglD3CZJT4lBs=
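As an added example (not from the article), the following Python script parses an htpasswd file containing the hash formats shown above, reports which scheme each entry uses, flags the ones the article itself calls insecure (crypt and plaintext), and verifies a {SHA} entry, which is simply base64(sha1(password)). The file contents are constructed from the values shown above; the Alice and Tom entries are made up.

```python
import base64
import hashlib
import hmac

# Constructed sample file: the entries reuse the hashes shown above (all for "123456").
SAMPLE_HTPASSWD = """\
Bob:fvUxzB3kcnDPk
Alice:$apr1$bllkodFt$GUmeb8hXngOAschs1SBgq0
Jim:{SHA}fEqNCco3Yq9h5ZUglD3CZJT4lBs=
Tom:123456
"""

WEAK = {"crypt", "plain"}   # the formats the article itself calls insecure

def hash_scheme(stored):
    """Identify which htpasswd option produced one stored password field."""
    if stored.startswith("$apr1$"):
        return "md5"        # -m: Apache MD5 crypt, salted (the default)
    if stored.startswith("{SHA}"):
        return "sha1"       # -s: unsalted SHA-1, base64 encoded
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"     # -B
    if len(stored) == 13 and all(c.isalnum() or c in "./" for c in stored):
        return "crypt"      # -d: traditional DES crypt, 2-char salt
    return "plain"          # -p: cleartext

def parse_htpasswd(text):
    """Return {user: stored_field} for every non-empty, non-comment line."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def audit(text):
    """List (user, scheme, is_weak) so an admin can see which entries need re-hashing."""
    return [(u, hash_scheme(h), hash_scheme(h) in WEAK) for u, h in parse_htpasswd(text).items()]

def verify_sha(stored, password):
    """Check a {SHA} entry: the field is base64(sha1(password)); compare in constant time."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)

if __name__ == "__main__":
    for user, scheme, weak in audit(SAMPLE_HTPASSWD):
        print(f"{user:6} {scheme:7} {'WEAK' if weak else 'ok'}")
    print("Jim/123456:", verify_sha(parse_htpasswd(SAMPLE_HTPASSWD)["Jim"], "123456"))
```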

1.2 Basic instructions for Identity authentication class

AuthType: specifies the type of Web identity authentication. Valid values are None, Basic, Digest and Form. The most basic setup authenticates against a file, so Basic is normally used.
AuthName: sets the prompt (realm) shown for identity authentication.
AuthUserFile file-path: specifies the Web user authentication list, generated by the htpasswd command.
AuthGroupFile file-path: specifies the group authentication file; the group format in it is "mygroup: jim bob alice". If the file path is relative, it is relative to ServerRoot.

For Basic authentication only these few directives are needed; the most important one is the Require directive. For other authentication methods see the official manual of the auth modules.

1.3 require directive

This directive is placed in directory-type containers and controls access to the directory. Its main functionality comes from the mod_authz_core module, but some authentication modules provide additional Require functionality. It can be placed in <Directory>, <Files> or <Location> containers.

Main functions:

    • Require all granted
      Allow everyone to access the directory unconditionally
    • Require all denied
      Deny everyone access to the directory unconditionally
    • Require env env-var [env-var] ...
      Allow access to the directory only if one of the given environment variables is defined
    • Require method http-method [http-method] ...
      Allow access to the directory only for the given HTTP request methods, e.g. only allow GET
    • Require expr expression
      Allow access to the directory only if the given expression is true

The Require instruction functions provided by the Authentication class module include:

    • mod_authz_user provides for the Require directive:
      • Require user userid [userid] ... : only the listed user IDs from the authentication list may access
      • Require valid-user: all users in the authentication list may access
    • mod_authz_groupfile provides for the Require directive:
      • Require group group1 [group2] ... : users in the listed groups may access
    • Local file-system identity class:
      • Require file-owner: the Web user name must match the user name of the requested file's owner (UID)
      • Require file-group: the Web user name must be a member of the group (GID) that owns the requested file
    • mod_authz_host provides the ip and host features for the Require directive:
      • Require ip 192.168.1.104 192.168.1.205
      • Require ip 10.1
      • Require ip 10 172.20 192.168.2
      • Require ip 10.1.0.0/255.255.0.0
      • Require ip 10.1.0.0/16
      • Require host www.example.org
      • Require host example.org
      • Require host .net example.edu
      • Require local

The Require directive can be immediately followed by the keyword not, which negates it, for example "Require not group group1" or "Require not local".

Require conditional containers are also supported: <RequireAll>, <RequireAny> and <RequireNone>. Require directives that are not written inside any such container are implicitly placed in a <RequireAny> container.

    • <RequireAll>: the container succeeds if none of the Require directives inside it fail and at least one of them succeeds. If none of them succeed and none fail, the container is neutral. In all other cases (i.e. at least one failure) the container fails.
    • <RequireAny>: the container succeeds if any one of the Require directives inside it succeeds. If none of them succeed and none fail, the container is neutral. In all other cases (no success and at least one failure) the container fails.
    • <RequireNone>: the container fails if any Require directive inside it succeeds; otherwise it is neutral.

1.4 Web Identity Authentication Example

Take Basic authentication, the most common form, as the example. Both user-based and group-based authentication are supported.

1.4.1 User-based authentication

First create the Web user list file with the passwords. There are 4 users: Jim, Bob, Alice and Tom.

    [root@xuexi ~]# htpasswd -cb /usr/local/apache/a_com.pass Jim 123456
    [root@xuexi ~]# htpasswd -b /usr/local/apache/a_com.pass Bob 123456
    [root@xuexi ~]# htpasswd -b /usr/local/apache/a_com.pass Alice 123456
    [root@xuexi ~]# htpasswd -b /usr/local/apache/a_com.pass Tom 123456

Modify the httpd configuration file. Assume that only the a.com directory of www.a.com requires authentication and that only Jim and Bob may authenticate; the other directories and www.b.com require no authentication, and authentication by any other user fails.

    <VirtualHost 192.168.100.14:80>
        ServerName www.a.com
        DocumentRoot /usr/local/apache/htdocs/a.com
        <Directory /usr/local/apache/htdocs/a.com>
            AllowOverride AuthConfig
            AuthType Basic
            AuthName "Please enter your name & passwd"
            AuthUserFile a_com.pass
            Require user Jim Bob
        </Directory>
    </VirtualHost>
    <VirtualHost 192.168.100.14:80>
        ServerName www.b.com
        DocumentRoot /usr/local/apache/htdocs/b.com
    </VirtualHost>

AuthUserFile uses a relative path here, so the file must be placed under ServerRoot (in my test environment ServerRoot is /usr/local/apache). The "Require user" line can be replaced with "Require valid-user" to allow every user in a_com.pass to authenticate.

Then restart httpd and modify the client hosts file.

192.168.100.14 www.a.com www.b.com

Re-test access.

1.4.2 Group-based authentication

Group-based authentication only requires creating a group file that contains the group name and the member users of that group.

For example, add Tom and Alice to the allow group so that they can also access the a.com directory.

    echo 'allow:Tom Alice' > /usr/local/apache/auth_group

Modify the configuration file, for example:

    <VirtualHost 192.168.100.14:80>
        ServerName www.a.com
        DocumentRoot /usr/local/apache/htdocs/a.com
        <Directory /usr/local/apache/htdocs/a.com>
            AllowOverride AuthConfig
            AuthType Basic
            AuthName "Please enter your name & passwd"
            AuthUserFile a_com.pass
            AuthGroupFile auth_group
            Require user Jim Bob
            Require group allow
        </Directory>
    </VirtualHost>
    <VirtualHost 192.168.100.14:80>
        ServerName www.b.com
        DocumentRoot /usr/local/apache/htdocs/b.com
    </VirtualHost>

Restart for testing.
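To make the container rules in 1.3 and the two Require lines of this group example concrete, here is an added Python model (not part of the article or of httpd itself) of the granted/denied/neutral evaluation, including "Require not". USERS and GROUPS mirror a_com.pass and auth_group above; any other user name used with it is made up.

```python
GRANT, DENY, NEUTRAL = "granted", "denied", "neutral"

USERS = {"Jim", "Bob", "Alice", "Tom"}      # the users in a_com.pass
GROUPS = {"allow": {"Tom", "Alice"}}         # the contents of auth_group

def require(directive, user):
    """Evaluate one 'Require ...' line for the authenticated user (None = nobody)."""
    words = directive.split()
    negate = words[:1] == ["not"]
    if negate:
        words = words[1:]
    kind, args = words[0], words[1:]
    if kind == "all":
        result = GRANT if args == ["granted"] else DENY
    elif kind == "valid-user":
        result = GRANT if user in USERS else NEUTRAL
    elif kind == "user":
        result = GRANT if user in args else NEUTRAL
    elif kind == "group":
        result = GRANT if any(user in GROUPS.get(g, ()) for g in args) else NEUTRAL
    else:
        raise ValueError("unsupported directive: " + directive)
    if negate:  # 'Require not' can only fail or stay neutral, never grant
        return DENY if result == GRANT else NEUTRAL
    return result

def require_all(results):
    """<RequireAll>: any failure fails; otherwise succeeds if at least one succeeded."""
    if DENY in results:
        return DENY
    return GRANT if GRANT in results else NEUTRAL

def require_any(results):
    """<RequireAny>: one success is enough; all neutral stays neutral; otherwise fails."""
    if GRANT in results:
        return GRANT
    return NEUTRAL if all(r == NEUTRAL for r in results) else DENY

def require_none(results):
    """<RequireNone>: fails as soon as any inner directive succeeds, else neutral."""
    return DENY if GRANT in results else NEUTRAL

def a_com_access(user):
    """The two Require lines of the group example, implicitly wrapped in <RequireAny>."""
    return require_any([require("user Jim Bob", user), require("group allow", user)])

def is_allowed(user):
    """httpd grants access only on an explicit success; a neutral result is still denied."""
    return a_com_access(user) == GRANT
```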

Back to the Linux series article outline: http://www.cnblogs.com/f-ck-need-u/p/7048359.html
Back to the Site Architecture series article outline: http://www.cnblogs.com/f-ck-need-u/p/7576137.html
Back to the Database series article outline: http://www.cnblogs.com/f-ck-need-u/p/7586194.html
When reprinting, please cite the source: http://www.cnblogs.com/f-ck-need-u/p/7634205.html
