Old:Basic authentication and redirection: Difference between revisions

Jump to navigation Jump to search
Punctuation and grammatical changes; some clarification. Placed in new category: Archive.
m (Reverted edits by Upazixorys (Talk); changed back to last version by Ric)
(Punctuation and grammatical changes; some clarification. Placed in new category: Archive.)
Line 12: Line 12:
'''Power of htaccess and mod rewrite - 3.5-Apollo'''
'''Power of htaccess and mod rewrite - 3.5-Apollo'''
|}
|}
This write-up looks at extending Apache’s basic authentication allowing users to log-in to individual pages or folders. Each user is allocated a unique name and password, users are validated using Apache’s basic authentication once logged in are redirected using mod rewrite to the appropriate page or folder.
This write-up looks at extending Apache’s basic authentication allowing <span id="top"></span>
<div style="padding:0;margin:0; border-bottom:3px inset #000000">
{|
| [[Image:uc_small_logo.gif | MPG UniCenter]] ||
Extending Apache’s basic authentication using mod rewrite.
|}
</div>
{| cellpadding="2"
|
__TOC__
||
'''Power of htaccess and mod rewrite - 3.5-Apollo'''
|}
This document has been superseded by [[Authentication: Introduction]] which covers password protecting folders and individual files. It also covers how to secure these using SSL so that names, passwords and data are sent encrypted over the Internet.   
 
This write-up looks at extending Apache’s basic authentication, allowing users to log-in to individual pages or folders. Each user is allocated a unique name and password. Users are validated using Apache’s basic authentication, and once logged in are redirected using mod rewrite to the appropriate page or folder.
 
== Private Server ==
Uniform Server already has this authentication mechanism in place.
 
Name-password pairs are stored in the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www'''. It has the default pair '''root:root''' (order name:password)
 
To enable Uniform Server as a private server, open the file '''.htaccess''' contained in folder '''www''' and uncomment the following four lines as shown:
 
<pre>
AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
</pre>
 
Start the servers, type '''<nowiki>http:/localhost</nowiki>''' into your browser address bar and you will be challenged for a user name and password. To gain access enter '''root''' and '''root'''.
 
The '''htaccess''' file protects the folder it’s contained in and all sub-folders hence if you try to directly access a page anywhere on the server you will be challenged. '''Validation''' is stored meaning you are required to authenticate only once and will not be challenged again.
 
'''''Note 1'':''' When testing this can be a problem because you need to reset the stored validation the only way I know of doing this is to restart the browser. This breaks the server link removing any stored information. Another minor irritation is stored pages in the browser cache; clean this to avoid misleading results. 
 
Generally you would like to have an Internet presence hence do not want to protect the entire server only a small area. On the main index page you would provide a login link to this protected area. Its possible to restrict users to a single page or restrict them to a private folder, I cover these two options below.
 
'''''Note 2'':''' Before continuing restore the above four lines back to their defaults as shown below:
<pre>
#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
</pre>
 
 
== Private page ==
Apache's basic authentication is not very flexible, however you can bend it a little using mod rewrite and create something useful without the need for any scripting, such as PHP or Perl.
 
You must use a secured server so that name/password pair and personal data on a page are encrypted. That said, you can test on a standard Uniform Server installation.
 
This solution uses only a '''.htacces''' file with mode-rewrite performing the redirection. This example demonstrates the concept.
 
# I have created a folder named '''secure''' in the root folder '''www'''.
## Folder secure contains '''John.html''', '''Dave.html''' and '''Mike.html'''. These are the personal data pages.
## This folder also contains an '''index.html''' page which states something like “'''you need to login'''” it's a default should the login fail.
<ol start="2">
<li> My main index page in the root folder '''www''' contains the following link:<br>'''<nowiki><a href="secure/index.html">Secure login</a></nowiki>'''<br>When clicked takes me to the protected folder.
 
<li> Open the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www''' delete its content and add name/password pairs e.g.
<pre>
John:21
Dave Smith:22
Mike:23
</pre>
 
Yu should use real passwords, e.g. '''Mst23Xfrs'''; 21,22,23 makes it easier to test.
 
'''''Note'':''' You can use spaces in the name.
 
<li> Copy '''.htaccess'''  from the root folder '''www''' to folder '''secure''' (this saves the pain of creating one under Windows). Once copied, open the file, delete its contents and add the following:
 
<pre>
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
 
Options +FollowSymLinks
#Options +Indexes
RewriteEngine On
RewriteBase /
 
RewriteCond $1 !^John\.html
RewriteCond %{REMOTE_user} ^John$
RewriteRule (.*) /secure/John.html [R,L]
 
RewriteCond $1 !^Dave\.html
RewriteCond %{REMOTE_user} ^Dave\ Smith$
RewriteRule (.*) /secure/Dave.html [R,L]
 
RewriteCond $1 !^Mike\.html
RewriteCond %{REMOTE_user} ^Mike$
RewriteRule (.*) /secure/Mike.html [R,L]
</pre>
</ol>
*Each page to be protected requires three lines:
:* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for an individual file, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
:* The second line checks user name (all names must be unique, limitation of using this method, a user will have been validated with password however this is not accessible by the rewrite engine hence redirection on name only.) If this is valid the rewrite rule will be executed.
:* Third line accepts any uri and maps it to a single page. [R,L] R informs a browser this is a redirect (updates the address bar to display new page) L last rule no need to process any others.
*If for whatever reason no match is found it drops out of this and picks up the index page.
 
'''''Note 1'':'''  The space between '''Dave Smith''' needs to be escaped using a backslash '''“\ “''' (without the quotes)
 
'''''Note 2'':''' You will need to restart your browser to re-login.
 
I stress the need for encryption because when using '''http''', name/password is sent in '''plain text'''.
 
 
== Private folder ==
The above restricts a user to a single page all links within that page will map back to itself. Its very restrictive in that each page can contain only pure text (html) no images or access to other pages other than the non-restricted area.
 
The following removes these restrictions by allocating a folder to a user it can include sub-folders images and download files.
 
You must use a secured server so name/password pair and personal data on pages are encrypted. That said you can test on a standard Uniform Server installation.
 
Again this solution uses only a '''.htacces''' file with mode-rewrite performing the redirection this example demonstrates the concept.
 
# I have created a folder named '''secure2''' in the root folder '''www'''.
# Folder ''secure2'' contains three sub-folders '''mpg1''', '''mpg2''' and '''mpg3''' these will be assigned to three users '''Jane''', '''Dawn''' and '''Ruth Smith''' respectively.
# Folder '''secure2''' also contains an '''index.html''' page which states something like “'''you need to login'''” its a default should the login fail.
# My main index page in the root folder '''www''' contains a second login link:<br>'''<nowiki><a href="secure2/index.html">Secure login 2</a></nowiki>'''<br>When clicked takes me to the protected folder (secure2).
<ol start="5">
<li> Open the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www''' and add name/password pairs for our three new users e.g
 
<pre>
John:21
Dave Smith:22
Mike:23
Jane:41
Dawn:42
Ruth Smith:43
</pre>
 
Use real passwords e.g '''X78Mst23Xfrs''' (41,42,43 makes it easier to test).
 
'''''Note'':''' Remember as previously stated you can use spaces in names.
 
<li> Copy '''.htaccess''' from the root folder '''www''' to folder '''secure2''' once copied open the file and delete its contents, add the following:
 
<pre>
AuthName "Private area Please Login"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
 
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
 
RewriteEngine on
 
RewriteCond $1 !^mpg1/
RewriteCond %{REMOTE_user} ^Jane$
RewriteRule  ^(.*) secure2/mpg1/$1 [R,L]
 
RewriteCond $1 !^mpg2/
RewriteCond %{REMOTE_user} ^Dawn$
RewriteRule  ^(.*) secure2/mpg2/$1 [R,L]
 
RewriteCond $1 !^mpg3/
RewriteCond %{REMOTE_user} ^Ruth\ Smith$
RewriteRule  ^(.*) secure2/mpg3/$1 [R,L]
</pre>
</ol>
*Each page to be protected requires three lines:
:* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for a sub folder name, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
:* The second line checks user name (all names must be unique, limitation of using this method, a user will have been validated with password however this is not accessible by the rewrite engine hence redirection on name only.) If this is valid the rewrite rule will be executed.
:* Third line takes the complete uri (.*) and stores it in ($1) this is added to the end of the specified path to complete the new page request. [R,L] R informs a browser this is a redirect (updates the address bar to display new page) L last rule no need to process any others.
*If for whatever reason no match is found it drops out of this and picks up the index page.
 
'''''Note 1'':'''  The space between '''Ruth Smith''' needs to be escaped using a backslash '''“\ “''' (without the quotes)
 
'''''Note 2'':''' You will need to restart your browser to re-login.
 
Again I stress the need for encryption, because when using '''http''', name/password is sent in '''plain text'''.
 
 
== Practical Examples ==
One of the most difficult things to do is take the information given and try to implement it. From bitter experience, sometimes cut and past introduces additional characters which prevent things working. Even worst the instructions are difficult to follow or a crutial pieces of information are missing.
 
I like working examples that can be hacked around hence the above have been integrated into two mini-servers you can download and experiment with these.
 
*'''[[Mini Servers: Apache 2.2.9 Portable - Authentication|Mini Server 3]]:''' Shows how to add basic authentication and mod rewrite to a mini Apache server. This server is very insure regarding authentication because the data is transmitted unencrypted.
 
*'''[[Mini Servers: Apache 2.2.9 Portable - Authentication SSL|Mini Servers 4 - SSL]]:''' Shows how to add SSL encryption to a mini Apache server. This server is based on Server 3 hence automatically includes basic authentication. In terms of security its about as best as it gets. Passwords and data are transmitted over the Internet encrypted. One minor irritation it uses self-signed certificates which produce alarming pop-ups in a browser, for personal use this really is not a problem at lease you known your data is secure. Check out page [[Mini Servers: Browsers dislike self-signed certificates|Browsers dislike self-signed certificates]] for details.
 
 
== Conclusion ==
I have shown how to enhance basic authentication using mod rewrite, it does not use any fancy scripts hence can be applied to a basic Apache server. Security is of prime importance either [[Mini Servers: Server 1d - SSL|enable SSL]] on the server or use [[Stunnel: Install 4.24|Stunnel]] to encrypt data if using a basic server. 
 
----
 
{|
| [[Image:uc_small_logo.gif]] || [[User:Ric|Ric]]
|}
 
[[Category: UniCenter]]
[[Category: Support]]
users to log-in to individual pages or folders. Each user is allocated a unique name and password, users are validated using Apache’s basic authentication once logged in are redirected using mod rewrite to the appropriate page or folder.


This document has been superseded by [[Authentication: Introduction | Basic Authentication]] which covers password protecting folders and individual files. It also covers how to secure these using SSL hence names, passwords and data are sent encrypted over the Internet.     
This document has been superseded by [[Authentication: Introduction | Basic Authentication]] which covers password protecting folders and individual files. It also covers how to secure these using SSL hence names, passwords and data are sent encrypted over the Internet.     
Line 202: Line 401:
[[Category: UniCenter]]
[[Category: UniCenter]]
[[Category: Support]]
[[Category: Support]]
[[Category: Archive]]

Navigation menu