Views
 |
Extending Apache’s basic authentication using mod rewrite. |
|
Power of htaccess and mod rewrite - 3.5-Apollo |
This write-up looks at extending Apache’s basic authentication allowing users to log-in to individual pages or folders. Each user is allocated a unique name and password, users are validated using Apache’s basic authentication once logged in are redirected using mod rewrite to the appropriate page or folder.
This document has been superseded by Basic Authentication which covers password protecting folders and individual files. It also covers how to secure these using SSL hence names, passwords and data are sent encrypted over the Internet.
Private Server
Uniform Server already has this authentication mechanism in place.
Name-password pairs are stored in the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www it has the default pair root:root (order name:password)
To enable Uniform Server as a private server open the file .htaccess contained in folder www and uncomment the following four lines as shown:
AuthName "Uniform Server - Server Access" AuthType Basic AuthUserFile /htpasswd/www/.htpasswd Require valid-user
Run the servers, type http:/localhost into your browser address bar and you will be challenged for a user name and password, to gain access enter root and root.
The htaccess file protects the folder it’s contained in and all sub-folders hence if you try to directly access a page anywhere on the server you will be challenged. Validation is stored meaning you are required to authenticate only once and will not be challenged again.
Note 1: When testing this can be a problem because you need to reset the stored validation the only way I know of doing this is to restart the browser. This breaks the server link removing any stored information. Another minor irritation is stored pages in the browser cache; clean this to avoid misleading results.
Generally you would like to have an Internet presence hence do not want to protect the entire server only a small area. On the main index page you would provide a login link to this protected area. Its possible to restrict users to a single page or restrict them to a private folder, I cover these two options below.
Note 2: Before continuing restore the above four lines back to their defaults as shown below:
#AuthName "Uniform Server - Server Access" #AuthType Basic #AuthUserFile /htpasswd/www/.htpasswd #Require valid-user
Private page
Apache's basic authentication is not very flexible however you can bend it a little using mod rewrite and create something usful without the need for any scripting such as PHP or Perl.
You must use a secured server so name/password pair and personal data on a page are encrypted. That said you can test on a standard Uniform Server installation.
This solution uses only a .htacces file with mode-rewrite performing the redirection this example demonstrates the concept.
- I have created a folder named secure in the root folder www.
- Folder secure contains John.html, Dave.html and Mike.html these are the personal data pages.
- This folder also contains an index.html page which states something like “you need to login” its a default should the login fail.
- My main index page in the root folder www contains the following link:
<a href="secure/index.html">Secure login</a>
When clicked takes me to the protected folder. - Open the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www delete its content and add name/password pairs e.g
John:21 Dave Smith:22 Mike:23
Use real passwords e.g Mst23Xfrs (21,22,23 makes it easier to test).
Note: You can use spaces in the name.
- Copy .htaccess from the root folder www to folder secure (this saves the pain of creating one) once copied open the file delete its contents and add the following:
AuthUserFile /htpasswd/www/.htpasswd Require valid-user Options +FollowSymLinks #Options +Indexes RewriteEngine On RewriteBase / RewriteCond $1 !^John\.html RewriteCond %{REMOTE_user} ^John$ RewriteRule (.*) /secure/John.html [R,L] RewriteCond $1 !^Dave\.html RewriteCond %{REMOTE_user} ^Dave\ Smith$ RewriteRule (.*) /secure/Dave.html [R,L] RewriteCond $1 !^Mike\.html RewriteCond %{REMOTE_user} ^Mike$ RewriteRule (.*) /secure/Mike.html [R,L]
- Each page to be protected requires three lines:
- After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for an individual file, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
- The second line checks user name (all names must be unique, limitation of using this method, a user will have been validated with password however this is not accessible by the rewrite engine hence redirection on name only.) If this is valid the rewrite rule will be executed.
- Third line accepts any uri and maps it to a single page. [R,L] R informs a browser this is a redirect (updates the address bar to display new page) L last rule no need to process any others.
- If for whatever reason no match is found it drops out of this and picks up the index page.
Note 1: The space between Dave Smith needs to be escaped using a backslash “\ “ (without the quotes)
Note 2: You will need to restart your browser to re-login.
I stress the need for encryption because when using http, name/password is sent in plain text.
Private folder
The above restricts a user to a single page all links within that page will map back to itself. Its very restrictive in that each page can contain only pure text (html) no images or access to other pages other than the non-restricted area.
The following removes these restrictions by allocating a folder to a user it can include sub-folders images and download files.
You must use a secured server so name/password pair and personal data on pages are encrypted. That said you can test on a standard Uniform Server installation.
Again this solution uses only a .htacces file with mode-rewrite performing the redirection this example demonstrates the concept.
- I have created a folder named secure2 in the root folder www.
- Folder secure2 contains three sub-folders mpg1, mpg2 and mpg3 these will be assigned to three users Jane, Dawn and Ruth Smith respectively.
- Folder secure2 also contains an index.html page which states something like “you need to login” its a default should the login fail.
- My main index page in the root folder www contains a second login link:
<a href="secure2/index.html">Secure login 2</a>
When clicked takes me to the protected folder (secure2).
- Open the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www and add name/password pairs for our three new users e.g
John:21 Dave Smith:22 Mike:23 Jane:41 Dawn:42 Ruth Smith:43
Use real passwords e.g X78Mst23Xfrs (41,42,43 makes it easier to test).
Note: Remember as previously stated you can use spaces in names.
- Copy .htaccess from the root folder www to folder secure2 once copied open the file and delete its contents, add the following:
AuthName "Private area Please Login" AuthType Basic AuthUserFile /htpasswd/www/.htpasswd Require valid-user Options +FollowSymLinks RewriteEngine On RewriteBase / RewriteEngine on RewriteCond $1 !^mpg1/ RewriteCond %{REMOTE_user} ^Jane$ RewriteRule ^(.*) secure2/mpg1/$1 [R,L] RewriteCond $1 !^mpg2/ RewriteCond %{REMOTE_user} ^Dawn$ RewriteRule ^(.*) secure2/mpg2/$1 [R,L] RewriteCond $1 !^mpg3/ RewriteCond %{REMOTE_user} ^Ruth\ Smith$ RewriteRule ^(.*) secure2/mpg3/$1 [R,L]
- Each page to be protected requires three lines:
- After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for a sub folder name, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
- The second line checks user name (all names must be unique, limitation of using this method, a user will have been validated with password however this is not accessible by the rewrite engine hence redirection on name only.) If this is valid the rewrite rule will be executed.
- Third line takes the complete uri (.*) and stores it in ($1) this is added to the end of the specified path to complete the new page request. [R,L] R informs a browser this is a redirect (updates the address bar to display new page) L last rule no need to process any others.
- If for whatever reason no match is found it drops out of this and picks up the index page.
Note 1: The space between Ruth Smith needs to be escaped using a backslash “\ “ (without the quotes)
Note 2: You will need to restart your browser to re-login.
Again I stress the need for encryption because when using http, name/password is sent in plain text.
Practical Examples
One of the most difficult things to do is take the information given and try to implement it. From bitter experience, sometimes cut and past introduces additional characters which prevent things working. Even worst the instructions are difficult to follow or a crutial pieces of information are missing.
I like working examples that can be hacked around hence the above have been integrated into two mini-servers you can download and experiment with these.
- Mini Server 3: Shows how to add basic authentication and mod rewrite to a mini Apache server. This server is very insure regarding authentication because the data is transmitted unencrypted.
- Mini Servers 4 - SSL: Shows how to add SSL encryption to a mini Apache server. This server is based on Server 3 hence automatically includes basic authentication. In terms of security its about as best as it gets. Passwords and data are transmitted over the Internet encrypted. One minor irritation it uses self-signed certificates which produce alarming pop-ups in a browser, for personal use this really is not a problem at lease you known your data is secure. Check out page Browsers dislike self-signed certificates for details.
Conclusion
I have shown how to enhance basic authentication using mod rewrite, it does not use any fancy scripts hence can be applied to a basic Apache server. Security is of prime importance either enable SSL on the server or use Stunnel to encrypt data if using a basic server.
| | Ric |
