Mini Servers: Apache 2.2.9 Portable - Authentication

From The Uniform Server Wiki
Revision as of 14:24, 17 August 2008 by Ric (talk | contribs) (New page: {{Uc nav mini servers}} Apache 2.2.9 Portable - Authentication|right'''Mini Server 3 using Apache 2.2.9 Core''' This mini server uses mini-server 1 as a starting ...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Mini Servers:  Introduction | Support | Server 1 - Portable | Server 2 - Service | Server 3 - Portable Authentication | Server 4 - Portable Authen. SSL | Server 5 - SSL Standalone | Browsers dislike self-signed certificates | Server 6 - PHP 5.2.6 Portable | Server 7 - PHP 5.2.6 Service | Server 8 - MySQL Support | Guest Book | Server 9 - Perl 5.2.6 Portable | Server 10 - Perl 5.2.6 Service | Server 11 - MySQL 5.0.67 Portable | Server 12 - MySQL 5.0.67 Service | Server 13 - MySQL 4.1.22 Portable | Server 14 - MySQL 4.1.22 Service | phpMyAdmin - Mini support | MySQL - General problems

Mini Servers:
Compact but fully functional.
Apache 2.2.9 Portable - Authentication
Apache 2.2.9 Portable - Authentication

Mini Server 3 using Apache 2.2.9 Core

This mini server uses mini-server 1 as a starting point it shows how to increase this basic servers functionality. Being a demo server I have moved it to port 8083. Each additional piece of functionality is independent however where there are module dependencies I have highlighted these.

The following shows how to enable .htaccess, basic authentication and mod rewrite. Mod rewrite is used to enhance basic authentication.

Top

Moving the Server

If you need to run the server on a different port or virtual drive this is straight forward:

Change virtual drive

The server automatically detects the first free drive letter and uses that to run the server on. You can override this in one of two ways:

  1. Start the server using a drive parameter for example: server_start.bat z this forces the server to use drive z
  2. Edit server_start.bat, locate the following line:
      rem set Disk=w
    Remove the rem and replace w with the letter you want to use for example:
      set Disk=x  Forces the server to use drive letter x

Change server default port

  • Edit httpd.conf located in folder *\udrive\usr\local\apache2\conf locate these lines:
  • Listen 8083
  • ServerName localhost:8083
Change them as follows:
  • Listen 8080
  • ServerName localhost:8080

To access the server type http://localhost:8080/ into your browser address bar.

If port already in use try any value above 2000

Top

How to enable htaccess

Apache uses additional configuration files these either override or add directives to the main configuration. Any changes made in these files unlike httpd.conf do not require a server re-start.

Add the directive AllowOverride All to the root folder. This directive means all Apache directives can be overridden or added.

<Directory "/www"> 
  AllowOverride All
  Order allow,deny 
  Allow from all 
</Directory> 

Note: I have not added this directive to the main directory because putting it in the web root gives a slight speed advantage.

File name:

Apache needs to know the file name of the designated additional configuration file. The name can be anything thing you like however by tradition its named .htacces its a good idea to stick with this. The directive to add the file name is AccessFileName .htaccess.

This file along with a similarly named password file shall not be viewable to restrict Internet user access add the following file restrictions.

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

Note: The password file will not be accessible since it is located outside of the root folder www. In this situation the above code is belt and braces however third party scripts may be using password files within the root folder hence keep the code as is.

That's all there is to enabling htaccess files, before you can use them the server must be restarted to pick up the new main configuration file. At this stage if you place either authentication or mode rewrite directives in the htaccess file andrun the server it will cause Apache to spit out misconfiguration errors. To use these directives the appropriate modules must be included in the main configuration file httpd.conf these are covered in the following sections.

Top

How to add authentication

Basic authentication is dependent on three modules add the following directives to the modules section in httpd.conf.

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

The directives on their own are of little use unless you copy the three modules to folder *\udrive\usr\local\apache2\modules hence the reason for downloading a full copy of Apache allows you to pick the modules you require.

Note: After adding modules always restart the server otherwise Apache will not be able to pick up the new configuration..

Top

Add password folder

Basic authentication uses name and password pairs these are stored in a text file named .htpasswd however you can use any name you like again convention dictates .htpasswd hence best to use that.

For security this file must be located outside of the server web root (folder www). Uniform server uses the following folder:

  • *\udrive\htpasswd\www

You can change this to suite your own requirements I will stick with this only because it keeps commoality between the mini servers and Uniform Server 3.5-Apollo.

Edit the file .htpasswd and add the following name:password pair:

root:root

Note: Name may include spaces the password shall be something long and random e.g:

  • John Smith:x5Wl8df6a29
  • Mike:Qn67sG8k2

Top

htaccess file

Before we can test copy an .htaccess file to folder www the one from Uniform Server will do.

Edit the file to look like this:

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Note: AuthName the text between quotes will be displayed in the browser popup box

Top

Testing

Testing is straight forward restart the server and type http:/localhost:8083/ into your browsers address bar.

You will be challenged for a name and password enter root and root to display the index page.

Before moving onto mod rewrite edit the .htacces file to look like

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user

with the lines commented out authentication is disabled.

Alternatively delete the file its not required since we are going to protect specific folders.

Top

How to add mod rewrite

Mod rewrite has no dependencies add the following line to the modules section in httpd.conf.

LoadModule rewrite_module modules/mod_rewrite.so

The directive instructs Apache to load mod rewrite when the server is restarted. Remember to copy the module mod_rewrite.so from the full download into folder *\udrive\usr\local\apache2\modules. Mod rewrite is extremely powerful and weights in at only 57K.

Top

Mini server httpd.conf

Our complete configuration file is shown below some modules are inter dependent because of this their order is important.

Tip: When adding modules check the downloaded full package httpd.conf configuration file it lists the correct order for all modules.

# ================================================= 
# Modules 
# =================================================
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so

LoadModule rewrite_module modules/mod_rewrite.so

# ================================================= 
# Basic settings 
# ================================================= 
  Listen 8083 
  ServerName localhost:8083
  ServerAdmin fred@www.somedomain.com 
  UseCanonicalName Off 
  ServerSignature Off 
  HostnameLookups Off 
  ServerTokens Prod 
  ServerRoot "/usr/local/apache2"
  DocumentRoot "/www" 
  PidFile /usr/local/apache2/logs/httpd.pid 
<IfModule mod_dir.c> 
   DirectoryIndex index.html index.htm
</IfModule> 

# ================================================= 
# HTTP and performance settings 
# ================================================= 
  Timeout 300 
  KeepAlive On 
  MaxKeepAliveRequests 100 
  KeepAliveTimeout 15 
<IfModule mpm_winnt.c>
   ThreadsPerChild 64
   MaxRequestsPerChild  0
</IfModule>

# ================================================= 
# Access control 
# ================================================= 
<Directory />
  Options None 
  AllowOverride None 
  Order deny,allow 
  Deny from all 
</Directory> 

<Directory "/www"> 
  AllowOverride All
  Order allow,deny 
  Allow from all 
</Directory> 

AccessFileName .htaccess
# The following lines prevent .htaccess and .htpasswd
# files from being viewed by Web clients.

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
# ================================================= 
# MIME encoding 
# ================================================= 
DefaultType text/plain 
  TypesConfig /usr/local/apache2/conf/mime.types 

# ================================================= 
# Logs: debug, info, notice, warn, error, crit
# ================================================= 
  LogLevel warn 
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 
  LogFormat "%h %l %u %t \"%r\" %>s %b" common 
  LogFormat "%{Referer}i -> %U" referer 
  LogFormat "%{User-agent}i" agent 
  ErrorLog "logs/error_log" 
  CustomLog "logs/access.log" combined
# ================================================= 

Top

Support files

Each mini server is complete and zipped into a single self-extracting archive file.

Download

Download this server from SourceForge Project Page save the file mini_server_3.exe to any folder of your choice.

Note: Check out the mini server's support and download page detailing how to obtain full binaries for Apache, PHP and Perl.

Top

Extract files

Double click on mini_server_3.exe, starts the extraction process. No need to change the folder destination, click extract, this creates a new folder mini_server_3 containing two files and one folder.

  1. server_start.bat - Double click to start the server
  2. server_stop.bat - Double click to stop server
  3. udrive - Folder containing server and your web site.

Top

Test

Testing is straight forward.

  1. Start the server by double clicking on server_start.bat (automatically detects free drive letter creates new virtual drive and runs the server.)
  2. Start a web browser.
  3. Type http://localhost:8083/ into the browser address bar.
  4. An index page is displayed, check out the secure areas by clicking links secure1 or secure2.
  5. Stop the server by double clicking on server_stop.bat

Note 1: If you need to change the server port from 8083 edit httpd.conf accordingly..

Top

Authentication

I have added two examples to demonstrate the use of htaccess files to protect folders using basic authentication which in turn are enhanced by mod rewrite. A full write-up of this concept can be found on this page Basic authentication and redirection

Top

Secure1

From the main index page click on the secure1 link. This takes you to a protected folder where you will be challenged for a name and password. Enter one of the name/password pairs shown, you will be able to view a single personal page. Each page contain cross links to other personal pages see what happens when you click one of these links.

Note: To re-log in you must restart your browser.

Folder secure1 is protected by the the following .htaccess file:

AuthName "To give you a clue the following are the name:password pairs: John:21,
 Dave Smith:22 and Mike:23 these will take you to the private pages."
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Options +FollowSymLinks
#Options +Indexes
RewriteEngine On
RewriteBase /

RewriteCond $1 !^John\.html
RewriteCond %{REMOTE_user} ^John$
RewriteRule (.*) /secure/John.html [R,L]

RewriteCond $1 !^Dave\.html
RewriteCond %{REMOTE_user} ^Dave\ Smith$
RewriteRule (.*) /secure/Dave.html [R,L]

RewriteCond $1 !^Mike\.html
RewriteCond %{REMOTE_user} ^Mike$
RewriteRule (.*) /secure/Mike.html [R,L]

Note: Make sure to change the line AuthName to something like "Please login to your secure page" I included name/password pairs to make it easier to test.

Top

Secure2

From the main index page click on the secure2 link. This takes you to a protected folder where you will be challenged for a name and password. Enter one of the name/password pairs shown, you will be able to view the contents of a personal folder. Each personal index page contain cross links to other personal folders see what happens when you click one of these links.

Note: To re-log in you must restart your browser.

Folder secure2 is protected by the the following htaccess file:

AuthName "To give you a clue the following are the name:password pairs: Jane:41,
 Dawn:42 and Ruth Smith:43 these will take you to the private folders."
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

RewriteEngine on
RewriteCond $1 !^mpg1/
RewriteCond %{REMOTE_user} ^Jane$
RewriteRule  ^(.*) secure2/mpg1/$1 [R,L]

RewriteCond $1 !^mpg2/
RewriteCond %{REMOTE_user} ^Dawn$
RewriteRule  ^(.*) secure2/mpg2/$1 [R,L]

RewriteCond $1 !^mpg3/
RewriteCond %{REMOTE_user} ^Ruth\ Smith$
RewriteRule  ^(.*) secure2/mpg3/$1 [R,L]

Note: Make sure to change the line AuthName to something like "Please login to your secure folder" I included name/password pairs to make it easier to test.

Top

Multi Servers

If you wish to run several mini servers at the same time create a new folder for each server and copy folder mini_server_3 into each of these.

Change the server port for each server to be unique. The servers may be started in any order.

Note: You can run the mini servers alongside Uniform Server 3.5-Apollo however you must start Uniform Server first.

Top

Summary

These mini-servers are indented to show you how to build in functionality as and when required, primarily to remove bloat and increase security. You now have a basic server with the capability of of mod rewrite and basic authentication to protect individual folders.

The real problem with this protection it is not secure, name/password pairs including pages are sent unencrypted. This plain text can easily be intercepted exposing your passwords. The next server (Mini Server 4) in this series addresses this major issue by adding SSL.

Top


Ric