Old:Basic authentication and redirection: Difference between revisions

From The Uniform Server Wiki
mNo edit summary
No edit summary
Line 1: Line 1:
<span id="top"></span>
=[http://ecoquvejoz.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=
<div style="padding:0;margin:0; border-bottom:3px inset #000000">
&lt;span id=&quot;top&quot;&gt;&lt;/span&gt;
&lt;div style=&quot;padding:0;margin:0; border-bottom:3px inset #000000&quot;&gt;
{|  
{|  
| [[Image:uc_small_logo.gif | MPG UniCenter]] ||
| [[Image:uc_small_logo.gif | MPG UniCenter]] ||
Extending Apache’s basic authentication using mod rewrite.  
Extending Apache’s basic authentication using mod rewrite.  
|}
|}
</div>
&lt;/div&gt;
{| cellpadding="2"
{| cellpadding=&quot;2&quot;
|
|
__TOC__
__TOC__
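Review bot: the first added line, =[http://ecoquvejoz.co.cc UNDER COSTRUCTION, PLEASE SEE THIS POST IN RESERVE COPY]=, turns the top of the article into a heading that links off-site, and the lines after it replace <span id="top"> and the <div style=...> wrapper with &lt;...&gt; entities, so the anchor that the [[#top | Top]] links point at and the banner wrapper are emitted as literal text instead of markup. Neither revision carries an edit summary; suggest reverting to the previous revision rather than patching these lines one by one.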
Line 19: Line 20:
Uniform Server already has this authentication mechanism in place.
Uniform Server already has this authentication mechanism in place.


Name-password pairs are stored in the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www''' it has the default pair '''root:root''' (order name:password)
Name-password pairs are stored in the file '''.htpasswd''' located in folder '''&lt;nowiki&gt;*&lt;/nowiki&gt;\Uniform Server\udrive\htpasswd\www''' it has the default pair '''root:root''' (order name:password)


To enable Uniform Server as a private server open the file '''.htaccess''' contained in folder '''www''' and uncomment the following four lines as shown:
To enable Uniform Server as a private server open the file '''.htaccess''' contained in folder '''www''' and uncomment the following four lines as shown:


<pre>
&lt;pre&gt;
AuthName "Uniform Server - Server Access"
AuthName &quot;Uniform Server - Server Access&quot;
AuthType Basic
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
Require valid-user
</pre>
&lt;/pre&gt;


Run the servers, type '''<nowiki>http:/localhost</nowiki>''' into your browser address bar and you will be challenged for a user name and password, to gain access enter '''root''' and '''root'''.
Run the servers, type '''&lt;nowiki&gt;http:/localhost&lt;/nowiki&gt;''' into your browser address bar and you will be challenged for a user name and password, to gain access enter '''root''' and '''root'''.


The '''htaccess''' file protects the folder it’s contained in and all sub-folders hence if you try to directly access a page anywhere on the server you will be challenged. '''Validation''' is stored meaning you are required to authenticate only once and will not be challenged again.
The '''htaccess''' file protects the folder it’s contained in and all sub-folders hence if you try to directly access a page anywhere on the server you will be challenged. '''Validation''' is stored meaning you are required to authenticate only once and will not be challenged again.
Line 39: Line 40:


'''''Note 2'':''' Before continuing restore the above four lines back to their defaults as shown below:
'''''Note 2'':''' Before continuing restore the above four lines back to their defaults as shown below:
<pre>
&lt;pre&gt;
#AuthName "Uniform Server - Server Access"
#AuthName &quot;Uniform Server - Server Access&quot;
#AuthType Basic
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
#Require valid-user
</pre>
&lt;/pre&gt;


'''''[[#top | Top]]'''''
'''''[[#top | Top]]'''''
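Review bot: in this hunk the <pre> and </pre> around the four commented directives become &lt;pre&gt; and &lt;/pre&gt;, which removes the preformatted block, so the leading # on #AuthName through #Require valid-user is parsed as numbered-list markup and the rendered revision shows them as items 1 to 4 rather than as commented-out .htaccess lines. A reader copying the rendered text loses the comment markers; keep the raw <pre> tags here.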
Line 58: Line 59:
## Folder secure contains '''John.html''', '''Dave.html''' and '''Mike.html''' these are the personal data pages.
## Folder secure contains '''John.html''', '''Dave.html''' and '''Mike.html''' these are the personal data pages.
## This folder also contains an '''index.html''' page which states something like “'''you need to login'''” its a default should the login fail.
## This folder also contains an '''index.html''' page which states something like “'''you need to login'''” its a default should the login fail.
<ol start="2">
&lt;ol start=&quot;2&quot;&gt;
<li> My main index page in the root folder '''www''' contains the following link:<br>'''<nowiki><a href="secure/index.html">Secure login</a></nowiki>'''<br>When clicked takes me to the protected folder.
&lt;li&gt; My main index page in the root folder '''www''' contains the following link:&lt;br&gt;'''&lt;nowiki&gt;&lt;a href=&quot;secure/index.html&quot;&gt;Secure login&lt;/a&gt;&lt;/nowiki&gt;'''&lt;br&gt;When clicked takes me to the protected folder.


<li> Open the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www''' delete its content and add name/password pairs e.g
&lt;li&gt; Open the file '''.htpasswd''' located in folder '''&lt;nowiki&gt;*&lt;/nowiki&gt;\Uniform Server\udrive\htpasswd\www''' delete its content and add name/password pairs e.g
<pre>
&lt;pre&gt;
John:21
John:21
Dave Smith:22
Dave Smith:22
Mike:23
Mike:23
</pre>
&lt;/pre&gt;


Use real passwords e.g '''Mst23Xfrs''' (21,22,23 makes it easier to test).
Use real passwords e.g '''Mst23Xfrs''' (21,22,23 makes it easier to test).
Line 72: Line 73:
'''''Note'':''' You can use spaces in the name.
'''''Note'':''' You can use spaces in the name.


<li> Copy '''.htaccess'''  from the root folder '''www''' to folder '''secure''' (this saves the pain of creating one) once copied open the file delete its contents and add the following:
&lt;li&gt; Copy '''.htaccess'''  from the root folder '''www''' to folder '''secure''' (this saves the pain of creating one) once copied open the file delete its contents and add the following:


<pre>
&lt;pre&gt;
AuthUserFile /htpasswd/www/.htpasswd
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
Require valid-user
Line 94: Line 95:
RewriteCond %{REMOTE_user} ^Mike$
RewriteCond %{REMOTE_user} ^Mike$
RewriteRule (.*) /secure/Mike.html [R,L]
RewriteRule (.*) /secure/Mike.html [R,L]
</pre>
&lt;/pre&gt;
</ol>
&lt;/ol&gt;
*Each page to be protected requires three lines:
*Each page to be protected requires three lines:
:* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for an individual file, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
:* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for an individual file, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
Line 122: Line 123:
# Folder ''secure2'' contains three sub-folders '''mpg1''', '''mpg2''' and '''mpg3''' these will be assigned to three users '''Jane''', '''Dawn''' and '''Ruth Smith''' respectively.
# Folder ''secure2'' contains three sub-folders '''mpg1''', '''mpg2''' and '''mpg3''' these will be assigned to three users '''Jane''', '''Dawn''' and '''Ruth Smith''' respectively.
# Folder '''secure2''' also contains an '''index.html''' page which states something like “'''you need to login'''” its a default should the login fail.
# Folder '''secure2''' also contains an '''index.html''' page which states something like “'''you need to login'''” its a default should the login fail.
# My main index page in the root folder '''www''' contains a second login link:<br>'''<nowiki><a href="secure2/index.html">Secure login 2</a></nowiki>'''<br>When clicked takes me to the protected folder (secure2).
# My main index page in the root folder '''www''' contains a second login link:&lt;br&gt;'''&lt;nowiki&gt;&lt;a href=&quot;secure2/index.html&quot;&gt;Secure login 2&lt;/a&gt;&lt;/nowiki&gt;'''&lt;br&gt;When clicked takes me to the protected folder (secure2).
<ol start="5">
&lt;ol start=&quot;5&quot;&gt;
<li> Open the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www''' and add name/password pairs for our three new users e.g
&lt;li&gt; Open the file '''.htpasswd''' located in folder '''&lt;nowiki&gt;*&lt;/nowiki&gt;\Uniform Server\udrive\htpasswd\www''' and add name/password pairs for our three new users e.g


<pre>
&lt;pre&gt;
John:21
John:21
Dave Smith:22
Dave Smith:22
Line 133: Line 134:
Dawn:42
Dawn:42
Ruth Smith:43
Ruth Smith:43
</pre>
&lt;/pre&gt;


Use real passwords e.g '''X78Mst23Xfrs''' (41,42,43 makes it easier to test).
Use real passwords e.g '''X78Mst23Xfrs''' (41,42,43 makes it easier to test).
Line 139: Line 140:
'''''Note'':''' Remember as previously stated you can use spaces in names.
'''''Note'':''' Remember as previously stated you can use spaces in names.


<li> Copy '''.htaccess''' from the root folder '''www''' to folder '''secure2''' once copied open the file and delete its contents, add the following:
&lt;li&gt; Copy '''.htaccess''' from the root folder '''www''' to folder '''secure2''' once copied open the file and delete its contents, add the following:


<pre>
&lt;pre&gt;
AuthName "Private area Please Login"
AuthName &quot;Private area Please Login&quot;
AuthType Basic
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
AuthUserFile /htpasswd/www/.htpasswd
Line 164: Line 165:
RewriteCond %{REMOTE_user} ^Ruth\ Smith$
RewriteCond %{REMOTE_user} ^Ruth\ Smith$
RewriteRule  ^(.*) secure2/mpg3/$1 [R,L]
RewriteRule  ^(.*) secure2/mpg3/$1 [R,L]
</pre>
&lt;/pre&gt;
</ol>
&lt;/ol&gt;
*Each page to be protected requires three lines:
*Each page to be protected requires three lines:
:* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for a sub folder name, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.
:* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for a sub folder name, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite.

Revision as of 01:04, 24 November 2010

MPG UniCenter

Extending Apache’s basic authentication using mod rewrite.

Power of htaccess and mod rewrite - 3.5-Apollo

This write-up looks at extending Apache’s basic authentication to allow users to log in to individual pages or folders. Each user is allocated a unique name and password. Users are validated using Apache’s basic authentication and, once logged in, are redirected using mod rewrite to the appropriate page or folder.

This document has been superseded by Basic Authentication which covers password protecting folders and individual files. It also covers how to secure these using SSL hence names, passwords and data are sent encrypted over the Internet.

Private Server

Uniform Server already has this authentication mechanism in place.

Name-password pairs are stored in the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www; it has the default pair root:root (order name:password).

To enable Uniform Server as a private server open the file .htaccess contained in folder www and uncomment the following four lines as shown:

<pre>
AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
</pre>

Run the servers and type http://localhost into your browser address bar; you will be challenged for a user name and password. To gain access enter root and root.

The htaccess file protects the folder it’s contained in and all sub-folders hence if you try to directly access a page anywhere on the server you will be challenged. Validation is stored meaning you are required to authenticate only once and will not be challenged again.

Note 1: When testing, this can be a problem because you need to reset the stored validation; the only way I know of doing this is to restart the browser. This breaks the server link, removing any stored information. Another minor irritation is stored pages in the browser cache; clean this to avoid misleading results.

Generally you would like to have an Internet presence, hence you do not want to protect the entire server, only a small area. On the main index page you would provide a login link to this protected area. It’s possible to restrict users to a single page or restrict them to a private folder; I cover these two options below.

Note 2: Before continuing restore the above four lines back to their defaults as shown below:

<pre>
#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
</pre>


Private page

Apache’s basic authentication is not very flexible; however, you can bend it a little using mod rewrite and create something useful without the need for any scripting such as PHP or Perl.

You must use a secured server so name/password pair and personal data on a page are encrypted. That said you can test on a standard Uniform Server installation.

This solution uses only a .htaccess file, with mod rewrite performing the redirection. This example demonstrates the concept.

  1. I have created a folder named secure in the root folder www.
    1. Folder secure contains John.html, Dave.html and Mike.html; these are the personal data pages.
    2. This folder also contains an index.html page which states something like “you need to login”; it’s a default should the login fail.
  2. My main index page in the root folder www contains the following link:
     <a href="secure/index.html">Secure login</a>
     When clicked, it takes me to the protected folder.
  3. Open the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www, delete its content and add name/password pairs, e.g.

<pre>
John:21
Dave Smith:22
Mike:23
</pre>

Use real passwords e.g. Mst23Xfrs (21,22,23 makes it easier to test).

Note: You can use spaces in the name.

  4. Copy .htaccess from the root folder www to folder secure (this saves the pain of creating one). Once copied, open the file, delete its contents and add the following:

<pre>
# AuthName and AuthType must accompany Require (same form as the secure2 example)
AuthName "Private area Please Login"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Options +FollowSymLinks
#Options +Indexes

RewriteEngine On
RewriteBase /

# John: any request other than John.html is redirected to John.html
RewriteCond $1 !^John\.html
RewriteCond %{REMOTE_USER} ^John$
RewriteRule (.*) /secure/John.html [R,L]

# Dave Smith: the space in the name is escaped with a backslash
RewriteCond $1 !^Dave\.html
RewriteCond %{REMOTE_USER} ^Dave\ Smith$
RewriteRule (.*) /secure/Dave.html [R,L]

# Mike
RewriteCond $1 !^Mike\.html
RewriteCond %{REMOTE_USER} ^Mike$
RewriteRule (.*) /secure/Mike.html [R,L]
</pre>

  • Each page to be protected requires three lines:
    • After a mod rewrite, the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop, the first line tests for the individual file; if it is present, the URL has already been processed and no further redirect is issued.
    • The second line checks the user name. All names must be unique; this is a limitation of the method: a user will have been validated with a password, but the password is not accessible to the rewrite engine, hence redirection is on name only. If the name matches, the rewrite rule is executed.
    • The third line accepts any URI and maps it to a single page. In [R,L], R informs the browser this is a redirect (it updates the address bar to display the new page) and L marks the last rule, so there is no need to process any others.
    • If for whatever reason no match is found, it drops out of this and picks up the index page.

Note 1: The space between Dave Smith needs to be escaped using a backslash “\ ” (without the quotes).

Note 2: You will need to restart your browser to re-login.

I stress the need for encryption because when using http, name/password is sent in plain text.


Private folder

The above restricts a user to a single page; all links within that page will map back to itself. It’s very restrictive in that each page can contain only pure text (html), with no images or access to other pages other than the non-restricted area.

The following removes these restrictions by allocating a folder to a user; it can include sub-folders, images and download files.

You must use a secured server so name/password pair and personal data on pages are encrypted. That said you can test on a standard Uniform Server installation.

Again this solution uses only a .htaccess file, with mod rewrite performing the redirection. This example demonstrates the concept.

  1. I have created a folder named secure2 in the root folder www.
  2. Folder secure2 contains three sub-folders mpg1, mpg2 and mpg3; these will be assigned to three users Jane, Dawn and Ruth Smith respectively.
  3. Folder secure2 also contains an index.html page which states something like “you need to login”; it’s a default should the login fail.
  4. My main index page in the root folder www contains a second login link:
     <a href="secure2/index.html">Secure login 2</a>
     When clicked, it takes me to the protected folder (secure2).
  5. Open the file .htpasswd located in folder *\Uniform Server\udrive\htpasswd\www and add name/password pairs for our three new users, e.g.

<pre>
John:21
Dave Smith:22
Mike:23
Jane:41
Dawn:42
Ruth Smith:43
</pre>

Use real passwords e.g. X78Mst23Xfrs (41,42,43 makes it easier to test).

Note: Remember as previously stated you can use spaces in names.

  6. Copy .htaccess from the root folder www to folder secure2. Once copied, open the file, delete its contents and add the following:

<pre>
AuthName "Private area Please Login"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

# Jane: any request not already under mpg1/ is redirected into mpg1/
RewriteCond $1 !^mpg1/
RewriteCond %{REMOTE_USER} ^Jane$
RewriteRule ^(.*) secure2/mpg1/$1 [R,L]

# Dawn
RewriteCond $1 !^mpg2/
RewriteCond %{REMOTE_USER} ^Dawn$
RewriteRule ^(.*) secure2/mpg2/$1 [R,L]

# Ruth Smith: the space in the name is escaped with a backslash
RewriteCond $1 !^mpg3/
RewriteCond %{REMOTE_USER} ^Ruth\ Smith$
RewriteRule ^(.*) secure2/mpg3/$1 [R,L]
</pre>

  • Each folder to be protected requires three lines:
    • After a mod rewrite, the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop, the first line tests for the sub-folder name; if it is present, the URL has already been processed and no further redirect is issued.
    • The second line checks the user name. All names must be unique; this is a limitation of the method: a user will have been validated with a password, but the password is not accessible to the rewrite engine, hence redirection is on name only. If the name matches, the rewrite rule is executed.
    • The third line takes the complete URI (.*) and stores it in $1; this is added to the end of the specified path to complete the new page request. In [R,L], R informs the browser this is a redirect (it updates the address bar to display the new page) and L marks the last rule, so there is no need to process any others.
    • If for whatever reason no match is found, it drops out of this and picks up the index page.

Note 1: The space between Ruth Smith needs to be escaped using a backslash “\ ” (without the quotes).

Note 2: You will need to restart your browser to re-login.

Again I stress the need for encryption because when using http, name/password is sent in plain text.
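The following Python model is an added example, not part of the original write-up: it replays the two rule sets above (secure and secure2) for every name in the shared .htpasswd and lists which logged-in users are served a page or folder that is not theirs. It goes one step beyond the text by also checking names that have no rule block in a given folder; the owner maps and the a.html file names are constructed test data, and paths are kept relative to the protected folder.

```python
import re

# Names in the shared .htpasswd after step 5 (passwords play no part in the rewrite).
HTPASSWD_USERS = ["John", "Dave Smith", "Mike", "Jane", "Dawn", "Ruth Smith"]

# One tuple per three-line rule block:
# (pattern $1 must NOT match, REMOTE_USER pattern, substitution relative to the folder)
SECURE_RULES = [
    (r"^John\.html", r"^John$", "John.html"),
    (r"^Dave\.html", r"^Dave\ Smith$", "Dave.html"),
    (r"^Mike\.html", r"^Mike$", "Mike.html"),
]
SECURE2_RULES = [
    (r"^mpg1/", r"^Jane$", "mpg1/$1"),
    (r"^mpg2/", r"^Dawn$", "mpg2/$1"),
    (r"^mpg3/", r"^Ruth\ Smith$", "mpg3/$1"),
]

# Constructed test data: which user each protected resource belongs to.
SECURE_OWNERS = {"John.html": "John", "Dave.html": "Dave Smith", "Mike.html": "Mike"}
SECURE2_OWNERS = {"mpg1/a.html": "Jane", "mpg2/a.html": "Dawn", "mpg3/a.html": "Ruth Smith"}


def rewrite_once(rules, user, path):
    """Return the redirect target for one request, or None if it is served as is."""
    for guard, user_re, target in rules:
        if not re.search(guard, path) and re.search(user_re, user):
            return target.replace("$1", path)  # [R,L]: redirect and stop
    return None


def resolve(rules, user, path, max_hops=5):
    """Follow the redirects as a browser would and return the path finally served."""
    for _ in range(max_hops):
        target = rewrite_once(rules, user, path)
        if target is None:
            return path
        path = target
    raise RuntimeError(f"redirect loop for {user!r} at {path!r}")


def audit(rules, owners):
    """Return (user, resource) pairs where a logged-in user is served someone else's resource."""
    return [
        (user, resource)
        for user in HTPASSWD_USERS
        for resource, owner in owners.items()
        if user != owner and resolve(rules, user, resource) == resource
    ]


if __name__ == "__main__":
    for folder, rules, owners in (("secure", SECURE_RULES, SECURE_OWNERS),
                                  ("secure2", SECURE2_RULES, SECURE2_OWNERS)):
        for user, resource in audit(rules, owners):
            print(f"/{folder}/{resource} is served to {user!r}")
```

Users with a rule block are confined to their own page or folder, but because both folders use Require valid-user against the same .htpasswd, a name with no rule block in a folder falls through the rules and is served whatever it requests there. Listing only the intended names with Require user, or giving each protected folder its own AuthUserFile, closes that gap.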


Practical Examples

One of the most difficult things to do is take the information given and try to implement it. From bitter experience, sometimes cut and paste introduces additional characters which prevent things working. Even worse, the instructions are difficult to follow or crucial pieces of information are missing.

I like working examples that can be hacked around, hence the above have been integrated into two mini-servers; you can download and experiment with these.

  • Mini Server 3: Shows how to add basic authentication and mod rewrite to a mini Apache server. This server is very insecure regarding authentication because the data is transmitted unencrypted.
  • Mini Servers 4 - SSL: Shows how to add SSL encryption to a mini Apache server. This server is based on Server 3, hence automatically includes basic authentication. In terms of security it’s about as good as it gets: passwords and data are transmitted over the Internet encrypted. One minor irritation is that it uses self-signed certificates, which produce alarming pop-ups in a browser; for personal use this really is not a problem, at least you know your data is secure. Check out page Browsers dislike self-signed certificates for details.


Conclusion

I have shown how to enhance basic authentication using mod rewrite; it does not use any fancy scripts, hence can be applied to a basic Apache server. Security is of prime importance: either enable SSL on the server or use Stunnel to encrypt data if using a basic server.



Ric