1,478
edits
Old:Basic authentication and redirection: Difference between revisions
Jump to navigation
Jump to search
Old:Basic authentication and redirection (view source)
Revision as of 19:36, 20 July 2008
, 20 July 2008no edit summary
m (→Private page) |
mNo edit summary |
||
| Line 13: | Line 13: | ||
|} | |} | ||
This write-up looks at extending Apache’s basic authentication allowing users to log-in to individual pages or folders. Each user is allocated a unique name and password, users are validated using Apache’s basic authentication once logged in are redirected using mod rewrite to the appropriate page or folder . | This write-up looks at extending Apache’s basic authentication allowing users to log-in to individual pages or folders. Each user is allocated a unique name and password, users are validated using Apache’s basic authentication once logged in are redirected using mod rewrite to the appropriate page or folder . | ||
== Private Server == | |||
Uniform Server already has this authentication mechanism in place. | |||
Name-password pairs are stored in the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www''' it has the default pair '''root:root''' (order name:password) | |||
To enable Uniform Server as a private server open the file '''.htaccess''' contained in folder '''www''' and uncomment the following four lines as shown: | |||
<pre> | |||
AuthName "Uniform Server - Server Access" | |||
AuthType Basic | |||
AuthUserFile /htpasswd/www/.htpasswd | |||
Require valid-user | |||
</pre> | |||
Run the servers, type '''<nowiki>http:/localhost</nowiki>''' into your browser address bar and you will be challenged for a user name and password, to gain access enter '''root''' and '''root'''. | |||
The '''htaccess''' file protects the folder it’s contained in and all sub-folders hence if you try to directly access a page anywhere on the server you will be challenged. '''Validation''' is stored meaning you are required to authenticate only once and will not be challenged again. | |||
'''''Note 1'':''' When testing this can be a problem because you need to reset the stored validation the only way I know of doing this is to restart the browser. This breaks the server link removing any stored information. Another minor irritation is stored pages in the browser cache; clean this to avoid misleading results. | |||
Generally you would like to have an Internet presence hence do not want to protect the entire server only a small area. On the main index page you would provide a login link to this protected area. Its possible to restrict users to a single page or restrict them to a private folder, I cover these two options below. | |||
'''''Note 2'':''' Before continuing restore the above four lines back to their defaults as shown below: | |||
<pre> | |||
#AuthName "Uniform Server - Server Access" | |||
#AuthType Basic | |||
#AuthUserFile /htpasswd/www/.htpasswd | |||
#Require valid-user | |||
</pre> | |||
'''''[[#top | Top]]''''' | |||
== Private page == | == Private page == | ||
| Line 61: | Line 93: | ||
RewriteRule (.*) /secure/Mike.html [R,L] | RewriteRule (.*) /secure/Mike.html [R,L] | ||
</pre> | </pre> | ||
</ol> | |||
*Each page to be protected requires three lines: | *Each page to be protected requires three lines: | ||
:* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for an individual file, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite. | :* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for an individual file, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite. | ||
| Line 76: | Line 108: | ||
'''''[[#top | Top]]''''' | '''''[[#top | Top]]''''' | ||
== Private folder == | |||
The above restricts a user to a single page all links within that page will map back to itself. Its very restrictive in that each page can contain only pure text (html) no images or access to other pages other than the non-restricted area. | |||
The following removes these restrictions by allocating a folder to a user it can include sub-folders images and download files. | |||
== Private folder | You must use a secured server so name/password pair and personal data on pages are encrypted. That said you can test on a standard Uniform Server installation. | ||
Again this solution uses only a '''.htacces''' file with mode-rewrite performing the redirection this example demonstrates the concept. | |||
# I have created a folder named '''secure2''' in the root folder '''www'''. | |||
# Folder ''secure2'' contains three sub-folders '''mpg1''', '''mpg2''' and '''mpg3''' these will be assigned to three users '''Jane''', '''Dawn''' and '''Ruth Smith''' respectively. | |||
# Folder '''secure2''' also contains an '''index.html''' page which states something like “'''you need to login'''” its a default should the login fail. | |||
# My main index page in the root folder '''www''' contains a second login link:<br>'''<nowiki><a href="secure2/index.html">Secure login 2</a></nowiki>'''<br>When clicked takes me to the protected folder (secure2). | |||
<ol start="5"> | |||
<li> Open the file '''.htpasswd''' located in folder '''<nowiki>*</nowiki>\Uniform Server\udrive\htpasswd\www''' and add name/password pairs for our three new users e.g | |||
<pre> | |||
John:21 | |||
Dave Smith:22 | |||
Mike:23 | |||
Jane:41 | |||
Dawn:42 | |||
Ruth Smith:43 | |||
</pre> | |||
Use real passwords e.g '''X78Mst23Xfrs''' (41,42,43 makes it easier to test). | |||
'''''Note'':''' Remember as previously stated you can use spaces in names. | |||
<li> Copy '''.htaccess''' from the root folder '''www''' to folder '''secure2''' once copied open the file and delete its contents, add the following: | |||
<pre> | |||
AuthName "Private area Please Login" | |||
AuthType Basic | |||
AuthUserFile /htpasswd/www/.htpasswd | |||
Require valid-user | |||
Options +FollowSymLinks | |||
RewriteEngine On | |||
RewriteBase / | |||
RewriteEngine on | |||
RewriteCond $1 !^mpg1/ | |||
RewriteCond %{REMOTE_user} ^Jane$ | |||
RewriteRule ^(.*) secure2/mpg1/$1 [R,L] | |||
RewriteCond $1 !^mpg2/ | |||
RewriteCond %{REMOTE_user} ^Dawn$ | |||
RewriteRule ^(.*) secure2/mpg2/$1 [R,L] | |||
RewriteCond $1 !^mpg3/ | |||
RewriteCond %{REMOTE_user} ^Ruth\ Smith$ | |||
RewriteRule ^(.*) secure2/mpg3/$1 [R,L] | |||
</pre> | |||
</ol> | |||
*Each page to be protected requires three lines: | |||
:* After a mod rewrite the URL is passed to the rewrite engine and reprocessed. To prevent an infinite loop the first line tests for a sub folder name, if present it means the URL was processed and the rewrite engine should now perform the actual rewrite. | |||
:* The second line checks user name (all names must be unique, limitation of using this method, a user will have been validated with password however this is not accessible by the rewrite engine hence redirection on name only.) If this is valid the rewrite rule will be executed. | |||
:* Third line takes the complete uri (.*) and stores it in ($1) this is added to the end of the specified path to complete the new page request. [R,L] R informs a browser this is a redirect (updates the address bar to display new page) L last rule no need to process any others. | |||
*If for whatever reason no match is found it drops out of this and picks up the index page. | |||
'''''Note 1'':''' The space between '''Ruth Smith''' needs to be escaped using a backslash '''“\ “''' (without the quotes) | |||
'''''Note 2'':''' You will need to restart your browser to re-login. | |||
Again I stress the need for encryption because when using '''http''', name/password is sent in '''plain text'''. | |||
''''' | '''''[[#top | Top]]''''' | ||
== Practical Examples == | |||
One of the most difficult things to do is take the information given and try to implement it. From bitter experience, sometimes cut and past introduces additional characters which prevent things working. Even worst the instructions are difficult to follow or a crutial pieces of information are missing. | |||
I like working examples that can be hacked around hence the above have been integrated into two mini-servers you can download and experiment with these. | |||
*'''[[Mini Servers: Server 1c|Server 1c]]:''' Shows how to add basic authentication and mod rewrite to a mini Apache server. This server is very insure regarding authentication because the data is transmitted unencrypted. | |||
*'''[[Mini Servers: Server 1d - SSL|Mini Servers: Server 1d - SSL]]:''' Shows how to add SSL encryption to a mini Apache server. This server is based on Server 1c hence automatically includes basic authentication. In terms of security its about as best as it gets. Passwords and data are transmitted over the Internet encrypted. One minor irritation it uses self-signed certificates which produce alarming pop-ups in a browser, for personal use this really is not a problem at lease you known your data is secure. | |||
'''''[[#top | Top]]''''' | '''''[[#top | Top]]''''' | ||
== Conclusion == | |||
I have shown how to enhance basic authentication using mod rewrite, it does not use any fancy scripts hence can be applied to a basic Apache server. Security is of prime importance either [[Mini Servers: Server 1d - SSL|enable SSL]] on the server or use [[Stunnel: Install 4.24|Stunnel]] to encrypt data if using a basic server. | |||
'''''[[#top | Top]]''''' | |||
---- | ---- | ||
{| | {| | ||
| [[Image:uc_small_logo.gif]] || [[User:Ric|Ric]] | | [[Image:uc_small_logo.gif]] ||[[User:Ric|Ric]] | ||
|} | |} | ||