Authentication: Secure Directories

From The Uniform Server Wiki
Revision as of 15:58, 23 April 2009 by Ric (talk | contribs) (→‎Summary)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Basic Authentication

Authentication Secure Directories (Folders)

The previous page covered authenticating directories using Apache's Basic authentication. Easy to use and setup however there is a real security issue, all data sent over the Internet including passwords is in plain text. One solution is to run the entire site on a secure server and encrypt everything.

We are protecting only a few folders if the remainder of the site is large a significant performance hit would result. Users tend to get confused as to why a site should be encrypted in addition when typing a web address rarely use https! This can be resolved using mod_rewrite however it is error prone.

This page looks at a solution that overcomes the above issues I take no credit for the solution, I found it on Apache's web site. It removes the need for mode_rewrite.

Top

Mapping folders to SSL

One advantage of this method our folders can remain in the insecure root folder www no need to move anything.

In reality they are mapped over to the secure server section. You need to make sure both paths match in secure and insecure sections of the server for example.

  •  http://localhost/dave_smith
  • https://localhost/dave_smith

All that really means is use root "/" and create an identical path to the folder. We only have one level hence is easy to implement.

We use the alias directive to map our folder dave_smith into the secure servers root and add a folder directive

#== Example mapping
Alias /dave_smith "/www/dave_smith"
<Directory "/www/dave_smith/">
</Directory>

Repeat the above for each of our folders

Top

Edit ssl.conf

Edit file: UniServer\udrive\usr\local\apache2\conf\ssl.conf

Add the above four sections just below Server Root folder section as shown below:

#== Server Root folder:
<Directory "/ssl"> 
  AllowOverride All
  Order allow,deny 
  Allow from all
  SSLRequireSSL
</Directory> 

#== Example mapping 1
Alias /dave_smith "/www/dave_smith"
<Directory "/www/dave_smith/">
</Directory>

#== Example mapping 2
Alias /dawn "/www/dawn"
<Directory "/www/dawn/">
</Directory>

#== Example mapping 3 
Alias /john "/www/john"
<Directory "/www/john/">
</Directory>

#== Example mapping 4
Alias /ruth_smith "/www/ruth_smith"
<Directory "/www/ruth_smith/">
</Directory>

Top

Test 1

Confirm server is working correctly run the following tests:

Note: Assumes you have already generated a server certificate.

  • Restart servers - Allows new configuration to be picked up.
  • Restart browser.
  • Type each of these addresses into a browser:
    • https://localhost/john/
    • https://localhost/dave_smith/
    • https://localhost/dawn/
    • https://localhost/ruth_smith/

You will be challenged to make a certificate exception do so but DO NOT permanently save it (we are only testing and want to be challenged for it in other tests). Its only requested once during these tests. Important point to note, you are challenged to make a certificate exception before a log-in request is issued. This means your name and password will be encrypted before being sent over the Internet.

At each address you will be challenged for a name and password.

Now run this test:

  • Restart servers - Allows new configuration to be picked up.
  • Restart browser.
  • Type each of these addresses into browser:
    • http://localhost/john/
    • http://localhost/dave_smith/
    • http://localhost/dawn/
    • http://localhost/ruth_smith/
  • You will be challenged for a name and password.

Top

Security problem

Only reason for running the above tests was to highlight a serious security issue. Folders are accessible using http hence data is NOT ENCRYPTED.

Top

Solution

The following really is a neat and robust solution, it consists of four lines you add to each .htaccess file.

SSLOptions +StrictRequire There can be no deviation must meet all require directives that follow otherwise a 403 error is produced
SSLRequireSSL Must be using SSL communication. Not a chance on an insecure server hence produces an error
SSLRequire %{HTTP_HOST} eq "domain" Domain name must match (e.g. my_domain.com). A bit of belt and braces
ErrorDocument 403 {URL to secure folder} For http:// the above condition are not met, hence this line redirects to https://
The above conditions are rechecked on the secure server.
They now pass and a log-in is requested over a secure htpps:// connection.

What may not be apparent the above prevents dual logins. In addition an htaccess file protects the folder it is located in and all sub-folders, if a user attempts to access any file within this structure they will be challenged for a name and password if not already logged in.

After logging in from any location within this structure a user is forced to the top-level folder and a index page is displayed. A powerful feature the index can be a static page index.htm or index.html however if it’s a dynamic page such as index.php you can perform further verification.

Top

Update .htacces files

Add the above four lines to each .htaccess file as shown:

John

  • Edit file as shown UniServer\udrive\www\john\.htaccess
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "localhost"
ErrorDocument 403 https://localhost/john/

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user John

Top

Dave Smith

  • Edit file as shown UniServer\udrive\www\dave_smith\.htaccess
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "localhost"
ErrorDocument 403 https://localhost/dave_smith/

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user "Dave Smith"

Top

Dawn

  • Edit file as shown UniServer\udrive\www\dawn\.htaccess
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "localhost"
ErrorDocument 403 https://localhost/dawn/

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user Dawn

Top

Ruth Smith

  • Edit file as shown UniServer\udrive\www\ruth_smith.htaccess
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "localhost"
ErrorDocument 403 https://localhost/ruth_smith/

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user "Ruth Smith" "Dave Smith"

Top

Note: Moved Servers

If you moved the servers see Multi-Servers remember to add the correct port numbers.

  • This line: SSLRequire %{HTTP_HOST} eq "localhost" is checking the incoming request if a mismatch occurs an infinite redirection loop is set up.
  • Suppose the server was moved to ports Apache 81 Apache SSL 444 the .htaccess file for Dave Smith looks like this:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "localhost:444"
ErrorDocument 403 https://localhost:444/ruth_smith/

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require user "Ruth Smith" "Dave Smith"
  • To access the folder type the following http://localhoat:81 into a browser

Note: The above applies to all the .htaccess files.

Top

Test 2

Repeat the above test:

  • Restart servers - Allows new configuration to be picked up.
  • Restart browser.
  • Type each of these addresses into browser:
    • https://localhost/john/
    • https://localhost/dave_smith/
    • https://localhost/dawn/
    • https://localhost/ruth_smith/
  • You will be challenged to make a certificate exception do so but do not permanently save it (remember you will only be challange once). You will be challenged for a name and password for each folder.

Now run this test:

  • Restart browser.
  • Type each of these addresses into browser:
    • http://localhost/john/
    • http://localhost/dave_smith/
    • http://localhost/dawn/
    • http://localhost/ruth_smith/
  • The links are redirected to the secure server. You will be challenged to make a certificate exception do so but do not permanently save it. You will be challenged for a name and password for each folder.

Communication is performed over a secure link for both https:// and http://. Using http:// it is redirected to the secure server hence secure communication.

Summary

The above wraps it up for password protecting folders using Apache’s Basic Authentication. If running an Intranet you probably don’t need to use encryption however some folders may contain sensitive data and do require secure protection the above technique is suitable for this scenario.

On the next page I cover groups this may be of use if you wish to have a hierarchical approach to users who can access certain areas.

Top


Ric