Apache 2.4 – mod_auth_form

Still a ‘wordpress draft’, but published already.
It should bring you to a working solution.

I prefer webserver authentication over a PHP/coded authentication script, because the webserver can also protect stylesheets, JavaScript files and, more importantly, images or other attachments. Within PHP you can only protect the called page.

Of course, in Apache you can easily use basic authentication, but then the browser shows you a ‘static’ login window. Apache 2.4 now has a module, mod_auth_form, which helps you with form-based authentication, so you can make it more fancy :).

Please leave comments if necessary 🙂
Note: in my test setup this is compiled and running next to the system default Apache2 instance,
so there are 2 Apache bin directories on the system.

Downloading and extracting Apache 2.4

# cd /opt/src/
# wget http://ftp.tudelft.nl/apache/httpd/httpd-2.4.10.tar.gz
# tar xf httpd-2.4.10.tar.gz
# cd httpd-2.4.10/

Downloading and extracting the Apache 2.4 requirements (APR and APR-util). Check requirements here

# cd srclib
# wget http://apache.mirror.triple-it.nl/apr/apr-1.5.1.tar.gz
# wget http://apache.mirror.triple-it.nl/apr/apr-util-1.5.3.tar.gz
# tar xf apr-1.5.1.tar.gz
# tar xf apr-util-1.5.3.tar.gz
# mv apr-1.5.1 apr
# mv apr-util-1.5.3 apr-util
# cd .. (/opt/src/httpd-2.4.10/)
# apt-get install libpcre3 libpcre3-dev (if not already installed)

Configuring the source tree. (The option --with-ssl is optional, decide for yourself if needed.)

# ./configure --prefix=/opt/apache2 --with-included-apr --with-ssl --enable-auth-form

Building and installing

# make
# make install

Configure Apache2 (note, our ServerRoot is at /opt/apache2)

# cd /opt/apache2
# vi conf/httpd.conf
... omitted
# changed to 82, because 80 is used already (httpd.conf has no inline comments, so keep this on its own line)
Listen 82
... omitted
# uncomment the next lines
LoadModule auth_form_module modules/mod_auth_form.so
... omitted
LoadModule request_module modules/mod_request.so
... omitted
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
... omitted
# add include
Include conf/httpd-secured.conf

Create a directory structure.
Our secured content should be placed at myapp/www/.
Fancy login pages should be placed at myapp/www-auth/. This is an ‘open’, not secured, directory.

# cd /opt
# mkdir myapp
# mkdir myapp/www
# mkdir myapp/www-auth

Create a configuration file for our secured directories.
Create the file /opt/apache2/conf/httpd-secured.conf

Alias /secured/ /opt/myapp/www/
# Below is the configuration of our secured directory
<Directory /opt/myapp/www/>
 AuthFormProvider file
 AuthUserFile /opt/myapp/.htpasswd
 AuthType form
 AuthName realm
 # When login is required, redirect to:
 AuthFormLoginRequiredLocation /auth/login.html
 Session On
 SessionCookieName session path=/
 Require valid-user
</Directory>

# This is an 'open', unsecured, directory.
# Place your fancy login HTML and CSS files here.
Alias /auth/ /opt/myapp/www-auth/
<Directory /opt/myapp/www-auth/>
 Require all granted
 Session On
 SessionCookieName session path=/
</Directory>

# Our login form should reference to this location
<Location /auth/dologin.html>
 SetHandler form-login-handler
 AuthFormLoginSuccessLocation /
 AuthFormProvider file
 AuthUserFile /opt/myapp/.htpasswd
 AuthType form
 AuthName realm
 Session On
 SessionCookieName session path=/
</Location>

# Refer to /auth/logout to reset
<Location /auth/logout>
 SetHandler form-logout-handler
 AuthType form
 AuthName realm
 AuthFormLogoutLocation /auth/loggedout.html
 Session On
 SessionCookieName session path=/
</Location>

Create a user file

# htpasswd -c /opt/myapp/.htpasswd [username]

for additional users type:
# htpasswd /opt/myapp/.htpasswd [next-username]

Create a login form at /opt/myapp/www-auth/login.html

<html>
<head><title>Login</title></head>
<body>
<form method="POST" action="/auth/dologin.html">
Username: <input type="text" name="httpd_username" value=""/><br/>
Password: <input type="password" name="httpd_password" value=""/><br/>
<input type="submit" name="submit" value="Login"/>
</form>
</body>
</html>

Create a logged-out page at /opt/myapp/www-auth/loggedout.html, to which you will be redirected after logout.

<html>
<head><title>Loggedout</title></head>
<body>
<h1>Loggedout</h1>
<p>
You are now logged out.<br/>
<!-- the secured directory is served under the /secured/ alias defined in httpd-secured.conf -->
<a href="/secured/">Open my secured directory</a>
</p>
</body>
</html>

Create a demo page in our secured directory (/opt/myapp/www/)

<html>
<head><title>Secured directory</title></head>
<body>
<h1>Secured</h1>
<p>This is a secured directory. All other files, such as .css and .js, are also protected.</p>
<a href="/auth/logout">Click here to logout</a>
</body>
</html>

ToDo:
Security

The cookie is not encrypted: it contains your username and password in plaintext.

I’ve read that it is possible to replace this with a session id, or simply to encrypt the cookie.

Currently I have trouble compiling apache24 to support encrypted cookies.
Edit 2014-09-16: To compile apache24/apr-util with crypto support, you need OpenSSL version 1.0.1i. Compile, make and install this one first. Then add 2 parameters to the apache24 ./configure.

# ./configure --prefix=/opt/apache2 --with-included-apr --with-ssl --enable-auth-form --with-crypto --with-openssl=/opt/openssl1.0.1i/lib
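As an added example (not part of the original post), the secured Directory block from httpd-secured.conf above is shown as written, beside a hardened version that encrypts the session with mod_session_crypto, expires it, and marks the cookie HttpOnly and Secure. It assumes Apache was built with --enable-session-crypto on top of the --with-crypto/--with-openssl options from the edit above; the passphrase value is a placeholder.

```apacheconf
# Added example: one extra module on top of auth_form, request, session and
# session_cookie, which are already enabled in httpd.conf above.
# Requires a build configured with --enable-session-crypto.
LoadModule session_crypto_module modules/mod_session_crypto.so

# BEFORE (as in httpd-secured.conf above): the session, including the
# username and password stored by mod_auth_form, reaches the browser as a
# plain urlencoded cookie that anyone who can see it can read.
<Directory /opt/myapp/www/>
    AuthFormProvider file
    AuthUserFile /opt/myapp/.htpasswd
    AuthType form
    AuthName realm
    AuthFormLoginRequiredLocation /auth/login.html
    Session On
    SessionCookieName session path=/
    Require valid-user
</Directory>

# AFTER: the same block, with the session encrypted and the cookie locked down.
<Directory /opt/myapp/www/>
    AuthFormProvider file
    AuthUserFile /opt/myapp/.htpasswd
    AuthType form
    AuthName realm
    AuthFormLoginRequiredLocation /auth/login.html
    Session On
    # Encrypt the session before it is written into the cookie.
    # CHANGE-ME is a placeholder: use a long random secret, and set the same
    # value in every context that turns Session On for this cookie (the
    # www-auth Directory and the dologin/logout Locations above), otherwise
    # those contexts cannot decrypt the session the browser sends back.
    SessionCryptoPassphrase CHANGE-ME-long-random-secret
    # Expire the session after one hour, even if the cookie is replayed later.
    SessionMaxAge 3600
    # httponly keeps page scripts from reading the cookie; secure keeps it off
    # plain HTTP, so serve this instance over HTTPS (the --with-ssl build).
    SessionCookieName session path=/;httponly;secure;
    Require valid-user
</Directory>
```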

5 thoughts on “Apache 2.4 – mod_auth_form”

    1. Robin Post author

      Hi Nicolas,

      I hope you didn’t spend too much time on it.
      Thanks for leaving a reply and notifying about the typo.

  1. Ronald

    Thanks, it took me a while before I saw the dologin.html is only a location and login.html is the simple html file containing the form …..
    Now find a way to make the browser return to the original location that initiated the login action since in my config it protects a directory with multiple applications in it. Would be nice if /secured/appA would be served if that triggered the login and if the login is successfully completed …..

  2. Ronald

    And here I found a nice example that uses the 401 error code for a redirect that just comes in-between and redirects the browser back to the intended – protected – url that caused to login
