{"id":543,"date":"2014-07-20T22:04:12","date_gmt":"2014-07-20T21:04:12","guid":{"rendered":"http:\/\/www.mb200d.nl\/wordpress\/?p=543"},"modified":"2017-04-26T19:47:38","modified_gmt":"2017-04-26T18:47:38","slug":"apache-2-4-mod_auth_form","status":"publish","type":"post","link":"http:\/\/www.mb200d.nl\/wordpress\/2014\/07\/apache-2-4-mod_auth_form\/","title":{"rendered":"Apache 2.4 – mod_auth_form"},"content":{"rendered":"

Still a ‘wordpress  draft’, but published already.
\nIt should bring you to an working solution.<\/p>\n

I prefer webserver authentication above and php\/coded authentication script. This because the webserver can also protect stylesheets, javascript files and, more important, images or other attachments. Within php you can only protect the called page.<\/p>\n

Of course, in apache, you can easily use basic authentication. But then the browser shows you an ‘static’ login window. Apache2 has now an module which helps you with form authentication. You can make in now more fancy :).<\/p>\n

Please leave comments if necessary \ud83d\ude42
\nnote… in my test setup this is compiled and running next to system default Apache2 instance.
\nso 2 apache-bin directories are on the system.<\/p>\n

Downloading and extracting Apache 2.4<\/p>\n

# cd \/opt\/src\/\r\n# wget http:\/\/ftp.tudelft.nl\/apache\/httpd\/httpd-2.4.10.tar.gz\r\n# tar xf httpd-2.4.10.tar.gz\r\n# cd httpd-2.4.10\/\r\n<\/pre>\n
Downloaden and extracting Apache 2.4 requirements. Check requirements here<\/a><\/p>\n
# cd srclib\r\n# wget http:\/\/apache.mirror.triple-it.nl\/apr\/apr-1.5.1.tar.gz\r\n# wget http:\/\/apache.mirror.triple-it.nl\/apr\/apr-util-1.5.3.tar.gz\r\n# tar xf apr-1.5.1.tar.gz\r\n# tar xf apr-util-1.5.3.tar.gz\r\n# mv apr-1.5.1 apr\r\n# mv apr-util-1.5.3 apr-util\r\n# cd .. (\/opt\/src\/httpd-2.4.10\/)\r\n# apt-get install libpcre3 libpcre3-dev (if not already installed)<\/code><\/pre>\n
Configuring source tree. (option –with-ssl is optional, decide for yourself if needed)<\/p>\n
# .\/configure --prefix=\/opt\/apache2 --with-included-apr --with-ssl --enable-auth-form\r\n<\/pre>\n
Building and installing<\/p>\n
# make\r\n# make install\r\n<\/pre>\n
Configure Apache2 (note, our ServerRoot is at \/opt\/apache2)<\/p>\n
# cd \/opt\/apache2\r\n# vi conf\/httpd.conf<\/pre>\n
... omitted\r\nListen 82   #changed to 82, because 80 is used already\r\n... omitted\r\n# uncomment the next lines\r\nLoadModule auth_form_module modules\/mod_auth_form.so\r\n... omitted\r\nLoadModule request_module modules\/mod_request.so\r\n... omitted\r\nLoadModule session_module modules\/mod_session.so\r\nLoadModule session_cookie_module modules\/mod_session_cookie.so\r\n... omitted\r\n# add include\r\nInclude conf\/httpd-secured.conf\r\n<\/pre>\n
Create a directory structure.
\nOur secured content should be placed at myapp\/www\/.
\nFancy login pages should be placed at myapp\/www-auth\/. This is an ‘open’, not secured, directory.<\/p>\n
# cd \/opt\r\n# mkdir myapp\r\n# mkdir myapp\/www\r\n# mkdir myapp\/www-auth\r\n<\/pre>\n
Create a configuration file for our secured directories.
\nCreate the file \/opt\/apache2\/conf\/httpd-secured.conf<\/p>\n
Alias \/secured\/ \/opt\/myapp\/www\/\r\n# Below is the configuration of our secured directory\r\n<Directory \/opt\/myapp\/www\/>\r\n AuthFormProvider file\r\n AuthUserFile \/opt\/myapp\/.htpasswd\r\n AuthType form\r\n AuthName realm\r\n # When login is required, redirect to:\r\n AuthFormLoginRequiredLocation \/auth\/login.html\r\n Session On\r\n SessionCookieName session path=\/\r\n Require valid-user\r\n<\/Directory>\r\n\r\n# This is an 'open', unsecured, directory.\r\n# place here your fance login html and css files.\r\nAlias \/auth\/ \/opt\/myapp\/www-auth\/\r\n<Directory \/opt\/myapp\/www-auth\/>\r\n Require all granted\r\n Session On\r\n SessionCookieName session path=\/\r\n<\/Directory>\r\n\r\n# Our login form should reference to this location\r\n<Location \/auth\/dologin.html>\r\n SetHandler form-login-handler\r\n AuthFormLoginSuccessLocation \/\r\n AuthFormProvider file\r\n AuthUserFile \/opt\/myapp\/.htpasswd\r\n AuthType form\r\n AuthName realm\r\n Session On\r\n SessionCookieName session path=\/\r\n<\/Location>\r\n\r\n# Refer to \/auth\/logout to reset\r\n<Location \/auth\/logout>\r\n SetHandler form-logout-handler\r\n AuthType form\r\n AuthName realm\r\n AuthFormLogoutLocation \/auth\/loggedout.html\r\n Session On\r\n SessionCookieName session path=\/\r\n<\/Location>\r\n<\/pre>\n
Create a user file<\/p>\n
# htpasswd -c \/opt\/myapp\/.htpasswd [username]\r\n\r\nfor additional users type:\r\n# htpasswd \/opt\/myapp\/.htpasswd [next-username]\r\n<\/pre>\n
Create a login form at \/opt\/myapp\/www-auth\/login.html<\/p>\n
<html>\r\n<head><title>Login<\/title><\/head>\r\n<body>\r\n<form method=\"POST\" action=\"\/auth\/dologin.html\">\r\nUsername: <input type=\"text\" name=\"httpd_username\" value=\"\"\/><br\/>\r\nPassword: <input type=\"password\" name=\"httpd_password\" value=\"\"\/><br\/>\r\n<input type=\"submit\" name=\"submit\" value=\"Login\"\/>\r\n<\/form>\r\n<\/body>\r\n<\/html>\r\n<\/pre>\n
Create a loggedout page, where you will be redirected after logout.<\/p>\n
<html>\r\n<head><title>Loggedout<\/title><\/head>\r\n<body>\r\n<h1>Loggedout<\/h1>\r\n<p>\r\nYou are now logged out.<br\/>\r\n<a href=\"\/myapp\/\">Open my secured directory<\/a>\r\n<\/p>\r\n<\/body>\r\n<\/html>\r\n<\/pre>\n
Create a demo page in our ‘myapp’ directory<\/p>\n
<html>\r\n<head><title>Secured directory<\/title><\/head>\r\n<body>\r\n<h1>Secured<\/h1>\r\n<p>This is a secured directory. Al other files, such as .css and .js are also protected.<\/p>\r\n<a href=\"\/auth\/logout\">Click here to logout<\/a>\r\n<\/body>\r\n<\/html>\r\n<\/pre>\n
ToDo:
\nSecurity<\/b><\/p>\n
The cookie is not crypted. It shows your username and password in plaintext.<\/p>\n
I’ve read that it is possible to replace this with an session id, or just simply encrypt the cookie.<\/p>\n
Currently i have troubles with compiling apache24 to support crypted cookies.<\/del>
\nEdit 2014-09-16: To compile apache24\/apr-util with crypto support, you need OpenSSL version 1.0.1i. Compile, make, install this one first. Then add 2 parameters to apache24 .\/configure.<\/p>\n
# .\/configure --prefix=\/opt\/apache2 --with-included-apr --with-ssl --enable-auth-form --with-crypto --with-openssl=\/opt\/openssl1.0.1i\/lib<\/strong><\/pre>\n","protected":false},"excerpt":{"rendered":"
Still a ‘wordpress  draft’, but published already. It should bring you to an working solution. I prefer webserver authentication above and php\/coded authentication script. This because the webserver can also protect stylesheets, javascript files and, more important, images or other attachments. Within php you can only protect the called page. Of course, in apache, you […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,5,16,1],"tags":[129,130,128,137,135,131,132,133,136,134],"class_list":["post-543","post","type-post","status-publish","format-standard","hentry","category-english","category-it-related","category-projects","category-robin","tag-apache","tag-apache-2","tag-apache-2-4","tag-authentication","tag-cookie","tag-form-auth","tag-form-authentication","tag-mod_auth_form","tag-security","tag-session"],"_links":{"self":[{"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/posts\/543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/comments?post=543"}],"version-history":[{"count":15,"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/posts\/543\/revisions"}],"predecessor-version":[{"id":694,"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/posts\/543\/revisions\/694"}],"wp:attachment":[{"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/media?parent=543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/categories?post=543"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mb200d.nl\/wordpress\/wp-json\/wp\/v2\/tags?post=543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}