Deploying Suse Linux Enterprise Server
| Purchase "Deploying Suse Linux Enterprise Server" at Lulu.com |
Apache Web Server
- SLES Configuration Layout
- The Yast Apache Wizard and Configuring Apache
- Creating Virtual Hosts
- Apache Authentication Techniques
- Using MySQL with Apache
Apache Authentication Techniques
In some Apache deployments, you may wish to enable authentication for some of your sites. This is usually done either to remove anonymous access to certain sites or to ensure that a username is passed to a web application so that it functions properly. In either case, here are some examples of how to enable various authentication techniques with Suse Linux Enterprise Server.
Authentication Using the .htaccess file
Probably the easiest way to enable authentication is by the use of the ".htaccess" file. Unfortunately this is the most wasteful way (in server resources) to enable authentication because the server must look for this file within every directory for every file that is being served. Added to this performance hit is the fact that Apache must also look at every parent directory for this file. This can become a huge performance hit if the site is categorized into various directories.
Nevertheless, if you do not want to adjust the main configuration files to configure authentication, this is an easy way for you, or your users, to enable authentication.
The first step in configuring ".htaccess" authorization is to enable it for the sites where you want to use it. To do this, you must allow "AuthConfig" overrides for your site by adding the following directive to the site's configuration or <Directory > section.
AllowOverride AuthConfig
Once that is done you can now create the actual .htaccess file to protect the site or a directory within the site. This file should contain something similar to:
AuthName "Something Meaningful"
Require valid-user
AuthUserFile /srv/www/passwds/secure1.pwd
AuthType basic
This configuration will check the password file at /srv/www/passwds/secure1.pwd for the username and password entered by the user to see if they can have access to the site. To create this password file you must enter the following command:
htpasswd2 -c /srv/www/passwds/secure1.pwd username
It will then create the secure1.pwd file and ask for a password for the username that you entered. Once this file is created you will no longer need the "-c" option when running the command to add additional usernames to the password file.
Once all of these steps are taken, a user who tries to access any file within the directory that contains the .htaccess file will be prompted with an "Authentication Required" box to enter their username and password before they can access the file/directory.
Authentication Within the <Directory > Specification
To avoid using ".htaccess" files, you can also configure authentication directly within the Apache configuration files. The most popular way to do this is to configure authentication with a <Directory > specification.
In this example I simply add another directory specification to the site's configuration block. For example, you can add this directory spec below the main directory spec.
<Directory /srv/www/site1/secure/>
    AllowOverride AuthConfig
    Order deny,allow
    Require valid-user
    AuthType basic
    AuthUserFile /srv/www/passwds/secure.pwd
    AuthName "Something Meaningful"
</Directory>
You would then create the secure.pwd file and add any users to it with the htpasswd2 command as shown in the previous section.
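Both the .htaccess and the <Directory > setups above depend on the file named in AuthUserFile. The following audit is an added example, not code from the book: it flags a password file that sits inside the document root or is world-accessible, and entries stored in a weak hash format. The function names, the sample entries and the document root passed to audit_file are assumptions made for the illustration.

```python
import os
import re

# Hash formats htpasswd can write; True marks a salted, iterated scheme.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$"), "bcrypt", True),
    (re.compile(r"^\$apr1\$"), "apr1-md5", True),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", False),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", False),  # crypt() keeps 8 chars
]

# Constructed sample file; the hash strings are placeholders, not real digests.
SAMPLE = """\
alice:$apr1$abcdefgh$0123456789abcdefghijkl
bob:abCDEFGHIJKLM
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:hunter2
"""

def classify(hash_field):
    """Return (scheme, acceptable) for the hash part of one htpasswd line."""
    for pattern, name, acceptable in SCHEMES:
        if pattern.search(hash_field):
            return name, acceptable
    return "unknown-or-plaintext", False

def audit_entries(text):
    """Return [(user, scheme)] for every entry stored with a weak scheme."""
    findings = []
    for line in text.splitlines():
        user, sep, hash_field = line.strip().partition(":")
        scheme, acceptable = classify(hash_field)
        if sep and not acceptable:  # sep is empty on blank or malformed lines
            findings.append((user, scheme))
    return findings

def audit_file(path, docroot):
    """Check where the password file lives and who can read it, then its entries."""
    real, root = os.path.realpath(path), os.path.realpath(docroot)
    problems = []
    if os.path.commonpath([real, root]) == root:
        problems.append("file is inside the document root")
    if os.stat(real).st_mode & 0o006:  # read or write bit set for "other"
        problems.append("file is world-accessible")
    with open(real) as fh:
        return problems + ["%s uses %s" % f for f in audit_entries(fh.read())]

if __name__ == "__main__":
    print(audit_entries(SAMPLE))
```

Basic authentication sends the password base64-encoded with every request, so the stored hash only protects the file at rest; serve the protected directory over HTTPS.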
Authentication Using the LDAP Server
Now that you know how to set up basic authentication for your web server, I will cover how you can use an LDAP server for authentication, which avoids having to manually create a password file for your server. This lets you use an existing "database" of usernames and passwords to grant access to your site(s).
The first step in authenticating against an LDAP directory is to enable the "ldap" and "authnz_ldap" Apache modules. You can do this by finding them within the "Server Modules" tab of the Yast HTTP Server module and enabling them. Alternatively, you can add the following lines to the "/etc/apache2/sysconfig.d/loadmodule.conf" file:
LoadModule ldap_module /usr/lib/apache2-prefork/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2-prefork/mod_authnz_ldap.so
Once that is done, you can start authenticating against your LDAP directory through either the .htaccess file or directly within a Directory statement. For example, a Directory statement that will allow access to any user that is listed within the LDAP tree would look something like this:
<Directory /srv/www/site1/secure/>
    AllowOverride AuthConfig
    Order deny,allow
    Require valid-user
    AuthType basic
    AuthName "Something Meaningful"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPUrl ldap://127.0.0.1/ou=people,dc=private,dc=lan?uid
</Directory>
As you can see, this is very similar to the examples above, the main difference being the AuthLDAPUrl statement (along with the other LDAP statements). By adjusting both the AuthLDAPUrl and the Require statements, you can change what Apache will look for in your LDAP database to allow access. For further information on LDAP authentication with Apache, take a look at the mod_auth_ldap information within the Apache Documentation.
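To see what a given AuthLDAPUrl makes Apache search for, the following added example (not code from the book or from Apache) splits the URL into the host, base DN, attribute, scope and filter fields, applies the defaults documented for mod_authnz_ldap, and builds the combined search filter with the username escaped per RFC 4515. The function names and the cleartext_remote flag are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# RFC 4515 escapes for characters that are special inside a search filter.
_ESCAPES = {ord("\\"): r"\5c", ord("*"): r"\2a", ord("("): r"\28",
            ord(")"): r"\29", 0: r"\00"}

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, so treat it as remote
        return False

def parse_auth_ldap_url(url):
    """Split ldap://host:port/basedn?attribute?scope?filter, applying defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    attrs, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),
        "attribute": attrs.split(",")[0] or "uid",  # only the first one is used
        "scope": scope or "sub",
        "filter": unquote(flt) or "(objectClass=*)",
        # Plain ldap:// to another host exposes passwords unless TLS is set up separately.
        "cleartext_remote": parts.scheme == "ldap" and not _is_loopback(parts.hostname),
    }

def search_filter(cfg, username):
    """Build the (&(filter)(attribute=username)) search with the name escaped."""
    flt = cfg["filter"] if cfg["filter"].startswith("(") else "(%s)" % cfg["filter"]
    return "(&%s(%s=%s))" % (flt, cfg["attribute"], username.translate(_ESCAPES))

if __name__ == "__main__":
    cfg = parse_auth_ldap_url("ldap://127.0.0.1/ou=people,dc=private,dc=lan?uid")
    print(cfg)
    print(search_filter(cfg, "jdoe"))
```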


