Still a ‘WordPress draft’, but published already.
It should bring you to a working solution.
I prefer webserver authentication over a PHP/coded authentication script, because the webserver can also protect stylesheets, JavaScript files and, more importantly, images or other attachments. Within PHP you can only protect the called page.
Of course, in Apache, you can easily use basic authentication. But then the browser shows you a ‘static’ login window. Apache 2.4 now has a module (mod_auth_form) which helps you with form authentication. You can now make it more fancy :).
Please leave comments if necessary 🙂
Note: in my test setup this is compiled and running next to the system default Apache2 instance, so there are 2 apache bin directories on the system.
Downloading and extracting Apache 2.4
# cd /opt/src/
# wget http://ftp.tudelft.nl/apache/httpd/httpd-2.4.10.tar.gz
# tar xf httpd-2.4.10.tar.gz
# cd httpd-2.4.10/
Downloading and extracting the Apache 2.4 requirements (APR and APR-util). Check requirements here
# cd srclib
# wget http://apache.mirror.triple-it.nl/apr/apr-1.5.1.tar.gz
# wget http://apache.mirror.triple-it.nl/apr/apr-util-1.5.3.tar.gz
# tar xf apr-1.5.1.tar.gz
# tar xf apr-util-1.5.3.tar.gz
# mv apr-1.5.1 apr
# mv apr-util-1.5.3 apr-util
# cd .. (/opt/src/httpd-2.4.10/)
# apt-get install libpcre3 libpcre3-dev (if not already installed)
Configuring the source tree (the option --with-ssl is optional, decide for yourself if needed)
# ./configure --prefix=/opt/apache2 --with-included-apr --with-ssl --enable-auth-form
Building and installing
# make
# make install
Configure Apache2 (note: our ServerRoot is at /opt/apache2)
# cd /opt/apache2
# vi conf/httpd.conf
... omitted
# changed to 82, because 80 is used already (Apache does not allow a comment after a directive, so keep it on its own line)
Listen 82
... omitted
# uncomment the next lines
LoadModule auth_form_module modules/mod_auth_form.so
... omitted
LoadModule request_module modules/mod_request.so
... omitted
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
... omitted
# add include
Include conf/httpd-secured.conf
Create a directory structure.
Our secured content should be placed at myapp/www/.
Fancy login pages should be placed at myapp/www-auth/. This is an ‘open’, not secured, directory.
# cd /opt
# mkdir myapp
# mkdir myapp/www
# mkdir myapp/www-auth
Create a configuration file for our secured directories.
Create the file /opt/apache2/conf/httpd-secured.conf
Alias /secured/ /opt/myapp/www/

# Below is the configuration of our secured directory
<Directory /opt/myapp/www/>
    AuthFormProvider file
    AuthUserFile /opt/myapp/.htpasswd
    AuthType form
    AuthName realm
    # When login is required, redirect to:
    AuthFormLoginRequiredLocation /auth/login.html
    Session On
    SessionCookieName session path=/
    Require valid-user
</Directory>

# This is an 'open', unsecured, directory.
# Place your fancy login html and css files here.
Alias /auth/ /opt/myapp/www-auth/
<Directory /opt/myapp/www-auth/>
    Require all granted
    Session On
    SessionCookieName session path=/
</Directory>

# Our login form should reference this location
<Location /auth/dologin.html>
    SetHandler form-login-handler
    AuthFormLoginSuccessLocation /
    AuthFormProvider file
    AuthUserFile /opt/myapp/.htpasswd
    AuthType form
    AuthName realm
    Session On
    SessionCookieName session path=/
</Location>

# Refer to /auth/logout to reset the session
<Location /auth/logout>
    SetHandler form-logout-handler
    AuthType form
    AuthName realm
    AuthFormLogoutLocation /auth/loggedout.html
    Session On
    SessionCookieName session path=/
</Location>
Create a user file (use the htpasswd from /opt/apache2/bin; -c creates the file and overwrites an existing one, so omit it afterwards)
# htpasswd -c /opt/myapp/.htpasswd [username]
For additional users type:
# htpasswd /opt/myapp/.htpasswd [next-username]
Create a login form at /opt/myapp/www-auth/login.html
<html>
<head><title>Login</title></head>
<body>
<!-- field names httpd_username and httpd_password are what mod_auth_form expects -->
<form method="POST" action="/auth/dologin.html">
  Username: <input type="text" name="httpd_username" value=""/><br/>
  Password: <input type="password" name="httpd_password" value=""/><br/>
  <input type="submit" name="submit" value="Login"/>
</form>
</body>
</html>
Create a logged-out page, to which you will be redirected after logout.
<html>
<head><title>Loggedout</title></head>
<body>
<h1>Loggedout</h1>
<p>
  You are now logged out.<br/>
  <!-- /secured/ is the Alias for /opt/myapp/www/ in httpd-secured.conf -->
  <a href="/secured/">Open my secured directory</a>
</p>
</body>
</html>
Create a demo page in our ‘myapp’ directory (/opt/myapp/www/index.html)
<html>
<head><title>Secured directory</title></head>
<body>
<h1>Secured</h1>
<p>This is a secured directory. All other files, such as .css and .js, are also protected.</p>
<a href="/auth/logout">Click here to logout</a>
</body>
</html>
ToDo:
Security
The cookie is not encrypted. It shows your username and password in plaintext.
I’ve read that it is possible to replace this with a session id, or just simply encrypt the cookie.
Currently I have trouble compiling apache24 to support encrypted cookies.
Edit 2014-09-16: To compile apache24/apr-util with crypto support, you need OpenSSL version 1.0.1i. Compile, make and install this one first. Then add 2 parameters to the apache24 ./configure.
# ./configure --prefix=/opt/apache2 --with-included-apr --with-ssl --enable-auth-form --with-crypto --with-openssl=/opt/openssl1.0.1i/lib
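As an added example that is not part of the original post, the configuration for the encrypted-cookie ToDo above: the weak session lines from httpd-secured.conf beside a hardened version using mod_session_crypto. It assumes the --with-crypto build from the edit; the passphrase value and an HTTPS listener are assumptions.

```apache
# Added example (not the post's own config): fragments for httpd.conf
# and httpd-secured.conf. Assumes the --with-crypto build; the
# passphrase below is a placeholder.

# httpd.conf: mod_session_crypto must be loaded after mod_session
LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so

# server-wide: the APR crypto driver the build was linked against
SessionCryptoDriver openssl

# httpd-secured.conf, weak form as used above: the cookie body carries
# httpd_username and httpd_password, readable by anyone who can see it
#<Directory /opt/myapp/www/>
#    Session On
#    SessionCookieName session path=/
#</Directory>

# hardened form: encrypted cookie body, no script access, HTTPS only
<Directory /opt/myapp/www/>
    AuthFormProvider file
    AuthUserFile /opt/myapp/.htpasswd
    AuthType form
    AuthName realm
    AuthFormLoginRequiredLocation /auth/login.html
    Require valid-user

    Session On
    # placeholder: use a long random value, keep it out of version control
    SessionCryptoPassphrase CHANGE-ME-long-random-passphrase
    # httponly keeps the cookie away from page scripts; secure sends it
    # only over HTTPS, so even the ciphertext never travels in clear.
    # Drop "secure" while still testing over plain HTTP on port 82.
    SessionCookieName session path=/;httponly;secure
</Directory>
```

The same SessionCryptoPassphrase and SessionCookieName lines must be repeated in the /opt/myapp/www-auth/ directory and in the /auth/dologin.html and /auth/logout locations, otherwise the login and logout handlers cannot read a cookie they did not encrypt.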
Thank you !
Typo: “SesssionCookieName” contains one ‘s’ too many 😉
Hi Nicolas,
I hope you didn’t spend too much time on it.
Thanks for leaving a reply and notifying about the typo.
Hi,
your article helped me very much….
it is complete and just what I needed.
thanks 🙂
regards
Thomas
Thanks, it took me a while before I saw the dologin.html is only a location and login.html is the simple html file containing the form …..
Now find a way to make the browser return to the original location that initiated the login action since in my config it protects a directory with multiple applications in it. Would be nice if /secured/appA would be served if that triggered the login and if the login is successfully completed …..
And here I found a nice example that uses the 401 error code for a redirect that just comes in-between and redirects the browser back to the intended – protected – url that caused to login