I tried to protect my application (the test environment) to hide it from curious with a htpasswd. Here is my architecture:
[AngularJS] -> [Apache Proxy] -> [Service]
The aim is to block people who has no password.
I tried first to add a htpasswd on my Apache Proxy at the highest level:
<Location "/">
AuthUserFile /etc/apache2/passwords
AuthName "Forbidden"
AuthType Basic
require valid-user
</Location>
Problem: the prompt was fired at each time a request was made (don't know why).
I tried after to reduce the scope:
<Location "/modules/user/">
AuthUserFile /etc/apache2/passwords
AuthName "Forbidden"
AuthType Basic
require valid-user
</Location>
It works because the call to this route is made at each request. Fine.
But now I created a new route : /modules/user/account. I fell in the first problem I have but worse: a prompt is always displayed, and never accepted. Apache in the logs says:
[Mon Nov 23 11:51:55.510434 2015] [authz_core:debug] [pid 3043:tid 139650316363520] mod_authz_core.c(809): [client 164.177.43.41:55888] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://test.mysite.com/
htpasswd is maybe the wrong way to protect my application, what should I do?
Thanks
Related
To serve files, I set up a readonly WebDAV with Apache2 serving from davs://dav.example.com/. However, I want a subdirectory (davs://dav.example.com/uploads/) that is writable by the logged in user.
To make my site readonly, I used the following:
...
<Directory /var/www/dav>
Options +Indexes
DAV On
Order allow,deny
AuthType Basic
AuthName "Not for public access! Login only"
AuthUserFile /var/www/htpasswd
<Limit GET OPTIONS PROPFIND>
Require valid-user
Deny from all
</Limit>
<Limit PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require host dav.example.com
Deny from all
</Limit>
Satisfy Any
</Directory>
...
I've tried making <Directory /var/www/dav/upload>, copying the <Limit PUT... with Require valid-user in it, but that didn't work. When creating a file in the /upload/ dir, the server responded with a 500 error.
Is this possible? I have access to the site.conf file.
Make a <Directory /var/www/dav/upload> block with this in it:
<LimitExcept GET OPTIONS PROPFIND PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require valid-user
Deny from all
</LimitExcept>
This also works in .htaccess files, if needed.
I want to use mod_auth_openidc for authentication only, by using what is set in REMOTE_USER.
Currently, I have this:
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
Require all granted
</Location>
The user accesses an url hosted by the app that logs them in. When logged in, there's additional info on every page, and access is allowed to some urls that otherwise return 401.
Now I want to add OIDC to this, so I tried adding the following:
OIDCRedirectURI https://<hostname>/oidc/redirect_uri
<Location /oidc>
ProxyPass "!"
AuthType openid-connect
Require valid-user
</Location>
Accessing "/oidc" successfully redirects to the provider, then redirects back to /oidc, which doesn't exist in the app, so apache goes 404.
If I go anywhere else, no REMOTE_USER is set and so the user is not authenticated. (I have a debug-page that dumps headers and environment variables and other sundry for this.)
I found this question: Optional or anonymous authentication with mod_auth_openidc, which mentions OIDCUnAuthAction, but it is unclear how to use it.
If I change the first location-block to:
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
Require all granted
OIDCUnAuthAction pass
</Location>
.. then the user is no longer redirected.
If I in addition add OIDCUnAuthAction auth to the second Location-block, the redirect is back and the user is back to being redirected to /oidc and not being authenticated anywhere else.
<Location /oidc>
ProxyPass "!"
AuthType openid-connect
Require valid-user
OIDCUnAuthAction auth
</Location>
If I keep the last version of the /oidc-block and change the first block to
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
AuthType openid-connect
Require valid-user
OIDCUnAuthAction pass
</Location>
.. that doesn't change anything.
If I do force login everywhere, with
<Location />
# reverse proxy to app
# authorization not controlled by web server, but by app
AuthType openid-connect
Require valid-user
</Location>
then accessing any page redirects me to the provider, which redirects me to where I came from. On the debug-page I see that there are lots of claims headers, but REMOTE_USER is either not set, or set in such a way that it cannot be dumped (it's not visible to the app), so the user is not authenticated.
If I use OIDCAuthNHeader Foo it turns up together with the other http headers, prefixed with HTTP_, but then the app can't find it since it isn't named REMOTE_USER...
I'm at my wits end. How is this supposed to work? Can it work at all?
I have password protected my webpage in Linux Mint by using mod_auth_form in apache2 with the configuration in /etc/apache2/apache2.conf:
<Directory "/var/www/html">
AuthFormProvider file
AuthType form
AuthName "Reserved Area"
Session On
SessionCookieName session path=/
require valid-user
AuthFormLoginRequiredLocation "http://localhost/login.php"
# This is the login page
ErrorDocument 401 /login.php
# This is the file containing users login data
AuthUserFile /var/www/html/users/users
</Directory>
When an unauthorized user tries to access something on the webpage he will be redirected to the login page "login.php", however he won't have access to this page either so I tried adding:
<Location /var/www/html/login.php>
Order Allow,Deny
Allow from all
</Location>
But the problem remains and it just tries to redirect to the login page infinitely. What would enable a user to access only the login page but not anything else on the site?
I found that if I replaced
<Location /var/www/html/login.php>
Order Allow,Deny
Allow from all
</Location>
with
<Directory /var/www/html/login>
Options Indexes
AllowOverride None
Require all granted
</Directory>
and added a folder /var/www/html/login where I placed everything that had to do with the login page it started working. I never figured out why Location didn't work to give access to the login.php file.
I also removed the line
AuthFormLoginRequiredLocation "http://localhost/login.php
as it wasn't needed.
The line:
ErrorDocument 401 /login.php
was also changed to:
ErrorDocument 401 /login/login.php
When I try to access the parent directory, say localhost/parent, it gives me 403 forbidden. However if I access the sub-directory, say localhost/parent/index.html, it goes through.
I believe it's a config issue but could anyone walk me through a bit here?
I tried to change the apache2.conf as many people suggested but it doesn't work.(shown below)
<Directory "your directory here">
Order allow,deny
Allow from all
Require all granted
</Directory>
The following is what error log says:
[Mon Jul 03 11:32:51.028149 2017] [autoindex:error] [pid 4899] [client 127.0.0.1:42462] AH01276: Cannot serve directory /var/www/html/hub/: No matching DirectoryIndex (index.php,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
It turned out to be a config file issue,
sudo nano /etc/apache2/mods-enabled/dir.conf
Make index.php as the first option and it solved the problem
I've configured apache2 to redirect a virtual host (munin) from http to https, I've something like this:
cat /etc/apache2/site-enabled/default
[...]
# 20140619 - munin redirect http to https
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} ^/munin/.*
RewriteRule ^(.*)$ https://server1.example.com/$1 [R,L]
[...]
munin has its default config
cat /etc/apache2/site-enabled/munin
Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
Order allow,deny
Allow from all ::1
Options None
AuthUserFile /etc/munin/munin-pass
AuthName "server1.example.com"
AuthType Digest
require valid-user
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault M310
</IfModule>
</Directory>
So, when I try to connect (using chrome) to http://server1.example.com, browser immediately ask me username and password (I'm connected using http). After inserted mine credentials (browser warn me about not trusted certificate, it's ok: I don't have a trusted certficate). When I force it to connect using https I need re-insert username and password and only now I can see the munin page.
Now, when I insert user and password (the first time), does that credentials can intercepts? or I'm inside SSL tunnel?
If credentials go over HTTP, they can be intercepted. If credentials go over HTTPS with an untrusted certificate, they can be intercepted (if users are in the habbit of just clicking 'ok' on the warning, a bad guy can insert their own cert and defeat the whole purpose of SSL). You're only shot at being safe is HTTPS with a trusted cert.