Apache basic authentication


Apache module

This is the Wiki entry for mod_authnz_restauth, an Apache2 Basic Authentication and Authorization provider module designed to work with the RestAuth system.

The module only needs the URL to the RestAuth server to work (and probably also the username/password of your RestAuth server, depending on your configuration). It can optionally perform authorization using RestAuth groups and forward the IP of the client along with the password (a RestAuth extension).

The Apache module depends on CURL.

Also see the project page.

Installation

  • Using apxs2 (Apache's module helper utility; you probably want this if you've installed Apache from source):

$ make -f
# make -f install

  • We also provide binary and source packages for some distributions.

Usage

You can secure directories by adding the following directives to the corresponding <Directory>, <Location>, <Files> or <Proxy> configuration, or to the corresponding .htaccess file.

  • Enable Basic authentication and configure the realm (REQUIRED):

AuthType Basic
AuthName "REST based authentication"

  • Use the module as the Basic authentication provider (REQUIRED):

AuthBasicProvider restauth

  • The URL of the RestAuth provider. RestAuth service errors (e.g. if the service is offline, malfunctioning or can't be reached) will result in an "Internal Server Error" being propagated to the client (REQUIRED):

RestAuthAddress http://localhost:5000/

  • Who to authorize. This can be either a mod_authz_user line, such as Require user ... or Require valid-user, or a Require restauth-group <group> line, which only authorizes users from the specified RestAuth group (REQUIRED):

Require valid-user

  • Authentication data for the provider (so you can authenticate as a certain service according to the RestAuth specification). These settings are OPTIONAL; you can also specify the user and password as part of the URL (e.g. http://mysite:mysitepassword@localhost:5000/):

RestAuthServiceUser mysite
RestAuthServicePassword mysitepassword

  • If the connection to the server is done via SSL and, for some reason, you don't want to check the certificate, set this to off. Ideally, in case you don't have access to an already-trusted CA, you should create a self-signed certificate and trust it on the RestAuth server instead of using this option. With validation off, you cannot guarantee the authenticity of the server and may fall victim to a man-in-the-middle attack (OPTIONAL, defaults to "on"):

RestAuthServiceValidateCertificate on

  • Whether to forward the client's IP address. This is a RestAuth extension and the IP may be simply ignored by the server (OPTIONAL, defaults to "off"):

RestAuthForwardIP off

Examples

Allow all users known to the RestAuth server found at https://localhost:5000/ access to the "/binaries" location. The service username is user, the service password is pass:

 <Location "/binaries">
  AuthType Basic
  AuthName "The binaries Realm, secured by RestAuth"
  AuthBasicProvider restauth
 
  RestAuthServiceUser user
  RestAuthServicePassword pass
  RestAuthAddress https://localhost:5000/
 
  Require valid-user
 </Location>

Allow only users from the group "admins" access to the "/admin" directory. Use the RestAuth server found at https://localhost:5000/. The service username is user, the service password is pass:

 <Location "/admin">
  AuthType Basic
  AuthName "The admin Realm, secured by RestAuth"
  AuthBasicProvider restauth
 
  RestAuthServiceUser user
  RestAuthServicePassword pass
  RestAuthAddress https://localhost:5000/
 
  Require restauth-group admins
 </Location>
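
A quick way to review such sections before deploying them is to check them against the REQUIRED directives and the certificate caveat described under Usage. The following Python script is an added example, not part of mod_authnz_restauth or the RestAuth project; the function name audit_block, the sample sections and the host restauth.example.org are constructed for illustration.

```python
from urllib.parse import urlsplit

# Directives the page marks REQUIRED, lower-cased (Apache directive names are case-insensitive).
REQUIRED = ("authtype", "authname", "authbasicprovider", "restauthaddress", "require")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_block(body):
    """Return findings for the body of one <Location>/<Directory> section (hypothetical helper)."""
    seen = {}
    for raw in body.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith(("#", "<")):
            continue  # skip blanks, comments and the section tags themselves
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        seen.setdefault(parts[0].lower(), []).append(value)

    findings = [f"missing required directive: {d}" for d in REQUIRED if d not in seen]
    if "authtype" in seen and seen["authtype"][-1].lower() != "basic":
        findings.append("AuthType is not Basic")
    if "authbasicprovider" in seen and "restauth" not in seen["authbasicprovider"][-1].lower().split():
        findings.append("AuthBasicProvider does not list restauth")
    for addr in seen.get("restauthaddress", []):
        url = urlsplit(addr)
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(f"cleartext http to {url.hostname}: passwords cross the network unencrypted")
    if seen.get("restauthservicevalidatecertificate", ["on"])[-1].lower() == "off":
        findings.append("certificate validation is off: RestAuth server cannot be authenticated")
    return findings

# Constructed sample sections (not taken from a real deployment).
GOOD = '''
  AuthType Basic
  AuthName "The admin Realm, secured by RestAuth"
  AuthBasicProvider restauth
  RestAuthAddress https://localhost:5000/
  Require restauth-group admins
'''
BAD = '''
  AuthType Basic
  AuthName "Downloads"
  AuthBasicProvider restauth
  RestAuthAddress http://restauth.example.org:5000/
  RestAuthServiceValidateCertificate off
'''

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_block(body) or "no findings")
```

The loopback exception reflects the page's own http://localhost:5000/ example; any other http:// address sends both the service password and the users' passwords over the network unencrypted.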

License

Like the Apache HTTP server, this module is licensed under the Apache 2.0 license [1].