This post is meant as lessons learned from setting up an Apache HTTPD server with authentication for some backend resources. The goal was to secure the resources with simple password-based authentication and allow a given list of users to access them. Accounts have been assembled in a DBM file on the local filesystem.
Configuration that works, but...
<VirtualHost *:80>
    ErrorLog /var/log/httpd/http-error.log
    # CustomLog needs a log format (or format nickname) as its second argument
    CustomLog /var/log/httpd/http-access.log combined
    <Location /myresources>
        AuthType basic
        AuthName "Authenticate using username and password"
        AuthBasicProvider dbm
        AuthDBMUserFile "/etc/httpd/authentication.dbm"
        AuthGroupFile "/etc/httpd/groups"
        <RequireAny>
            Require user adam
            Require user bob
            Require user cecil
        </RequireAny>
    </Location>
</VirtualHost>
So, what we have here:
- Credentials for user accounts are stored in /etc/httpd/authentication.dbm
- Access to myresources is allowed only to users adam, bob and cecil. This is defined using RequireAny, meaning that if any of these requirements is matched, the user is granted access.
This will work, but you will see disturbing messages in the error log. They are disturbing because they name the users that are allowed! At the same time, you will not see any error response in the access log. (Log messages are shortened.)
/var/log/httpd/http-error.log
[authz_user:error] [client 10.10.10.10:10000] AH01663: access to /myresources failed, reason: user 'bob' does not meet 'require'ments for user to be allowed access
/var/log/httpd/http-access.log
10.10.10.10 - bob "POST /myresources HTTP/1.1" 200 102
Why is that?
The reason is that the error log will contain an error message for each unsatisfied Require directive evaluated before the one that matches. For adam there won't be any error message, as he is first in the list. For bob there will be 1 and for cecil there will be 2 per request.
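To see how far such a leak goes in a real log, the following added shell snippet (not from the original post) pulls the user names out of AH01663 entries and counts how often each is exposed; the sample log lines are constructed after the post's shortened log format.

```shell
#!/bin/sh
# Added example: report which user names an httpd error log exposes through
# AH01663 "does not meet 'require'ments" messages.
# Usage: leaked_users /var/log/httpd/http-error.log

# Constructed sample lines shaped like the post's shortened log entries.
SAMPLE_LOG="${TMPDIR:-/tmp}/http-error.sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
[authz_user:error] [client 10.10.10.10:10000] AH01663: access to /myresources failed, reason: user 'bob' does not meet 'require'ments for user to be allowed access
[authz_user:error] [client 10.10.10.10:10001] AH01663: access to /myresources failed, reason: user 'cecil' does not meet 'require'ments for user to be allowed access
[authz_user:error] [client 10.10.10.10:10001] AH01663: access to /myresources failed, reason: user 'cecil' does not meet 'require'ments for user to be allowed access
[core:notice] [pid 1234] AH00094: Command line: '/usr/sbin/httpd'
EOF

# Print each user name found in an AH01663 message together with the number
# of times it was exposed, most frequent first.
leaked_users() {
    grep 'AH01663' "$1" \
      | sed -n "s/.*reason: user '\([^']*\)'.*/\1/p" \
      | sort | uniq -c | sort -rn
}

# Succeed only if the log contains no AH01663 message at all; this is the
# check to run after reconfiguring to confirm the names are no longer logged.
no_user_leak() {
    ! grep -q 'AH01663' "$1"
}

leaked_users "$SAMPLE_LOG"
```

The first configuration from the post produces exactly these entries, so running leaked_users on the real error log shows which allowed accounts the log has been naming.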
Configuration that works, but...
<VirtualHost *:80>
    ErrorLog /var/log/httpd/http-error.log
    # CustomLog needs a log format (or format nickname) as its second argument
    CustomLog /var/log/httpd/http-access.log combined
    <Location /myresources>
        AuthType basic
        AuthName "Authenticate using username and password"
        AuthBasicProvider dbm
        AuthDBMUserFile "/etc/httpd/authentication-myresources.dbm"
        AuthGroupFile "/etc/httpd/groups"
        Require valid-user
    </Location>
</VirtualHost>
The difference here is that there is no Require user list. Instead, any valid user is allowed. But the authentication database can contain more users than only those allowed to access myresources. This is why the authentication file has been changed, and you have to keep the correct list of users in it.
The latter configuration won't generate false alarms in the error log, but I don't consider it perfect either.