Introduction
Apache HTTP Server is a famous open source web server.
Installation
yum install httpd
Default Behavior
- Server instance name: httpd
- Configuration file:
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf/conf.d/*
- TCP Port: 80
- Log files:
- /var/log/httpd/access_log
- /var/log/httpd/error_log
- Working folder: /var/www/html
Configuration
Configuration: Log Level
Default log level for httpd is “warn”. You may change the log level to debug for more detail log message when you encounter problem with configuration.
For example:
LogLevel debug
Configuration: Server Side Includes (SSI)
SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.
To enable SSI in Apache HTTP, add the following in conf file:
AddType text/html .shtml
AddHandler server-parsed .shtml
<Directory /data/www>
Options +Includes
</Directory>
If the index file is a SSI file, you should add this line too:
DirectoryIndex index.html index.html.var index.shtml
Configuration: Virtual Host
The term Virtual Host refers to the practice of maintaining more than one server on one machine, as differentiated by their apparent hostname. For example, it is often desirable for companies sharing a web server to have their own domains, with web servers accessible as www.company1.com and www.company2.com, without requiring the user to know any extra path information.
In order not to mess up the httpd.conf file, we may store the virtual host configuration in a separate file. (eg: /etc/httpd/conf/httpd-vhosts.conf)
vi /etc/httpd/conf.d/httpd-vhosts.conf
NameVirtualHost *:80
<Directory /data/www>
Options +Includes
</Directory>
<VirtualHost *:80>
DocumentRoot /data/www
ServerName www.company1.com
ScriptAlias /cgi-bin/ /data/www/cgi-bin/
</VirtualHost>
Configuration: HTTPS – Secure HTTP
https is HTTP secure protocol.
Installation:
yum install mod_ssl
You may restart httpd service and verify if secure http service is up and running by:
# netstat -na |grep -i 443
tcp 0 0 :::443 :::* LISTEN
The configuration file for mod_ssl is stored in /etc/httpd/conf.d/ssl.conf.
Remember to exclude port 443 in firewall if you want to publish the service.
Configuration: Basic Authentication
mod_auth_basic is the module for http basic authentication.
The following command will prompt for password and create an entry of user with md5 hashed password:
htpasswd -c password_file username
An example of using the basic password file to protect a folder:
<Location /private/>
AuthType basic
AuthName "private area"
AuthBasicProvider file
AuthUserFile conf.d/password_file
Require valid-user
</Location>
Configuration: Digest Authentication
mod_auth_digest is the module for http digest authentication. It has similar mechanism as basic authentication except the password sent as MD5 hash value instead of plain text. httpd.conf should include mod_auth_digest by default.
The following command will prompt for password and create an entry of user with md5 hashed password:
htdigest -c password_file digest-realm username
An example of using the digest password file to protect a folder:
<Location /private/>
AuthType Digest
AuthName "digest_realm"
AuthDigestProvider file
AuthUserFile conf.d/password_file
Require valid-user
</Location>
Configuration: httpd 2.2 LDAP Authentication and authorisation
httpd 2.2 using a module mod_authnz_ldap to perform ldap authentication and authoisation.
The following example attempt to protect a URL cgi-bin with username/password authentication against a ldap directory server. The LDAP connection is using TLS.
<Location /cgi-bin>
Order deny,allow
Allow from example.com
AuthType Basic
AuthName "CVSweb"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://ldap.example.com/ou=user,dc=example,dc=com?uid?sub
?(objectclass=posixAccount) STARTTLS
Require valid-user
</Location>
The above configuration should work if your LDAP server is working.
If debug log level is used, you may notice the error_log shows something like this:
[Tue Sep 14 16:38:18 2010] [debug] mod_authnz_ldap.c(376): [client 192.168.0.107] [32672] auth_ldap authenticate: using URL ldap://ldap.example.com/ou=example,dc=example,dc=com?uid?sub?(objectclass=posixAccount)
[Tue Sep 14 16:38:18 2010] [debug] mod_authnz_ldap.c(475): [client 192.168.0.107] [32672] auth_ldap authenticate: accepting alice
[Tue Sep 14 16:38:18 2010] [debug] mod_authnz_ldap.c(847): [client 192.168.0.107] [32672] auth_ldap authorise: authorisation denied
A log message of “authorisation denied” sounds like the authorisation fail. However, you don’t encounter problem accessing resource from web browser. This message may confuse when checking the log message during troubleshooting session.
The message was a result from a configuration option:
AuthzLDAPAuthoritative off
The httpd security mechanism requires authentication and authorisation processes to be verified before a resource may access by an user. In this case, the user is authenticated with user name and password via LDAP service. And the authorisation process is verified by apache configuration.
Setting AuthzLDAPAuthoritative to off means mod_authnz_ldap let other authorization modules attempt to authorize the user, should authorization with this module fail. That is the reason why the message “authorisation denied” shown in log. The mod_authnz_ldap denied to perform authorisation here due to “AuthzLDAPAuthoritative off”.
Now, next problem raise. If mod_authnz_ldap_ldap denied to perform authorisation, why the resource is accessible after valid credential is supplied via web browser? And why the authorisation seems successfully perform? Who perform the authorisation?
The key is this setting:
Require valid-user
The above clause performs authorisation. It simply means authenticated user of mod_authnz_ldap is always valid and is authorised to use the resource.
What if we attempt to set AuthzLDAPAuthoritative to on? This simply means mod_authnz_ldap will perform authorisation followed by success authentication:
<Location /cgi-bin>
Order deny,allow
Allow from example.com
AuthType Basic
AuthName "CVSweb"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.example.com/ou=user,dc=example,dc=com?uid?sub?(objectclass=posixAccount) STARTTLS
Require valid-user
</Location>
Above configuration will cause browser keep prompt for username and password even correct credential is provided. Log messages something like these will shown:
[Tue Sep 14 16:30:49 2010] [debug] mod_authnz_ldap.c(376): [client 192.168.0.107] [32596] auth_ldap authenticate: using URL ldap://ldap.example.com/ou=user,dc=example,dc=com?uid?sub?(objectclass=posixAccount)
[Tue Sep 14 16:30:50 2010] [debug] mod_authnz_ldap.c(475): [client 192.168.0.107] [32596] auth_ldap authenticate: accepting alice
[Tue Sep 14 16:30:50 2010] [debug] mod_authnz_ldap.c(842): [client 192.168.0.107] [32596] auth_ldap authorise: declining to authorise
The error message is “declining to authorise” as compare to “authorisation denied” in previous case.
In this case, mod_authnz_ldap should attempt to perform authorisation due to “AuthzLDAPAuthoritative on” clause in configuration. Again, the reason it “declining to authorise” was due to this clause:
Require valid-user
In this case, mod_authnz_ldap should perform authorisation but valid-user. However, mod_authnz_ldap do not possess “Require valid-user” and thus it doesn’t know know how to perform authorisation and that lead to “declining to authorise” message logged.
To make mod_authnz_ldap perform authorisation successfully, we may use either:
- Require ldap-user
- Require ldap-group
- Require ldap-dn
- Require ldap-attribute
- Require ldap-filter
for different cases. Refer here for more information.
Configuration: WebDAV
mod_dav is the module for HTTPD WebDAV. it is extremely easy to use WebDAV in Apache HTTPD:
<Location /foo>
Dav On
</Location>
Just include “Dav On” to Location or Directory block will straight turn on WebDAV share.
Reference
- Making Apache 2.2 valid-user work with mod_authnz_ldap.
URL: http://neptune.ashtech.net/~dmarkle/blog/archives/108-Making-Apache-2.2-valid-user-work-with-mod_authnz_ldap.html