Apache authentication and authorization tutorial

Learn user authentication, access control and permission management


Apache authentication and authorization

Authentication and authorization in Apache are the central mechanism for protecting the security of website resources. Through authentication you verify a user's identity; through authorization you control which resources that user may access. This article describes Apache's authentication and authorization mechanisms in detail, including Basic authentication, Digest authentication, file-based authentication, database-based authentication and access control configuration, to help you build a secure Apache server.

Basic concepts of authentication and authorization

  • Authentication: verifying a user's identity, that is, confirming who the user is.
  • Authorization: determining whether an authenticated user is permitted to access a specific resource.
  • Access control: controlling a user's access to resources according to the results of authentication and authorization.

The relationship between authentication and authorization

Authentication is the prerequisite for authorization: only a user who has passed authentication can be the subject of an authorization decision. Authorization is the continuation of authentication: once the user is authenticated, the server must decide whether that user is permitted to access the requested resource.

Apache authentication modules

Apache provides several authentication modules that implement different kinds of authentication mechanism (the names below are the Apache 2.4 module names):

  • mod_auth_basic: implements Basic authentication; the user name and password are transmitted Base64-encoded.
  • mod_auth_digest: implements Digest authentication; an MD5 hash of the authentication information is transmitted instead of the password, which is more secure than Basic authentication.
  • mod_authn_file: stores user information in a plain text file.
  • mod_authn_dbm: stores user information in a DBM file.
  • mod_authnz_ldap: authenticates against an LDAP server.
  • mod_authn_dbd: authenticates against a database.

Basic authentication configuration

Step 1: enable the Basic authentication modules

    # Ubuntu/Debian
    sudo a2enmod auth_basic authn_file
    # Restart Apache
    sudo systemctl restart apache2

    # CentOS/RHEL
    # Edit /etc/httpd/conf/httpd.conf and uncomment the following lines
    # LoadModule auth_basic_module modules/mod_auth_basic.so
    # LoadModule authn_file_module modules/mod_authn_file.so
    # Restart Apache
    sudo systemctl restart httpd

Step 2: create the password file

    # Create the password file (-c creates the file; it overwrites an existing one)
    sudo mkdir -p /etc/apache2/auth
    sudo htpasswd -c /etc/apache2/auth/.htpasswd admin
    # Add more users (without -c, so the existing file is kept)
    sudo htpasswd /etc/apache2/auth/.htpasswd user1
    sudo htpasswd /etc/apache2/auth/.htpasswd user2
    # View the contents of the password file
    sudo cat /etc/apache2/auth/.htpasswd

Step 3: configure Basic authentication

    # Add the following to the virtual host configuration
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Basic authentication configuration
        <Directory /var/www/html/secure>
            AuthType Basic
            AuthName "Restricted Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            Require valid-user
        </Directory>

        # Other configuration...
    </VirtualHost>

Meaning of each directive:

  • AuthType Basic: use the Basic authentication mechanism.
  • AuthName: the name of the authentication realm, shown in the browser's login dialog.
  • AuthUserFile: the path to the password file.
  • Require valid-user: any user who authenticates successfully may access the directory.

Digest authentication configuration

Digest authentication is more secure than Basic authentication because it processes the authentication information with the MD5 hash algorithm instead of transmitting it in clear text.

Step 1: enable the Digest authentication module

    # Ubuntu/Debian
    sudo a2enmod auth_digest
    # Restart Apache
    sudo systemctl restart apache2

    # CentOS/RHEL
    # Edit /etc/httpd/conf/httpd.conf and uncomment the following line
    # LoadModule auth_digest_module modules/mod_auth_digest.so
    # Restart Apache
    sudo systemctl restart httpd

Step 2: create the Digest authentication password file

    # Create the Digest password file; the realm ("Restricted Area") must match
    # AuthName in the configuration exactly, because the stored hash is bound to it
    sudo htdigest -c /etc/apache2/auth/.htdigest "Restricted Area" admin
    # Add more users
    sudo htdigest /etc/apache2/auth/.htdigest "Restricted Area" user1
    sudo htdigest /etc/apache2/auth/.htdigest "Restricted Area" user2
    # View the contents of the password file
    sudo cat /etc/apache2/auth/.htdigest

Step 3: configure Digest authentication

    # Add the following to the virtual host configuration
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Digest authentication configuration
        <Directory /var/www/html/secure>
            AuthType Digest
            AuthName "Restricted Area"
            AuthDigestProvider file
            AuthUserFile /etc/apache2/auth/.htdigest
            Require valid-user
        </Directory>

        # Other configuration...
    </VirtualHost>
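The following is an added worked example (not code from the tutorial) of what the .htdigest file above contains and how a Digest request is checked against it: htdigest stores user:realm:MD5(user:realm:password), the browser sends an MD5 response bound to the server's nonce rather than the password, and the server recomputes that response. It assumes qop=auth as mod_auth_digest uses; the nonce, URI and password values are constructed.

```python
import hashlib
import hmac

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def htdigest_line(user, realm, password):
    """Same layout htdigest writes: user:realm:HA1, HA1 = MD5(user:realm:password)."""
    return "%s:%s:%s" % (user, realm, md5_hex("%s:%s:%s" % (user, realm, password)))

def client_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """The 'response' value a browser sends in its Authorization: Digest header
    (qop=auth). The password itself never leaves the client."""
    ha1 = md5_hex("%s:%s:%s" % (user, realm, password))
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex("%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))

def verify_digest(htdigest_text, realm, user, method, uri, nonce, nc, cnonce, response):
    """Server side: find HA1 for (user, realm) in the .htdigest text and check
    that the client's response matches for this nonce and request."""
    ha1 = None
    for line in htdigest_text.splitlines():
        parts = line.split(":")
        if len(parts) == 3 and parts[0] == user and parts[1] == realm:
            ha1 = parts[2]
            break
    if ha1 is None:
        return False  # unknown user, or AuthName differs from the realm in the file
    ha2 = md5_hex("%s:%s" % (method, uri))
    expected = md5_hex("%s:%s:%s:%s:auth:%s" % (ha1, nonce, nc, cnonce, ha2))
    return hmac.compare_digest(expected, response)

# Constructed sample: what htdigest -c .htdigest "Restricted Area" admin stores
# for the made-up password below.
HTDIGEST = htdigest_line("admin", "Restricted Area", "example-password")

if __name__ == "__main__":
    req = ("GET", "/secure/", "server-nonce-1", "00000001", "client-nonce")
    resp = client_response("admin", "Restricted Area", "example-password", *req)
    print("valid:", verify_digest(HTDIGEST, "Restricted Area", "admin", *req, resp))
    print("realm mismatch:", verify_digest(HTDIGEST, "Other Realm", "admin", *req, resp))
```

Because HA1 is bound to the realm, a user created with one realm cannot authenticate when AuthName names another, and a captured response is useless under a fresh server nonce.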

Group-based authentication and authorization

You can create user groups and then authorize by group, which makes managing user permissions more convenient.

Step 1: create the group file

    # Create the group file
    sudo nano /etc/apache2/auth/.htgroup
    # Add the following content (one group per line: group name, a colon, then the members separated by spaces)
    admins: admin
    users: user1 user2
    # Save the file

Step 2: configure group-based authorization

    # Add the following to the virtual host configuration
    # (AuthGroupFile is provided by mod_authz_groupfile: sudo a2enmod authz_groupfile)
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Group-based authorization
        <Directory /var/www/html/admin>
            AuthType Basic
            AuthName "Admin Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            AuthGroupFile /etc/apache2/auth/.htgroup
            Require group admins
        </Directory>

        <Directory /var/www/html/user>
            AuthType Basic
            AuthName "User Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            AuthGroupFile /etc/apache2/auth/.htgroup
            Require group users
        </Directory>

        # Other configuration...
    </VirtualHost>

IP-based access control

Besides user-based authentication, Apache also supports access control based on IP address, so access can be restricted to specific IP addresses or address ranges.

    # Add the following to the virtual host configuration
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # IP-based access control
        <Directory /var/www/html/internal>
            # Allow specific IP addresses
            Require ip 192.168.1.100 192.168.1.101
            # Allow a specific IP range
            # (several Require lines at the same level are combined with OR, as in an implicit <RequireAny>)
            Require ip 192.168.1.0/24
        </Directory>

        # Combine authentication with IP access control
        <Directory /var/www/html/secure>
            AuthType Basic
            AuthName "Restricted Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            # Both authentication and the IP check must succeed
            <RequireAll>
                Require valid-user
                Require ip 192.168.1.0/24
            </RequireAll>
        </Directory>

        # Other configuration...
    </VirtualHost>

LDAP-based authentication

LDAP (Lightweight Directory Access Protocol) is a directory service protocol commonly used in enterprise authentication systems. Apache supports LDAP authentication through the mod_authnz_ldap module.

Step 1: enable the LDAP authentication module

    # Ubuntu/Debian (mod_authnz_ldap depends on mod_ldap, so enable both)
    sudo a2enmod ldap authnz_ldap
    # Restart Apache
    sudo systemctl restart apache2

    # CentOS/RHEL
    sudo yum install mod_authnz_ldap
    # Edit /etc/httpd/conf/httpd.conf and uncomment the following lines
    # LoadModule ldap_module modules/mod_ldap.so
    # LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    # Restart Apache
    sudo systemctl restart httpd

Step 2: configure LDAP authentication

    # Add the following to the virtual host configuration
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # LDAP authentication configuration
        <Directory /var/www/html/ldap-secure>
            AuthType Basic
            AuthName "LDAP Protected Area"
            AuthBasicProvider ldap
            # Use ldaps:// in production so user passwords are not sent to the
            # directory in clear; the bind password below is stored in clear in
            # this file, so keep the file readable by root only
            AuthLDAPURL "ldap://ldap.example.com:389/dc=example,dc=com?uid"
            AuthLDAPBindDN "cn=bind_user,dc=example,dc=com"
            AuthLDAPBindPassword "bind_password"
            Require valid-user
        </Directory>

        # Other configuration...
    </VirtualHost>

Database-based authentication

Through the mod_authn_dbd module Apache can authenticate against a database, which makes managing large numbers of users more convenient.

Step 1: enable the database authentication module

    # Ubuntu/Debian (the DBD connection pool comes from mod_dbd, so enable it too)
    sudo a2enmod dbd authn_dbd
    # Install the required database driver
    sudo apt install libaprutil1-dbd-mysql
    # Restart Apache
    sudo systemctl restart apache2

    # CentOS/RHEL
    sudo yum install mod_authn_dbd
    # Install the required database driver
    sudo yum install apr-util-mysql
    # Edit /etc/httpd/conf/httpd.conf and uncomment the following line
    # LoadModule authn_dbd_module modules/mod_authn_dbd.so
    # Restart Apache
    sudo systemctl restart httpd

Step 2: configure the database connection

    # Add the following to apache2.conf
    # (DBDParams contains the database password, so this file must not be world-readable)
    DBDriver mysql
    DBDParams "host=localhost port=3306 dbname=auth user=db_user pass=db_password"
    DBDMin 4
    DBDKeep 8
    DBDMax 20
    DBDExptime 300

    # Add the following to the virtual host configuration
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Database authentication configuration
        <Directory /var/www/html/db-secure>
            AuthType Basic
            AuthName "Database Protected Area"
            AuthBasicProvider dbd
            # The password column must hold hashes in htpasswd format (for example
            # the output of "htpasswd -nbB user password"), not plain text
            AuthDBDUserPWQuery "SELECT password FROM users WHERE username = %s"
            Require valid-user
        </Directory>

        # Other configuration...
    </VirtualHost>

Advanced authorization configuration

1. Combining several authorization conditions

    # Add the following to the virtual host configuration
    <Directory /var/www/html/secure>
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/auth/.htpasswd
        AuthGroupFile /etc/apache2/auth/.htgroup
        # Allow the user "admin" or any member of the admins group
        <RequireAny>
            Require user admin
            Require group admins
        </RequireAny>
    </Directory>

2. Using access control files (.htaccess)

Besides configuring authentication and authorization in the main configuration file, Apache also supports configuration through .htaccess files, so the configuration can be changed without restarting Apache.

    # First allow .htaccess files to carry authentication directives
    <Directory /var/www/html>
        AllowOverride AuthConfig
    </Directory>

    # Create the .htaccess file
    sudo nano /var/www/html/secure/.htaccess
    # Add the following content
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/auth/.htpasswd
    Require valid-user
    # Save the file

3. Configuring an authentication timeout

    # Add the following to the virtual host configuration
    <Directory /var/www/html/secure>
        AuthType Basic
        AuthName "Restricted Area"
        AuthUserFile /etc/apache2/auth/.htpasswd
        Require valid-user
        # Session timeout in seconds. Session and SessionMaxAge are provided by
        # mod_session (sudo a2enmod session) and govern mod_session sessions such
        # as those used with mod_auth_form; Basic authentication itself keeps no
        # server-side session, the browser resends the credentials with every
        # request until it is closed
        Session On
        SessionMaxAge 3600
    </Directory>

Best practices for authentication and authorization

  • Use HTTPS: when using Basic or Digest authentication, encrypt the transport with HTTPS so that the credentials cannot be stolen in transit.
  • Choose a suitable authentication method: choose according to the security requirements; Digest authentication is more secure than Basic authentication.
  • Use strong passwords: require users to choose strong passwords and change them regularly.
  • Limit the number of authentication attempts: this prevents brute-force attacks.
  • Update the password file regularly: remove users that are no longer needed and update passwords.
  • Use group management: for large numbers of users, groups make permission management much easier.
  • Combine with IP access control: for sensitive areas, adding IP access control improves security.
  • Enable logging: record authentication and authorization events so they can be audited and problems can be diagnosed.
  • Principle of least privilege: grant users only the access they need.
  • Back up the authentication data regularly: regular backups of the user data prevent data loss.

Notes

When configuring Apache authentication and authorization, keep the following points in mind:

  • Basic authentication transmits the user name and password Base64-encoded, which is not secure; it must be combined with HTTPS.
  • Digest authentication is more secure than Basic authentication, but still not as secure as Basic authentication over HTTPS.
  • The password file should be stored in a directory that is not accessible through the web server, so that it cannot be downloaded.
  • Review the permissions of the password file regularly and make sure that only the Apache user can read it.
  • For large numbers of users, LDAP or database authentication is recommended instead of file-based authentication.
  • .htaccess files add load on the server; for sites with high performance requirements, configure authentication in the main configuration file instead.
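A small audit script for the password-file points in the notes above (which hash algorithm each entry uses, duplicate lines that Apache never consults, and whether users other than the Apache user can read the file). It is an added example, not part of the tutorial: the sample file and its placeholder hash bodies are constructed, and the risk labels are the script's own rating.

```python
import os, stat, tempfile

# Prefixes htpasswd(1) writes; the risk label is this script's own rating.
ALGOS = (("$2y$", "bcrypt", "ok"), ("$2a$", "bcrypt", "ok"),
         ("$apr1$", "apr1-md5", "weak"), ("{SHA}", "sha1", "weak"))

# Constructed sample file: hash bodies are placeholders, not real digests.
SAMPLE = ("admin:$2y$05$PLACEHOLDER.bcrypt.body.not.a.real.digest\n"
          "user1:$apr1$abcdefgh$PLACEHOLDERapr1body\n"
          "user2:{SHA}PLACEHOLDERsha1base64body=\n"
          "user1:$2y$05$PLACEHOLDER.second.entry.never.consulted\n"
          "broken line without separator\n")

def classify(hashed):
    for prefix, name, risk in ALGOS:
        if hashed.startswith(prefix):
            return name, risk
    return "crypt-or-plain", "weak"  # 13-char DES crypt, or plaintext (htpasswd -p)

def audit_entries(text):
    """Return (line_no, user, finding, risk) for every non-comment line."""
    findings, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep:
            findings.append((n, user, "malformed", "critical"))
        elif user in seen:  # mod_authn_file uses the first match; this line is dead
            findings.append((n, user, "duplicate-user", "warn"))
        else:
            seen.add(user)
            findings.append((n, user) + classify(hashed))
    return findings

def audit_file(path):
    """Entry findings plus whether 'other' can read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as f:
        findings = audit_entries(f.read())
    return {"mode": oct(mode), "world_readable": bool(mode & stat.S_IROTH),
            "findings": findings}

def write_sample(mode=0o644):
    """Write SAMPLE to a temporary file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="htpasswd-")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE)
    os.chmod(path, mode)
    return path
```

Run audit_file("/etc/apache2/auth/.htpasswd") on a real server; a world_readable result of True means the mode must be tightened (for example 0640 owned by root with the Apache group).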

Practical case: an Apache authentication and authorization system

Step 1: configure Basic authentication

    # Create the password file
    sudo mkdir -p /etc/apache2/auth
    sudo htpasswd -c /etc/apache2/auth/.htpasswd admin
    sudo htpasswd /etc/apache2/auth/.htpasswd user1

    # Configure Basic authentication
    sudo nano /etc/apache2/sites-available/example.com.conf
    # Add the following content
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Basic authentication configuration
        <Directory /var/www/html/secure>
            AuthType Basic
            AuthName "Restricted Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            Require valid-user
        </Directory>

        # Other configuration...
    </VirtualHost>

    # Create the protected directory ("sudo echo ... > file" does not work, because the
    # redirection is performed by your own shell, not by root; pipe through tee instead)
    sudo mkdir -p /var/www/html/secure
    echo "Secure Content" | sudo tee /var/www/html/secure/index.html

    # Enable the virtual host
    sudo a2ensite example.com
    # Restart Apache
    sudo systemctl restart apache2

Step 2: configure group-based authorization

    # Create the group file
    sudo nano /etc/apache2/auth/.htgroup
    # Add the following content
    admins: admin
    users: user1

    # Configure group-based authorization
    sudo nano /etc/apache2/sites-available/example.com.conf
    # Add the following content
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Basic authentication configuration
        <Directory /var/www/html/secure>
            AuthType Basic
            AuthName "Restricted Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            Require valid-user
        </Directory>

        # Group-based authorization
        <Directory /var/www/html/admin>
            AuthType Basic
            AuthName "Admin Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            AuthGroupFile /etc/apache2/auth/.htgroup
            Require group admins
        </Directory>

        <Directory /var/www/html/user>
            AuthType Basic
            AuthName "User Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            AuthGroupFile /etc/apache2/auth/.htgroup
            Require group users
        </Directory>

        # Other configuration...
    </VirtualHost>

    # Create the directories
    sudo mkdir -p /var/www/html/admin /var/www/html/user
    echo "Admin Content" | sudo tee /var/www/html/admin/index.html
    echo "User Content" | sudo tee /var/www/html/user/index.html

    # Restart Apache
    sudo systemctl restart apache2

Step 3: configure IP-based access control

    # Configure IP-based access control
    sudo nano /etc/apache2/sites-available/example.com.conf
    # Add the following content
    <VirtualHost *:80>
        ServerName example.com
        DocumentRoot /var/www/html

        # Basic authentication configuration
        <Directory /var/www/html/secure>
            AuthType Basic
            AuthName "Restricted Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            Require valid-user
        </Directory>

        # Group-based authorization
        <Directory /var/www/html/admin>
            AuthType Basic
            AuthName "Admin Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            AuthGroupFile /etc/apache2/auth/.htgroup
            Require group admins
        </Directory>

        <Directory /var/www/html/user>
            AuthType Basic
            AuthName "User Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            AuthGroupFile /etc/apache2/auth/.htgroup
            Require group users
        </Directory>

        # IP-based access control
        <Directory /var/www/html/internal>
            Require ip 192.168.1.0/24
        </Directory>

        # Authentication combined with IP access control
        <Directory /var/www/html/combined>
            AuthType Basic
            AuthName "Combined Protected Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            <RequireAll>
                Require valid-user
                Require ip 192.168.1.0/24
            </RequireAll>
        </Directory>

        # Other configuration...
    </VirtualHost>

    # Create the directories
    sudo mkdir -p /var/www/html/internal /var/www/html/combined
    echo "Internal Content" | sudo tee /var/www/html/internal/index.html
    echo "Combined Protected Content" | sudo tee /var/www/html/combined/index.html

    # Restart Apache
    sudo systemctl restart apache2

Step 4: configure HTTPS

    # Install a Let's Encrypt certificate
    sudo apt install certbot python3-certbot-apache
    sudo certbot --apache -d example.com

    # Configure the HTTPS virtual host
    sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf
    # Make sure the configuration includes the authentication settings
    <VirtualHost *:443>
        ServerName example.com
        DocumentRoot /var/www/html

        # SSL configuration
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        # Authentication configuration
        <Directory /var/www/html/secure>
            AuthType Basic
            AuthName "Restricted Area"
            AuthUserFile /etc/apache2/auth/.htpasswd
            Require valid-user
        </Directory>

        # Other configuration...
    </VirtualHost>

    # The port 80 virtual host from step 1 still accepts credentials in clear text;
    # let certbot redirect it to HTTPS, or remove the protected <Directory> block from it
    # Restart Apache
    sudo systemctl restart apache2

Interactive exercises

Exercise 1: Basic authentication configuration

Configure Apache Basic authentication to protect a directory. Requirements:

  • Create a password file and add at least two users
  • Configure Basic authentication to protect the /var/www/html/secure directory
  • Test whether authentication works correctly

Exercise 2: group-based authorization configuration

Configure group-based authorization in Apache. Requirements:

  • Create a group file defining two groups, admins and users
  • Configure the /admin directory so that only the admins group may access it
  • Configure the /user directory so that only the users group may access it
  • Test the access permissions of different users

Exercise 3: Digest authentication configuration

Configure Apache Digest authentication to protect a directory. Requirements:

  • Create a Digest authentication password file
  • Configure Digest authentication to protect the /var/www/html/digest-secure directory
  • Test whether Digest authentication works correctly

Exercise 4: combining authentication and IP access control

Configure Apache to combine authentication with IP access control. Requirements:

  • Configure a directory that requires the user both to authenticate and to come from a specific IP address
  • Test that an authenticated user from an allowed IP address can access it
  • Test that an authenticated user from a non-allowed IP address is denied access