-------------------------------------------------------------------------------
Important: First read the introduction in "apache_auth_basic.txt"
-------------------------------------------------------------------------------
Set up apache server so only file owners can access files in a sub-directory
Install modules
authz_owner file owner authorization (standard install)
mod_authnz_external external program authentication
pwauth provide PAM password authentication
mod_ssl enable SSL and the SSLRequireSSL directive (forbidden if not over SSL)
mod_pam authenticate local users using pam
=======8<--------CUT HERE----------
# Require SSL connection for password protection.
SSLRequireSSL
# Set up use of external authentication (via pam)
AuthType Basic
AuthName "User Secure Area"
AuthBasicProvider external
AuthExternal pwauth
# Access Control (who can access)
#require valid-user
require file-owner
require user test
=======8<--------CUT HERE----------
This allows only the file owner, or the user 'test', to access the files in that
sub-directory.
NOTE: this only works for plain files; it does not work for virtual content
such as PHP or CGI output accessed through that URI, as there is no file owner
to compare the authenticated user against.
-------------------------------------------------------------------------------
Adjust to auto redirect HTTP to HTTPS
Note that this must happen BEFORE authentication is requested; as such the
redirection must be in the HTTP virtual host, while authentication must ONLY
be done in the HTTPS virtual host. NOTE: this restriction means ".htaccess"
files can NOT be used, as they are read by BOTH virtual hosts.
In "userdir.conf"
=======8<--------CUT HERE----------
# Require SSL connection for password protection.
#SSLRequireSSL
# Map HTTP to HTTPS
RewriteEngine On
# check that the connection is not already https
RewriteCond %{HTTPS} !=on
# redirect users using http to https with same URI
RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
=======8<--------CUT HERE----------
In "ssl.conf"
=======8<--------CUT HERE----------
...
DefineExternalAuth pwauth pipe /usr/bin/pwauth
# Set up use of external authentication (via pam)
AuthType Basic
AuthName "User Secure Area"
AuthBasicProvider external
AuthExternal pwauth
# Access Control (who can access)
#require valid-user
require user test
require file-owner
=======8<--------CUT HERE----------
NOTE: the separation is to ensure that authentication only occurs after
the user has been redirected to the HTTPS protocol, so the password is never
sent over plain HTTP.
-------------------------------------------------------------------------------
Authorize users to access a 'secure' sub-directory of their home.
NOTE: the external Group check is being used as the authorizer, to test if this
user is allowed to access a specific URI. There seems to be some caching of
the result if you try to access the same URI immediately after a previous
attempt, but otherwise it does seem to be working.
Expand the "ssl.conf" section above...
=======8<--------CUT HERE----------
...
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup authhome pipe /path/to/authorize_home
# Set up use of external authentication (via pam)
AuthType Basic
AuthName "User Secure Area"
AuthBasicProvider external
AuthExternal pwauth
GroupExternal authhome
# Access Control (who can access)
#Require valid-user
#Require file-owner
Require user test
Require external-group access_to_home_secure
=======8<--------CUT HERE----------
Note the script does not check the given group name "access_to_home_secure".
Instead it checks the requested URI (passed in the environment) against the
authenticated user, to determine if the user is allowed access.
The Authenticator "authorize_home"...
=======8<--------CUT HERE----------
#!/usr/bin/perl
#
# Authorize access to home directory (URI) of an authenticated user (USER)
#
# Called from apache configuration using mod_authnz_external as a group
# authenticator (misused for authorization).
#
# Anthony Thyssen, 3 Feb 2014
#
use strict;
use warnings;
# mod_authnz_external (pipe method) writes the user name on the first line of
# STDIN and the group list on the second; only the user name is used here.
chomp(my $USER = <STDIN>);
# true only if the URI starts with this user's home directory
# (anchored with ^ and \Q...\E so the match cannot be satisfied by a "/~user/"
# appearing later in the path, or by regex metacharacters in a user name)
exit 0 if $ENV{URI} =~ m|^/~\Q$USER\E/|;
exit 1;   # false -- user is denied group access
=======8<--------CUT HERE----------
NOTE: This only checks that the authenticated user matches the user's home,
and not the specific sub-directory of the user's home, which is defined by the
SSL configuration (the <Directory> or <Location> the Require lives in).
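The following is an added example, not part of the original notes or of
mod_authnz_external, showing how an external group authorizer of the kind
described above can be written to also check the sub-directory (assumed here
to be named "secure"), and to fail closed on path tricks such as "/../" or a
"/~user/" appearing later in the path. It assumes, as the page's script does,
that mod_authnz_external passes the request path in the URI environment
variable and the user name on the first line of standard input; the function
name home_uri_allowed and the sub-directory name are this example's own.

```python
#!/usr/bin/env python3
"""Hypothetical replacement for the authorize_home pipe authorizer.

Exit status 0 = user is a member of the requested "group" (i.e. allowed),
exit status 1 = denied, which is what mod_authnz_external expects.
"""
import os
import posixpath
import re
import sys

# Only accept conventional Unix user names; anything else is denied outright
# so that a strange user name can never form a surprising path component.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def home_uri_allowed(user: str, uri: str, subdir: str = "secure") -> bool:
    """Return True only if 'uri' lies under /~<user>/<subdir>/.

    Assumption: Apache's UserDir maps /~<user>/ to that user's home, and the
    protected area is the <subdir> directory directly below it.
    """
    if not USERNAME_RE.match(user):
        return False
    # Collapse "." and ".." so "/~alice/secure/../../~bob/secure/x" is judged
    # as the path it really resolves to ("/~bob/secure/x").
    path = posixpath.normpath(uri)
    parts = path.split("/")
    # Expected shape: ['', '~alice', 'secure', ...]; a path that is not
    # absolute, has a doubled leading slash, or is too short is denied.
    if len(parts) < 3 or parts[0] != "":
        return False
    if parts[1] != "~" + user:
        return False
    if parts[2] != subdir:
        return False
    return True


def main() -> int:
    """Speak the mod_authnz_external pipe protocol for a group check."""
    user = sys.stdin.readline().rstrip("\n")
    _group = sys.stdin.readline().rstrip("\n")  # group name is not used
    uri = os.environ.get("URI", "")
    return 0 if home_uri_allowed(user, uri) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in exactly as the page's authorize_home script is wired in (a
DefineExternalGroup line naming this file, and GroupExternal plus Require
external-group in the HTTPS virtual host); the group name given to Require is
still ignored, only the user and URI decide.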
-------------------------------------------------------------------------------