Apache user authentication
mod_authz_user: controls access per user (it provides the Require user and Require valid-user checks)
Require user john
Require valid-user
File - username/password authentication
Using Apache file authentication:
Confirm the modules:
mod_authn_core and mod_authz_core (the AuthType/AuthName and Require framework); for file authentication you also need mod_auth_basic (AuthType Basic), mod_authn_file (AuthBasicProvider file) and mod_authz_user (Require user / valid-user)
Create the passwd file (keep it outside the DocumentRoot and readable only by the httpd user):
htpasswd -c /usr/local/apache/passwd/passwdfile username     # -c creates the file (it overwrites an existing one); you are prompted for the password
htpasswd /usr/local/apache/passwd/passwdfile username2       # add a user to the existing file; you are prompted for the password
Configure the resource that requires authentication (httpd.conf does not allow comments after a directive on the same line, so the comments below are on their own lines):
<Directory "/var/www/cgi-bin">
    # Basic is implemented by mod_auth_basic
    AuthType Basic
    AuthName "apache auth"
    AuthBasicProvider file
    AuthUserFile "/usr/local/apache/passwd/passwdfile"
    # Require valid-user would admit every user defined in passwdfile
    #Require valid-user
    # admit only the named user
    Require user username
</Directory>
Note: Basic authentication transmits the password from the client without encryption (it is only base64-encoded), so it must not be used for sensitive resources unless the connection is protected with mod_ssl (HTTPS).
Group
Restricting access to the users of a group: mod_authz_groupfile, which extends Require with group and file-group:
Require group admin
Require file-group
1. Create the group file "/usr/local/apache/passwd/groups" and define a group (one line per group, members separated by spaces; every member must also exist in passwdfile, because authentication happens before the group check):
GroupTest: user1 user2 user3
2. Configure the group:
<Directory "/var/www/cgi-bin">
    AuthType Basic
    AuthName "apache auth"
    AuthBasicProvider file
    AuthUserFile "/usr/local/apache/passwd/passwdfile"
    AuthGroupFile "/usr/local/apache/passwd/groups"
    Require group GroupTest
</Directory>
With this method every request has to be authenticated, and every authentication reads passwdfile again, so the larger passwdfile grows the slower it gets.
Database - authentication against a database
Modules:
mod_authn_dbm or mod_authn_dbd
mod_authn_dbd
Authenticates by querying an SQL table. It depends on mod_dbd, which specifies the database driver, the connection parameters and the connection management (pooling). If a page loads many objects that each require authentication (e.g. images, scripts, etc.), every object costs a database query and access problems can occur; use mod_authn_socache to cache the looked-up credentials (the stored password hashes returned by the provider, not the user's plaintext password).
Address restrictions
ip/host restrictions
Module: mod_authz_host
Require ip address
Require host domain_name
<Directory "/var/www/html">
    # only 192.168.2.64 may access
    <RequireAll>
        Require ip 192.168.2.64
    </RequireAll>
</Directory>
<Directory "/var/www/html">
    # everyone except 192.168.2.64 may access
    <RequireAll>
        Require all granted
        Require not ip 192.168.2.64
    </RequireAll>
</Directory>
Note: Require ip matches the address of the TCP peer, so behind a reverse proxy or load balancer it sees the proxy's address unless mod_remoteip is configured; Require host needs a reverse DNS lookup for every request and is only as trustworthy as that DNS.
Custom
Custom module: mod_authnz_external
Compiling:
Dynamically loaded module:
1. Make sure httpd can load modules dynamically:
$ httpd -l    # the list of compiled-in modules must include mod_so.c
2. Compile with apxs (the Apache extension tool):
$ apxs -c mod_authnz_external.c
# In Apache 2.4, conn_rec->remote_ip and conn_rec->remote_addr were renamed to
# conn_rec->client_ip and conn_rec->client_addr, so an older mod_authnz_external
# source may fail to compile with an error that the remote_ip member does not exist;
# replace the old names with the new ones.
3. Install the module:
$ apxs -i -a mod_authnz_external.la    # -i installs the generated mod_authnz_external.so into the modules directory, -a adds the LoadModule line to httpd.conf
Statically linked
1. configure
./configure --prefix=/usr/local/apache \
    --with-module=aaa:/usr/local/src/mod_authnz_external/mod_authnz_external.c
2. make && make install
Configuration
- Load the module (DSO build only; a statically linked module needs no LoadModule):
LoadModule authnz_external_module modules/mod_authnz_external.so
- Define the external authenticator:
DefineExternalAuth keyword method location
- keyword : a name of your choice, referenced later by AuthExternal
- method :
- pipe read newline-terminated strings from stdin. (default)
- environment get args from environment variables.
- checkpassword read null-terminated strings from file descriptor 3.
- function internal authenticator called as function.
e.g.:
DefineExternalAuth my-defined pipe /var/www/cgi-bin/auth.py
AuthType Basic
AuthName "User-defined"
AuthBasicProvider external
AuthExternal my-defined
Require valid-user
The script must be executable by the httpd user. With the pipe method the credentials are written to the script's stdin, not passed on the command line, so they do not show up in process listings; the Basic-over-plaintext caveat from the file section still applies.
Script (/var/www/cgi-bin/auth.py; pipe method: user name on the first line of stdin, password on the second; exit status 0 means login ok, non-zero means login failed):
import sys
def log(msg): sys.stderr.write(msg + "\n")   # stderr goes to Apache's error log; stdout is not read by the module
name = sys.stdin.readline()
passwd = sys.stdin.readline()
if name:
    name = name.strip()
if passwd:
    passwd = passwd.strip()
log(name + ":" + passwd)   # demo only: this logs the plaintext password, never do this in production
if len(name) == len(passwd):   # demo check only: accepts any password as long as the user name
    log("OK"); sys.exit(0)   # login ok
else:
    log("error"); sys.exit(1)   # login failed
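The demo script above only compares lengths and writes the plaintext password to the log. Below is an added example of what a real pipe authenticator for mod_authnz_external looks like; it is not the page's script and not code from the mod_authnz_external project. It reads the same two newline-terminated fields from stdin, looks the user up in an htpasswd-style file containing {SHA} entries (the format `htpasswd -s` writes), compares with a constant-time comparison, logs only the outcome, and returns 0 or 1 as the exit status. PASSWD_FILE is an assumed path, and SAMPLE_PASSWD is a constructed credential file used so the block runs offline.

```python
#!/usr/bin/env python3
"""mod_authnz_external "pipe" authenticator, hardened version of the demo auth.py.

Protocol: user name on stdin line 1, password on line 2, each newline-terminated.
Exit status 0 = authenticated, 1 = rejected. Credentials are checked against an
htpasswd-style file holding {SHA} entries (the format `htpasswd -s` writes).
PASSWD_FILE is an assumed path, not one from the page.
"""
import base64
import hashlib
import hmac
import io
import sys

PASSWD_FILE = "/usr/local/apache/passwd/external-passwd"  # assumption


def sha_entry(password):
    """Return the field htpasswd -s stores for a password: {SHA} + base64(sha1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample credential file (built with sha_entry, so it matches what
# `htpasswd -s` would produce for these users); not from a real deployment.
SAMPLE_PASSWD = "\n".join([
    "# constructed sample",
    "alice:" + sha_entry("correct horse battery staple"),
    "bob:" + sha_entry("hunter2"),
    "legacy:$apr1$unsupported$hash",   # a non-{SHA} entry, must be rejected
])


def load_htpasswd(text):
    """Parse 'user:hash' lines; blank, comment and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def verify(entries, user, password):
    """True only if user exists and the password hashes to its {SHA} entry."""
    stored = entries.get(user, "")
    candidate = sha_entry(password).encode("ascii")
    if not stored.startswith("{SHA}"):
        # Unknown user or unsupported hash type: do a dummy comparison so the
        # timing does not reveal whether the user exists, then deny.
        hmac.compare_digest(candidate, sha_entry("").encode("ascii"))
        return False
    return hmac.compare_digest(candidate, stored.encode("utf-8"))


def read_credentials(stream):
    """Read the two fields. Only the terminating newline is removed, so passwords
    with leading/trailing spaces survive. Returns None if the name is missing."""
    name = stream.readline()
    passwd = stream.readline()
    if not name:
        return None
    return name.rstrip("\n"), passwd.rstrip("\n")


def authenticate(stream, passwd_text):
    """Process exit status for mod_authnz_external: 0 = login ok, 1 = login failed."""
    creds = read_credentials(stream)
    if creds is None:
        return 1
    user, password = creds
    if not user or ":" in user or "\0" in user:   # cannot be a valid entry key
        return 1
    ok = verify(load_htpasswd(passwd_text), user, password)
    # Log the outcome and the user only; never the password (stderr -> error log).
    sys.stderr.write("external auth %s for user %r\n" % ("OK" if ok else "FAILED", user))
    return 0 if ok else 1


def authenticate_text(input_text, passwd_text):
    """Helper for offline runs: feed a constructed stdin string instead of sys.stdin."""
    return authenticate(io.StringIO(input_text), passwd_text)


if __name__ == "__main__":
    with open(PASSWD_FILE, encoding="utf-8") as f:
        sys.exit(authenticate(sys.stdin, f.read()))
```

Installed as /var/www/cgi-bin/auth.py with the DefineExternalAuth line above, the script is started once per authentication; mod_authnz_external feeds the name and password on stdin and treats exit status 0 as success. SHA1-based {SHA} entries are used here only because they are what htpasswd -s writes and need no third-party library; for a new deployment a salted, slow hash (bcrypt via htpasswd -B) is the better choice, and verify() would then call the corresponding library instead of sha_entry.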