Apache basic authentication
This is the Wiki entry for mod_authnz_restauth, an Apache2 Basic Authentication and Authorization provider module designed to work with the RestAuth system.
The module only needs the URL to the RestAuth server to work (and probably also the username/password of your RestAuth server, depending on your configuration). It can optionally perform authorization using RestAuth groups and forward the IP of the client along with the password (a RestAuth extension).
The Apache module depends on CURL.
Also see the project page.
- Using apxs2 (this is Apache's module helper utility; you probably want this if you've installed Apache from source):

      $ make -f
      # make -f install
- We also provide binary and source packages for some distributions.
You can secure directories by adding the following directives to the corresponding <Directory>, <Location>, <Files> or <Proxy> configuration, or to the corresponding .htaccess file.
- Enable Basic authentication and configure the realm (REQUIRED):
      AuthType Basic
      AuthName "REST based authentication"
- Use the module as the Basic authentication provider (REQUIRED):
- The URL of the RestAuth provider. RestAuth service errors (e.g. if the service is offline, malfunctioning or can't be reached) will result in an "Internal Server Error" being propagated to the client (REQUIRED):
- Who to authorize. This can be either a mod_authz_user line, such as Require user ... or Require valid-user, or Require restauth-group <group>, which authorizes only users from the specified RestAuth group (REQUIRED).
- Authentication data for the provider (so you can authenticate as a certain service according to the RestAuth specification). These settings are OPTIONAL; you can also specify the user and password as part of the URL (e.g. http://mysite:mysitepassword@localhost:5000/):

      RestAuthServiceUser mysite
      RestAuthServicePassword mysitepassword
- If the connection to the server is done via SSL and, for some reason, you don't want to check the certificate, set this to off. Ideally, you should create a self-signed certificate and trust it on the RestAuth server instead of using this option, in case you don't have access to an already-trusted CA. Otherwise, you won't be able to guarantee the authenticity of the server and you may be the victim of a Man-in-the-middle attack (OPTIONAL, defaults to "on").
- Whether to forward the client's IP address. This is a RestAuth extension and the IP may be simply ignored by the server (OPTIONAL, defaults to "off"):
Allow all users known to the RestAuth server found at https://localhost:5000/ to the "/binaries" location. The service username is user, the service password is pass:
    <Location "/binaries">
        AuthType Basic
        AuthName "The binaries Realm, secured by RestAuth"
        AuthBasicProvider restauth
        RestAuthServiceUser user
        RestAuthServicePassword pass
        RestAuthAddress https://localhost:5000/
        Require valid-user
    </Location>
Allow only users from the group "admins" access to the "/admin" directory. Use the RestAuth server found at https://localhost:5000/. The service username is user, the service password is pass:
    <Location "/admin">
        AuthType Basic
        AuthName "The admin Realm, secured by RestAuth"
        AuthBasicProvider restauth
        RestAuthServiceUser user
        RestAuthServicePassword pass
        RestAuthAddress https://localhost:5000/
        Require restauth-group admins
    </Location>
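A pre-deployment check for the directives marked REQUIRED above, as an added example that is not part of the module or the original page. The names `audit`, `check` and `SAMPLE`, the host `auth.example.internal`, and the decision to exempt loopback addresses from the plain-HTTP finding are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Directives the page marks REQUIRED for a RestAuth-protected section.
REQUIRED = ("AuthType", "AuthName", "AuthBasicProvider", "RestAuthAddress", "Require")
OPEN = re.compile(r"<(Directory|Location|Files|Proxy)\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</(Directory|Location|Files|Proxy)>", re.I)

# Constructed sample: one complete block and one deliberately incomplete block.
SAMPLE = """
<Location "/binaries">
    AuthType Basic
    AuthName "The binaries Realm, secured by RestAuth"
    AuthBasicProvider restauth
    RestAuthAddress https://localhost:5000/
    Require valid-user
</Location>
<Location "/admin">
    AuthType Basic
    AuthBasicProvider restauth
    RestAuthAddress http://user:pass@auth.example.internal:5000/
</Location>
"""

def check(seen):
    # `seen` maps lowercased directive name -> value for one section.
    out = [f"missing required directive: {d}" for d in REQUIRED if d.lower() not in seen]
    url = urlsplit(seen.get("restauthaddress", ""))
    # Assumption of this sketch: loopback traffic is exempt from the HTTP finding.
    if url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1", "::1"):
        out.append("RestAuthAddress uses plain HTTP to a remote host")
    if url.password:
        out.append("service password is embedded in the RestAuthAddress URL")
    return out

def audit(conf_text):
    """Return {section: findings} for every section that uses the restauth provider."""
    report, name, seen = {}, None, {}
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = OPEN.match(line)
        if opened:
            name, seen = opened.group(1) + " " + opened.group(2).strip(' "'), {}
        elif CLOSE.match(line) and name is not None:
            if "restauth" in seen.get("authbasicprovider", "").lower().split():
                report[name] = check(seen)
            name = None
        elif name is not None and line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            seen[key.lower()] = value.strip()
    return report
```

Calling `audit(SAMPLE)` returns an empty finding list for `/binaries` and four findings for `/admin`; nested sections and `.htaccess` files without a section wrapper are not handled.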
Like the Apache HTTP server, this module is licensed under the Apache 2.0 license.