On: Apache and Auth

Pic not relevant to the discussion, admittedly. >_>

So, I’m a bit behind on posts this month because of dealing with landlord and contract negotiations, as well as studying for my boat safety certificate exam. Sorry about that!

Today we bring the question about apache and auth: why is it peculiar?

Specifically, this is the situation I ran into today: I rolled out a new Ubuntu LAMP server so we could have a Linux distribution hosting web forms, not just a Windows box (I am admittedly biased against IIS). I was setting up LDAP auth and I figured I would be able to set up global authorization by dumping my auth configuration into the root VirtualHost declaration.

Apache, obviously, threw an error, basically saying “AuthBasicProvider command not allowed here.”, which was, admittedly, very confusing.

The structure of my file was as such:

ServerName NixForms
<AuthnProviderAlias ldap district-ldap>
    AuthLDAPBindDN "DNOFAUTHORIZEDUSER"
    AuthLDAPBindPassword AUTHORIZEDUSERPASSWORD
    AuthLDAPURL "ldap://district-dc:389/TECHDEPARTMENTOU?sAMAccountName"
</AuthnProviderAlias>

<VirtualHost *:80>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ServerName NixForms
    RewriteEngine on
    RewriteRule ^/(.*)$ https://nixforms.district/$1 [R,L]
</VirtualHost>

<VirtualHost NixForms:443>
    ServerAdmin me
    DocumentRoot /var/www/html

    SSLEngine on
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
    SSLCertificateChainFile /ssl/district-bundle
    SSLCertificateFile /ssl/district.cer
    SSLCertificateKeyFile /ssl/district.key

    LogLevel warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    AuthBasicProvider district-ldap
    AuthType Basic
    AuthName "Please Use AD Credentials to Login."
    Require valid-user
</VirtualHost>

This did not work, and I was surprised by it. What I had to do was move all the lines:

AuthBasicProvider district-ldap
AuthType Basic
AuthName "Please Use AD Credentials to Login."
Require valid-user

into a <Directory> tag.

<Directory "/var/www/html">
    AuthBasicProvider district-ldap
    AuthType Basic
    AuthName "Please Use AD Credentials to Login."
    Require valid-user
</Directory>

Now, I’m pretty sure that modifying that means any folders in /var/www/html will be protected by the same AuthBasicProvider (p.s. it does, I just confirmed it), but I don’t really understand the requirement for explicitly defining it. If I wanted all Directories in this VirtualHost to be protected by the same AuthBasicProvider, it should just be a simple declaration in the VirtualHost, right?

As it stands, now I have to explicitly define those protections for each directory that ISN’T in /var/www/html (for example, PHPMyAdmin, which is /usr/share/phpmyadmin, does not get the AuthBasicProvider settings provided by /var/www/html until I explicitly add the lines to that specific Directory declaration).

I can’t seem to find any requests or people asking for VirtualHost declarations of security methods, so I may be way off base here. I’m just curious as to why people wouldn’t want global security for everything set up in the VirtualHost.

Maybe that’s just me though.

Admittedly, it’s simple enough to declare the folders and add the four lines, but it seems… Wasteful.  Thoughts?
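The following configuration is an added example, not part of the original post. It shows the vhost-wide protection the post is asking for: AuthType, AuthName, AuthBasicProvider and Require are all directory-context directives (valid in <Directory>, <Location>, <Files> and .htaccess, but not directly under <VirtualHost> or at server scope), which is the reason for the "not allowed here" error. A <Location "/"> block inside the vhost is still directory context, but it matches by request URL rather than filesystem path, so one block covers /var/www/html and anything served via an Alias such as phpMyAdmin. The alias name, host name and /ssl paths are taken from the post; the /phpmyadmin Alias line is assumed here.

```apache
# Added example (not the original post's config). The four auth directives
# below are only valid in directory context, so they live in a <Location>
# block inside the vhost instead of directly under <VirtualHost>.

<AuthnProviderAlias ldap district-ldap>
    AuthLDAPBindDN "DNOFAUTHORIZEDUSER"
    AuthLDAPBindPassword AUTHORIZEDUSERPASSWORD
    AuthLDAPURL "ldap://district-dc:389/TECHDEPARTMENTOU?sAMAccountName"
</AuthnProviderAlias>

<VirtualHost NixForms:443>
    ServerName NixForms
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateChainFile /ssl/district-bundle
    SSLCertificateFile /ssl/district.cer
    SSLCertificateKeyFile /ssl/district.key

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # phpMyAdmin lives outside DocumentRoot; this Alias is assumed for the
    # example (the Ubuntu package ships its own equivalent).
    Alias /phpmyadmin /usr/share/phpmyadmin

    # One directory-context block keyed on URL space: every request this
    # vhost answers, whatever directory it maps to, requires a valid AD login.
    <Location "/">
        AuthType Basic
        AuthName "Please Use AD Credentials to Login."
        AuthBasicProvider district-ldap
        Require valid-user
    </Location>
</VirtualHost>
```

Two points worth knowing when relying on this: Apache merges <Location> sections after <Directory> sections, so this block also wins over a `Require all granted` that a package drop-in places in a <Directory> for its own path; and the bind DN and password travel in clear text over `ldap://` on 389 unless the connection is wrapped with `ldaps://` or mod_ldap's LDAPTrustedMode. Run `apache2ctl configtest` before reloading to catch a directive in the wrong context.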
