Custom front end for web server authentication (alternative to Apache) - apache

I'm running an Apache web server with basic authentication, as follows:
AuthType Basic
AuthName "Authentication required"
AuthUserFile "/usr/local/apache2/conf/.htpasswd"
Require valid-user
Actually the Authentication/Authorization configuration is a little more complex because I'm querying an LDAP server.
I would like to be able to use a custom web page instead of the traditional pop-up that comes with the 401 that Apache sends to the web browser.
Two questions:
Is Apache capable of doing so? (AFAIK, no);
Which alternative product would be a good option given that I'm running everything inside Docker containers and it has to be able to do LDAP Authentication/Authorization.

You can add custom 401 error page as described in Apache documentation here.
But you should consider using your structure in Location (or some other) structure
ErrorDocument 401 /error/error401.html
<Location />
AuthType Basic
AuthName "Authentication required"
AuthUserFile "/usr/local/apache2/conf/.htpasswd"
Require valid-user
</Location>

Related

BasicAuth with "ldap file" providers doesn't work for users in file

I have a host where authenticated users need to be in a certain ldap group. This worked perfectly. Afterwards I needed an external user that I put locally in a file and this one doesn't work.
When I comment out all the ldap lines that user works, so the file is created correctly and accessible by Apache 2.2, but when I add ldap, everything works for the ldap users but not for the file user.
When I try to log in with the local in file user with a bad password I get the log in pop-up again, as usual, but when I insert the correct credentials I get "Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."
Below is my setup on Apache 2.2:
<Location "/">
Deny from all
AuthType Basic
AuthName "My Auth"
AuthBasicProvider ldap file
AuthLDAPURL LDAP_URL
AuthUserFile "path/to/pass/file"
Require user file_user
Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
Require ldap-user ldap_user_outside_group
Satisfy any
</Location>
You likely need AuthzLDAPAuthoritative to allow the failure to match the ldap-based Require directives to not be fatal. This kind of directive was made obsolete in later releases by internal improvements in 2.4.
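
The answer's suggestion applied to the question's block, next to the Apache 2.4 form it alludes to. This is an added example, not taken from the posts above; `LDAP_URL`, the password file path and the DNs are the question's own placeholders.

```apache
# Use ONE of the two blocks, depending on the server version.

# Apache 2.2: the question's block with the answer's directive added.
<Location "/">
    Deny from all
    AuthType Basic
    AuthName "My Auth"
    AuthBasicProvider ldap file
    AuthLDAPURL LDAP_URL
    AuthUserFile "path/to/pass/file"
    # Let a failed ldap-* match fall through to the other Require lines
    # (here "Require user") instead of ending the request with a 401.
    AuthzLDAPAuthoritative off
    Require user file_user
    Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
    Require ldap-user ldap_user_outside_group
    Satisfy any
</Location>

# Apache 2.4: AuthzLDAPAuthoritative no longer exists. Authorization providers
# are combined with containers, and "Deny from all" / "Satisfy any" are dropped.
<Location "/">
    AuthType Basic
    AuthName "My Auth"
    AuthBasicProvider ldap file
    AuthLDAPURL LDAP_URL
    AuthUserFile "path/to/pass/file"
    <RequireAny>
        Require user file_user
        Require ldap-group cn=LDAP Group,cn=Groups,dc=DC,dc=org
        Require ldap-user ldap_user_outside_group
    </RequireAny>
</Location>
```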

what is key role of redirection HTTP to HTTPS in basic authentication?

I am working with ColdFusion 11 and the Apache web server on Windows hosting. I do not have much knowledge of basic authentication, so I am a little confused about this:
Why does the basic authentication type store the password in a .htpasswd file, so that it is not necessary to store it in a database?
How do I redirect a request from HTTP to HTTPS before the password prompt appears?
The .htaccess file code is working fine: it first authenticates completely and then redirects from HTTP to HTTPS, but I want to switch from HTTP to HTTPS before a password is entered. Here is my httpd.config file virtual host code:
<VirtualHost 112.192.12.16>
DocumentRoot C:/Apache24/htdocs/enovis53
ServerName test.example.com
ErrorLog logs/enovis-inc.com-error_log
CustomLog logs/enovis-inc.com-access_log common
</VirtualHost>
My .htaccess file code:
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
If anybody knows this, then please guide me. I don't know whether this is the right thing to ask the community; all suggestions are acceptable. Thanks in advance.
why does basic authentication type store password in .htpasswd file so not necessary to store database?
This is determined by AuthBasicProvider
Syntax: AuthBasicProvider provider-name [provider-name] ...
Default: AuthBasicProvider file
The AuthBasicProvider directive sets which provider is used to authenticate the users for this location. The default file provider is implemented by the mod_authn_file module.
So in your case, no provider is defined, and the default (file) is applied. If you want another provider, e.g. some db, specify dbm, ldap, ...
how to redirect request HTTP to https before entering in password prompt?
Usually, some directive is applied unconditionally, unless restricted somehow. To have the password requested only when HTTPS is active, you may try to enclose the Auth directives or at least the Require inside an If
<If "%{HTTPS} == 'on'">
AuthName "Example CLMS Production (v5.3.0.0)"
AuthType Basic
AuthUserFile "C:\Apache24\htdocs\enovis53\.htpasswd"
require valid-user
</If>
But now, all content is accessible without password, when requested via http://test.example.com. Don't forget to force https!
Unrelated, but note the security warning from AuthUserFile
Security
Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.

How can I debug htpasswd access?

I have a site hosted on hostgator that I've set up with a directory to use htaccess/htpasswd for authentication. It's working fine but only for a user named test.
Here's the relevant htaccess
<filesMatch "(-priv)">
AuthType Basic
AuthName "Private Area"
AuthUserFile /home/username/public_html/site/test/.htpasswd
Require user test
</filesMatch>
and the htpasswd has 2 users
test:ovCvloB9kYgBQ
admin:RxvCRMqtdryys
I can log in using the test user but if I use any other name authentication fails. I can change the password for the test user and authentication reflects the change. The behavior is consistent across browsers and IPs.
Is there any way to debug this?
And before you say it, I know not to put the .htpasswd file above webroot, this is a test setup.
You have Require user test
Change to Require valid-user

Artifactory behind Apache using basic auth and anonymous browsing

I'm trying to run Artifactory behind an Apache proxy with basic auth. I've done this for a few other webapps (Jira, Jenkins, AnthillOS), but am having a problem with Artifactory. The Apache config proxies /artifactory to the stand-alone Artifactory server, and defines basic auth for the /artifactory path:
<Location "/artifactory">
AuthUserFile /prod/data/apachePasswords
AuthName "My Realm"
AuthGroupFile /dev/null
AuthType Basic
Require valid-user
</Location>
Anonymous browsing is activated in Artifactory.
When I attempt access via a web browser, I first receive the authentication dialog from Apache. After successfully entering those credentials, I'm given another authentication dialog, this one for the "Artifactory Realm". After entering credentials for an Artifactory account, I'm re-presented the first authentication dialog and the cycle continues.
I'd like to get just the first dialog, then go directly to Artifactory for anonymous browsing. If I disable the authentication in Apache, I can anonymously browse Artifactory, but when I enable basic auth in Apache, I get two separate circular authentication dialogs. Any ideas how I can kill that second dialog?
I ran into the same problem this week. The login for the "Artifactory Realm" is the same as the default login for the Artifactory (admin/password). When you login to the "Artifactory Realm" it will log you into the Artifactory gui. I'm using Artifactory 2.6.5
I had the same issue and fixed it by unsetting the authorization header in the Apache proxy. It looks like the Artifactory is getting upset by this authorization header (from the first dialog) and requires a "good" Artifactory password in the second dialog. Here is my config:
<Location / >
AuthType basic
AuthName "Apache authenticate"
AuthUserFile /var/www/repo.domain.com/.htpasswd
AuthGroupFile /dev/null
Require valid-user
RequestHeader unset Authorization
ProxyPass http://repo.company.local:8081/artifactory/repo/
ProxyPassReverse http://repo.company.local:8081/artifactory/repo/
</Location>
To use the unset header feature mod_headers must be enabled.

Apache basic authentication SSL only

I've been given a setup in which Apache runs on Windows, and we have two folders that need basic authentication with .htpasswd.
First, I tested that the authentication worked:
AuthUserFile E:/path-to/.htpasswd
AuthType Basic
AuthName "Secure area"
Require valid-user
This worked nicely, but of course did not send the credentials over SSL. I tried using a RewriteRule to send any requests without HTTPS over to HTTPS in either of those folders, and this requires the user to login twice - once over HTTP and once over HTTPS.
I found tons of people with this issue, and the solution most folks use is like this:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.domain.com"
AuthUserFile E:/path-to/.htpasswd
AuthName "Secure area"
AuthType basic
require valid-user
ErrorDocument 403 https://www.domain.com/secure-area
So I put this into an htaccess inside each of the two secure folders. This requires the user to login once, over HTTPS, as it should, but of course it does not send them to the file they have requested. Rather, it sends them to the root of the folder.
We often direct users to specific files inside these directories, and I just can't find anything that will authenticate them with basic auth over HTTPS when trying to do this. Is this possible on Apache?
Thanks,
Jonathan
If it's for a particular file, you could wrap it in
<files *.php>
</files>
or whatever, see if that makes a difference, as it'll be authenticating for a requested file rather than the directory that file is in?
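
One way to get a single Basic prompt that only ever appears over HTTPS and still lands on the requested file. It applies equally to the earlier test.example.com question about redirecting before the password prompt. This is an added example, not taken from the posts above. Assumptions: Apache 2.4 with mod_ssl and mod_alias loaded, configuration in the main server config rather than .htaccess, and every `PLACEHOLDER` path, including the `secure-area` folder name, is illustrative.

```apache
# Port 80: no content and no Auth* directives, so a 401 challenge is never
# issued over cleartext. Redirect keeps the path and query string, so a deep
# link such as /secure-area/report.pdf arrives at the same file over HTTPS.
<VirtualHost *:80>
    ServerName www.domain.com
    Redirect permanent / https://www.domain.com/
</VirtualHost>

# Port 443: the only place where credentials are requested.
<VirtualHost *:443>
    ServerName www.domain.com
    DocumentRoot "E:/PLACEHOLDER/htdocs"

    SSLEngine on
    SSLCertificateFile    "E:/PLACEHOLDER/conf/server.crt"
    SSLCertificateKeyFile "E:/PLACEHOLDER/conf/server.key"

    <Directory "E:/PLACEHOLDER/htdocs/secure-area">
        AuthType Basic
        AuthName "Secure area"
        AuthBasicProvider file
        # Password file kept outside the document tree so it cannot be fetched.
        AuthUserFile "E:/path-to/.htpasswd"
        Require valid-user
    </Directory>
</VirtualHost>
```

Any Auth* lines left in a .htaccess under the protected folder should be removed once they live in the port 443 virtual host, otherwise the two definitions can drift apart.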