Apache Web Server Topics

SSL Certificate - Web Authentication

Make a self-signed certificate and key for an HTTPS web site

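All in one step. Use an RSA key of at least 2048 bits; shorter keys are no longer considered adequate. The -nodes option writes the private key unencrypted so that Apache can start without a passphrase, so keep the key file readable by root only.

cd /etc/httpd/conf
openssl req -new -newkey rsa:2048 -keyout 2008.key -nodes -x509 -days 965 -out 2008.crt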

For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Virginia
Locality Name (eg, city) []:Charlottesville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Virginia
Organizational Unit Name (eg, section) []:XXX Department
Common Name (eg, your name or your server's hostname) []: server.dept.virginia.edu
Email Address []:zzxxss@virginia.edu
[root@xxxx conf]#

Edit Apache config files

Then go to /etc/httpd/conf.d and edit two lines in the file ssl.conf:

SSLCertificateFile        /etc/httpd/conf/2008.crt
SSLCertificateKeyFile     /etc/httpd/conf/2008.key

Then edit the following section in the same file to turn on the HTTPS server:

##
## SSL Virtual Host Context
##

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/home/www/secure"

Then restart the web server with:

/etc/rc.d/init.d/httpd restart
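
The checks below are an added example, not part of the original page: a shell script that creates a pair non-interactively with the same openssl req options and verifies key size, key-file permissions, certificate/key match and remaining validity before Apache is restarted with it. The function names, the -subj values and the scratch file names (server.key, server.crt) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, subject fields
# and the scratch directory are assumptions made for illustration.

make_pair() {     # make_pair DIR BITS CN: the one-step command, non-interactive
    ( umask 077   # -nodes leaves the key unencrypted, so create it owner-only
      openssl req -new -newkey "rsa:$2" -nodes -x509 -days 965 \
          -subj "/C=US/ST=Virginia/O=Example Dept/CN=$3" \
          -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null )
}

key_bits() {      # print the size in bits of the certificate's public key
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

pair_matches() {  # true only if CRT ($1) carries the public half of KEY ($2)
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

key_is_private() { # true if group and other have no access to the key file
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

check_pair() {    # check_pair CRT KEY: print each problem, fail if any found
    rc=0
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "weak key: ${bits:-unknown} bits"; rc=1; }
    pair_matches "$1" "$2" || { echo "certificate does not match key"; rc=1; }
    key_is_private "$2" || { echo "key file is readable by group or other"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "certificate expires within 30 days"; rc=1; }
    return $rc
}

# Constructed demo in a scratch directory: the 2048-bit pair passes,
# the 1024-bit pair is reported as weak.
tmp=$(mktemp -d)
mkdir "$tmp/ok" "$tmp/weak"
make_pair "$tmp/ok" 2048 server.example.edu
make_pair "$tmp/weak" 1024 server.example.edu
check_pair "$tmp/ok/server.crt" "$tmp/ok/server.key" && echo "2048-bit pair: passed"
check_pair "$tmp/weak/server.crt" "$tmp/weak/server.key" || echo "1024-bit pair: rejected"
rm -rf "$tmp"
```

To check a real pair, call check_pair with the paths given in SSLCertificateFile and SSLCertificateKeyFile.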

Four Methods of Web Authentication

  1. .htaccess file with password file

    AuthName TEST
    AuthUserFile /home/xxxx/.htpasswd
    AuthGroupFile /dev/null
    AuthType Basic
    order deny,allow
    deny from all
    require valid-user
    satisfy any

    The web server makes the username ($_SERVER["REMOTE_USER"] and $_SERVER["PHP_AUTH_USER"]) and the password ($_SERVER["PHP_AUTH_PW"]) available to PHP in the $_SERVER array. Basic authentication sends the username and password with every request in an easily decoded form, so serve these pages from the HTTPS site.

    ITC has a tutorial page for htaccess control.

  2. PHP Header() Challenge and MySQL Database

    Generate a header with PHP that makes the browser prompt for a username and password. Both are passed to PHP. The username and password can be used to authenticate the user with MySQL. They are stored in

    $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

    See the chapter in the PHP manual titled "HTTP authentication with PHP". You must exit all copies of the browser to log out.

  3. NetBadge with CMS Userid/Password

    ITC authenticates you but only passes the username to your web application in the variable $_SERVER['REMOTE_USER']. For security reasons, the password is not available to the web developer for MySQL authentication. You must exit all copies of the browser to log out.

    Use this .htaccess file to manage authentication:

    AuthType NetBadge
    PubcookieAppId AppID
    require user user1 user2 user3...

    Read about ITC's implementation.

  4. Authentication via PHP and MySQL

    Use an HTML form to collect the username and password. Use the PHP session manager routines to store the username and password from page to page. The developer decides how to store them in the $_SESSION array. This type of login allows you to log out without exiting your browser. You log out by "unsetting" the variable in the $_SESSION array. The username and password can be used to authenticate the user with MySQL.

Change Passwords

In methods 2 and 4, you store the password in the MySQL user table. These methods can allow users to change their password. From within MySQL, you must grant each user update rights on the user table from the web server with this command:

grant update (password) on mysql.user to user_id@web.server.virginia.edu;

To change the password, create a web form that prompts for the old password (once) and the new password (twice), and pass the input to a handler program that makes sure the new password is typed the same way both times and then issues the set password command to MySQL. Escape the submitted password before placing it in the statement so that quote characters in it cannot alter the SQL.

set password for user_id@xxxxx.yyy.virginia.edu = password("newpassword");