LDAP Integration: the Apache Chapter

Original link: https://lisz.me/tech/webmaster/ldap-apache.html

Foreword

Apache

Apache HTTP Server, one of today's most popular HTTP servers, holds close to half the market. Compared with the well-known Nginx (now acquired by F1) and Microsoft's IIS, Apache has better modular support, both for server-side programming languages and for authentication schemes. It supports common server-side languages such as Perl, Python and PHP, and authentication methods such as Basic authentication, LDAP authentication and OAuth 2.0. In particular, the LAMP (Linux + Apache + MySQL + PHP) stack has become the first choice for virtual hosting, although ASP virtual hosting environments also exist.

Apache and Blog Development

In the early days of blogging, most blogs were simple static pages. As server-side languages developed, open source blog programs based on ASP.NET or PHP appeared; the most popular of them, WordPress, is written in PHP. When I first started learning about blogging, I also used WordPress on a PHP virtual host to build my own blog. For quite some time a PHP or ASP stack was arguably the best solution for a blog or website. However, with the rise of cloud services, serverless computing and Git, Git-centric continuous integration and continuous deployment have increasingly become the first choice for building personal static blogs. This reflects the changing course of blog development: static blog → dynamic blog → static blog.

Static site deployment methods such as GitHub Pages, GitLab Pages, Netlify, Vercel and Cloudflare Pages are more and more popular. Most large companies' documentation has now moved to this model, for example Azure's official documentation, Cloudflare's official documentation and Tencent Cloud's official documentation. This approach not only supports rapid iteration in development, but also invites the public to contribute to and correct the documentation, which keeps making it better; this is really the idea of "open source". So has Apache become less useful for static websites? Of course not. The authentication, logging, rewrite and proxy modules that Apache provides are just as important for static websites.

A Clever Use of Apache for Documentation

Most development documentation today is written and deployed with Git + Markdown + SSG (Static Site Generator). Documentation inside a team, however, often needs access restrictions and access records: even for shared files, it is desirable to know who downloaded them and when. Approached from back-end programming, you might develop a system that implements authentication, access records, download records and statistics. Even then, this becomes awkward when several documentation sets need to be integrated together, so the cost is considerable while the benefits are not very obvious. For this requirement there is a simpler solution based on Apache, shown in the following figure:

(Figure: solution based on Apache)

As shown in the figure above, the Apache-based solution mainly includes the following three points:

  1. Leverage Apache to integrate with LDAP or other user systems to verify permissions;
  2. Use Apache’s log function to record all authentication actions and user behavior;
  3. Utilize Apache’s rewrite module and proxy module to centralize all documentation under different subdirectories of a domain name.

Practice

To implement the Apache-based documentation solution described above as simply as possible, a Docker image is used here.

Environment preparation

  • Docker environment (Linux or Mac recommended)
  • docker-compose tool installed

Configuration file preparation

To build your own Docker image, place the following three configuration files in the conf subdirectory. If you use the zhonger/ldap-apache image built by the author (see below) directly, you can skip this step.

LDAP Authentication Definition

 # ldap-demo.conf
 <AuthnProviderAlias ldap demo>
     AuthLDAPBindDN ${LDAP_BindDN}
     AuthLDAPBindPassword ${LDAP_BindPass}
     AuthLDAPURL ${LDAP_URL}
     Require ldap-group ${LDAP_BindGroup}
 </AuthnProviderAlias>

Activate LDAP authentication

 # .htaccess
 AuthBasicProvider demo
 AuthType Basic
 AuthName "Protected Area"
 Require valid-user

Replace the Apache configuration file

 # apache2.conf
 DefaultRuntimeDir ${APACHE_RUN_DIR}
 PidFile ${APACHE_PID_FILE}
 Timeout 300
 KeepAlive On
 MaxKeepAliveRequests 100
 KeepAliveTimeout 5
 User ${APACHE_RUN_USER}
 Group ${APACHE_RUN_GROUP}
 HostnameLookups Off
 ErrorLog ${APACHE_LOG_DIR}/error.log
 LogLevel warn

 # Include module configuration:
 IncludeOptional mods-enabled/*.load
 IncludeOptional mods-enabled/*.conf

 # Include list of ports to listen on
 Include ports.conf

 <Directory />
     Options FollowSymLinks
     AllowOverride None
     Require all denied
 </Directory>

 <Directory /usr/share>
     AllowOverride None
     Require all granted
 </Directory>

 <Directory /var/www/>
     Options Indexes FollowSymLinks
     AllowOverride All
     Require all granted
 </Directory>

 AccessFileName .htaccess

 <FilesMatch "^\.ht">
     Require all denied
 </FilesMatch>

 LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
 LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %O" common
 LogFormat "%{Referer}i -> %U" referer
 LogFormat "%{User-agent}i" agent

 IncludeOptional conf-enabled/*.conf
 IncludeOptional sites-enabled/*.conf

Apache subdirectory settings

As mentioned earlier, when multiple documentation sets exist as separate Git projects, their compiled static files are also stored or deployed separately. Two forms of subdirectory are covered here: Alias and Proxy.

Directory alias

The directory alias is relatively simple; the following configuration implements each documentation directory in the scheme diagram:

 ...
 Alias "/dvm/" "/var/www/dvm/"
 Alias "/ds3/" "/var/www/ds3/"
 Alias "/dgit/" "/var/www/dgit/"
 Alias "/dml/" "/var/www/dml/"
 Alias "/dnc/" "/var/www/dnc/"
 ...
 <Directory /var/www/>
 ...

Since the image built below still uses the apache2.conf shown above, it does not contain these alias settings. If you need them, add the alias settings to a new apache2.conf file at the position shown above, and mount that file into the container as shown in the following docker-compose.yml fragment for them to take effect.

 ...
 volumes:
   - ./data:/var/www/
   - ./logs:/var/log/apache2/
   - /etc/localtime:/etc/localtime
   - ./apache2.conf:/etc/apache2/apache2.conf
 ...

Proxy

The Dockerfile used below to build the image pre-enables the proxy module. Since HTTPS sites may be proxied, the HTTP proxy module (proxy_http) and the SSL module are also pre-enabled. In addition, to proxy HTTPS sites you must turn on SSLProxyEngine as shown below; otherwise only HTTP proxying works. The second line of the proxy configuration takes the form "ProxyPass + subdirectory + proxied URL".

Hint

Note that the proxy configuration should be placed before the directory configuration.

 ...
 SSLProxyEngine On
 ProxyPass /foo https://foo.example.com
 ...
 <Directory /var/www/>
 ...

Build the image

Building a Docker image actually does a few things:

  • Copy the three configuration files into the container image
  • Enable LDAP authentication module
  • Prepare log directory and default log file

 # Dockerfile
 FROM php:7-apache
 LABEL maintainer="zhonger [email protected]"

 # Enable ldap for apache2
 COPY conf/ldap-demo.conf /etc/apache2/conf-available/ldap-demo.conf
 RUN a2enmod authnz_ldap proxy proxy_http ssl && \
     ln -s /etc/apache2/conf-available/ldap-demo.conf /etc/apache2/conf-enabled/ldap-demo.conf
 COPY conf/.htaccess /var/www/html/
 COPY conf/apache2.conf /etc/apache2/apache2.conf

 # Save logs for apache
 RUN rm /var/log/apache2/* && \
     cd /var/log/apache2/ && \
     touch access.log error.log

 # Remove cache
 RUN rm -rf /var/lib/apt/lists/*

 EXPOSE 80

When the configuration files and the Dockerfile above are ready, run docker build . -t zhonger/ldap-apache to build the Docker image.

Run and verify

After the Docker image has been built successfully, create a new docker-compose.yml file and run docker-compose up -d to start an instance.

 # docker-compose.yml
 version: '2'
 services:
   apache:
     image: zhonger/ldap-apache:latest
     volumes:
       - ./data:/var/www/
       - ./logs:/var/log/apache2/
       - /etc/localtime:/etc/localtime
     environment:
       LDAP_URL: "ldap://ldap.example.com/ou=users,dc=example,dc=com?uid"
       LDAP_BindDN: "cn=admin,dc=example,dc=com"
       LDAP_BindPass: "xxxxxxxxxx"
       LDAP_BindGroup: "ou=people,dc=example,dc=com"
       APACHE_LOG_DIR: "/var/log/apache2"
     ports:
       - "80:80"
     restart: always

Verify page

To verify that LDAP authentication works, a simple PHP file, /var/www/html/p.php, is used here. With no .htaccess file in place it can be accessed without any authentication. Once the .htaccess file is placed in the /var/www/html directory, the browser shows the login prompt below on the next visit, and after a user name and password accepted by LDAP are entered correctly, the browser again displays the page it showed before.

 <?php
 // p.php: phpinfo() prints the page itself, so it is called without echo
 phpinfo();

(Figure: the normal page content before .htaccess is placed, and the "Auth Required" login prompt after it is placed)

Verify the log

Looking at Apache's access log file access.log, you can see the following. The first line is the normal access record before LDAP authentication is set up, the second line is the record that prompts the browser to log in after LDAP authentication is set up, and the third line is the record containing the login user name after a successful login (for privacy, the user name is masked in the figure below).

(Figure: access log file)
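To show what point 2 of the solution (recording every authentication action) gives you in practice, here is an added example that is not part of the original article: it parses lines in the combined LogFormat declared in the apache2.conf above and tallies anonymous requests, login challenges, rejected attempts and authenticated users. The log lines are constructed samples in the shape of the three records described, not the author's screenshot.

```python
import re
from collections import Counter

# Pattern for the "combined" LogFormat declared in apache2.conf:
#   %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample lines (not the article's screenshot) for /p.php: anonymous
# access, the login challenge, a successful login, and a rejected attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /p.php HTTP/1.1" 200 54321 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /p.php HTTP/1.1" 401 814 "-" "curl/8.0"
203.0.113.7 - alice [01/Jan/2024:10:01:05 +0000] "GET /p.php HTTP/1.1" 200 54321 "-" "curl/8.0"
203.0.113.7 - bob [01/Jan/2024:10:02:03 +0000] "GET /p.php HTTP/1.1" 401 814 "-" "curl/8.0"
"""

def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %u is "-" when no credentials were presented (anonymous access or first challenge).
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec

def summarize_auth(log_text):
    """Tally anonymous requests, bare 401 challenges, rejected and successful logins."""
    summary = {"anonymous": 0, "challenged": 0, "failed": Counter(),
               "authenticated": Counter(), "unparsed": 0}
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            summary["unparsed"] += 1
        elif rec["status"] == 401:
            # On a 401, %u is the name the client tried, not a verified user.
            if rec["user"] is None:
                summary["challenged"] += 1
            else:
                summary["failed"][rec["user"]] += 1
        elif rec["user"] is None:
            summary["anonymous"] += 1
        else:
            summary["authenticated"][rec["user"]] += 1
    return summary
```

Running summarize_auth over the mounted ./logs/access.log gives a per-user view of who authenticated and which names were rejected, which is the access record the documentation solution set out to provide.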

Verify the directory alias

To verify the directory alias, a new directory /var/www/dvm is created with an index.html file whose content is "dvm". After the alias configuration described above is applied, visiting the path in the browser shows the following, confirming that the alias works.

(Figure: directory alias)

Verify the proxy

To verify the proxy, the Baidu homepage is proxied here directly (although this is not a good example). As shown below, the Baidu homepage content is displayed normally.

(Figure: proxy)

References

This article is reprinted from: https://lisz.me/tech/webmaster/ldap-apache.html
This site is for inclusion only, and the copyright belongs to the original author.
