How to configure Virtual Hosts with LDAP and file-based authentication on Apache 2
Hi all folks. Today I'll blog about Apache + SSL + VirtualHost and, on top of all that, I'll describe how to restrict access to the sites with LDAP authentication and password-file authentication.
Install either just the packages that are missing, like this:
[root@webserver01 ~]# yum install httpd openssl mod_ssl mod_ldap
or the whole group:
[root@webserver01 ~]# yum groupinstall "Web Server"
(On releases where mod_ldap and mod_authnz_ldap are built into the httpd package itself there is no separate mod_ldap package; yum will just say so and nothing else is needed.)
An overview of the directives used below:
Options FollowSymLinks allows the web server to follow symbolic links under the directory. When users can create links under DocumentRoot, SymLinksIfOwnerMatch is the safer choice: it follows a link only if link and target belong to the same owner.
AllowOverride controls which directives a .htaccess file in that directory may set: None disables .htaccess entirely, AuthConfig allows only the authentication directives (AuthType, AuthName, AuthUserFile, Require, ...), and All allows everything. Grant the narrowest value that does the job.
Order, Allow and Deny (mod_authz_host in Apache 2.2) do host-based access control; Order sets the sequence in which the Allow and Deny lines are evaluated.
Include pulls another configuration file into httpd.conf. If you want ssl.conf read from httpd.conf, just use Include conf.d/ssl.conf; the stock httpd.conf already contains Include conf.d/*.conf.
DirectoryIndex is an ordered list of files (index.php, index.html, ...) that is served when a request names a directory: from then on, whenever a request hits a directory that contains one of them, it is loaded. (IndexOptions is a different directive; it only changes the look of automatically generated directory listings.)
ServerName is the hostname (and optionally port) the server identifies itself with. With name-based virtual hosts it is matched against the Host header of the request to select the VirtualHost; with IP-based hosts the address does the selecting.
ServerAdmin is the contact e-mail address shown on error pages.
DocumentRoot is the directory the files are served from.
AddType maps a file extension to a MIME type.
KeepAlive allows more than one request per TCP connection. Apache's built-in default is On, but the httpd.conf shipped with RHEL/CentOS sets it to Off.
Review /etc/hosts; it needs to look like this. I'll set it up with host entries instead of a DNS service (it could have been done with DNS from the beginning, but don't be angry, I'll post something similar using bind later):
192.168.1.3 webserver01 www.test1.com www.test2.com
Keep in mind that name-based virtual hosts are chosen by the Host header the client sends, so this entry only helps requests made from the server itself or from machines with the same entry. Any other client needs its own hosts entry or a DNS record; otherwise its request lands on the first VirtualHost defined.
Let's create the directories involved.
[root@webserver01 ~]# mkdir /var/www/html/test1
[root@webserver01 ~]# mkdir /var/www/html/test2
Let's set it up.
1. Since the stock httpd.conf contains Include conf.d/*.conf, I can create a separate file called test1.conf. You can certainly put this into httpd.conf instead, but one file per site gets the work done faster and makes troubleshooting easier: the better it is organised, the faster I fix the issues that come up.
vi /etc/httpd/conf.d/test1.conf
<Directory /var/www/html/test1>
    AuthType Basic
    AuthName "Authentication for test1"
    AuthUserFile /etc/test.pwd
    Require user test
</Directory>
AuthType, AuthName, AuthUserFile and Require are only valid inside a <Directory> or <Location> container (or a .htaccess file), so in a conf.d file they have to be wrapped as above.
You can also do it another way.
An entry like this has to go into httpd.conf (AuthConfig is enough here; All would let the .htaccess override far more than the authentication directives):
<Directory /var/www/html/test1>
    AllowOverride AuthConfig
</Directory>
- Create .htaccess in /var/www/html/test1
----------------------------------
#.htaccess
AuthType Basic
AuthName "Authentication for Test1"
AuthUserFile /etc/test.pwd
Require user test
-----------------------------------------------
Create /etc/test.pwd by running:
htpasswd -c /etc/test.pwd test
-c creates the file and silently overwrites an existing one, so leave it out when adding further users. Keep the file outside DocumentRoot, as here, and make it readable only by root and the apache user (owner root, group apache, mode 640); a world-readable password file hands its hashes to every local account. Basic authentication sends the password base64-encoded, not encrypted, with every request, so expose these directories only through the SSL virtual hosts described further down.
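As an added example (not part of the original post), the following POSIX shell script audits an htpasswd file such as /etc/test.pwd and reports the hash scheme of every entry, so leftovers written with htpasswd -d (crypt), -s (unsalted SHA-1) or -p (plaintext) stand out before the file goes live. The sample file it writes is constructed for the demo; its hash strings are placeholders in the right format for each scheme, not hashes of any real password.

```shell
#!/bin/sh
# Added example (not from the original post): audit an htpasswd file and report
# the hash scheme of every entry. Only POSIX sh, grep and mktemp are used.

# Classify one htpasswd hash. Schemes htpasswd can write:
#   $apr1$  salted MD5 (-m, the default on RHEL)        -> apr1
#   $2y$    bcrypt (-B, httpd 2.4.4 and later)          -> bcrypt
#   {SHA}   unsalted SHA-1 (-s)                         -> sha1
#   13 chars of [A-Za-z0-9./]  traditional crypt (-d)   -> crypt
#   anything else is taken to be cleartext (-p)         -> plain
# The crypt test is a heuristic on the length and alphabet of the string.
hash_scheme() {
    case "$1" in
        '$apr1$'*)                 echo apr1 ;;
        '$2y$'*|'$2a$'*|'$2b$'*)   echo bcrypt ;;
        '{SHA}'*)                  echo sha1 ;;
        *)
            if printf '%s' "$1" | grep -Eq '^[A-Za-z0-9./]{13}$'; then
                echo crypt
            else
                echo plain
            fi ;;
    esac
}

# Print "user<TAB>scheme<TAB>OK|WEAK" for every entry and return 1 when at
# least one entry is weak. apr1 and bcrypt are the only acceptable schemes:
# crypt truncates passwords to 8 characters and is brute-forced in minutes,
# {SHA} is unsalted, and plaintext needs no cracking at all.
audit_htpasswd() {
    rc=0
    while IFS=: read -r user hash; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            apr1|bcrypt) status=OK ;;
            *)           status=WEAK; rc=1 ;;
        esac
        printf '%s\t%s\t%s\n' "$user" "$scheme" "$status"
    done < "$1"
    return $rc
}

# Constructed sample file for the demo. The hash strings are placeholders in
# the right format for each scheme, not hashes of any real password.
write_sample_htpasswd() {
    cat > "$1" <<'EOF'
test:$apr1$k5Tm9zQb$QW4vE7J2Yx3Ln8cPz1Rb0.
alice:$2y$05$abcdefghijklmnopqrstuuQ2VmZ5TnF0eWJkd3FpbWt6c3V6cG1hc
legacy:abJnggxhB/yWI
bob:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
eve:password123
EOF
}

# Demo: write the sample to a temp file, audit it, clean up.
sample=$(mktemp)
write_sample_htpasswd "$sample"
audit_htpasswd "$sample" || echo "weak entries found, fix them before deploying"
rm -f "$sample"
```

Run it against the real file with audit_htpasswd /etc/test.pwd; any WEAK line is a user whose password should be reset with htpasswd -m (or -B on a 2.4 server), which rewrites just that entry.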
———————————–
LDAP-based authentication
-----------------------------------
Put this entry into httpd.conf (mod_ldap and mod_authnz_ldap must be loaded; the RHEL httpd.conf ships the LoadModule lines for both):
<Directory /var/www/html/test2>
    AllowOverride AuthConfig
</Directory>
Create .htaccess in /var/www/html/test2 like this:
AuthType Basic
AuthBasicProvider ldap
AuthName "LDAP authentication for test2"
AuthBasicAuthoritative off
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://192.168.1.2/ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com?uid?sub"
Require ldap-user juan
AuthLDAPURL: the module searches the base DN (ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com) with scope sub for uid=<username>, then binds to the directory as the DN it found, using the password the browser sent. That bind succeeding is what authenticates the user.
AuthBasicAuthoritative: when set to Off, a user the LDAP provider cannot find (or a rule that does not match) is passed on to lower-level authentication modules instead of being rejected. With a single provider it changes nothing, and the default On is the fail-closed choice.
AuthzLDAPAuthoritative: when set to Off, a failed Require ldap-user (or ldap-group, ldap-dn, ...) check is handed to other authorization modules instead of ending in 401; with On (the default) mod_authnz_ldap's decision is final. Since the only requirement here is ldap-user juan, leave both at On unless you are deliberately chaining a second provider.
Note the URL scheme: with ldap:// the search and the user's bind password cross the network in clear text between the web server and 192.168.1.2. Use ldaps:// (port 636) or LDAPTrustedMode TLS (STARTTLS) and point LDAPTrustedGlobalCert at the directory's CA certificate so the connection is encrypted and the directory is verified.
If you aren't familiar with LDAP, I advise you to read a post on my blog that describes it in a bit more detail: https://ibroughtthe.wordpress.com/2010/03/01/step-by-step-how-to-configure-a-ldap-directory-service/
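To see what mod_authnz_ldap actually does with that AuthLDAPURL, here is an added shell example (not from the original post) that parses the URL the way the module does, builds the search filter for a given user name with the escaping the module applies to the browser-supplied name, and prints the equivalent ldapsearch commands, which are the fastest way to debug "user not found" from the web server's side. The script itself runs offline; ldapsearch (OpenLDAP client tools) is only needed to run the printed commands. The second URL in the test (ldaps://ldap.example.com with sAMAccountName) is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): parse an AuthLDAPURL the way
# mod_authnz_ldap does and print the equivalent ldapsearch commands.
# Runs offline with POSIX sh and sed.

# Split $REST at its first '?' into $FIELD (head) and $REST (tail).
pop_field() {
    FIELD=${REST%%\?*}
    if [ "$FIELD" = "$REST" ]; then REST=''; else REST=${REST#*\?}; fi
}

# Parse scheme://host[:port]/basedn?attribute?scope?filter into LDAP_SCHEME,
# LDAP_HOST, LDAP_BASE, LDAP_ATTR, LDAP_SCOPE and LDAP_FILTER, applying the
# module's defaults: attribute uid, scope sub, filter (objectclass=*), and a
# scope of base treated as sub. (%XX URL escapes are not decoded here.)
ldap_url_parse() {
    case "$1" in
        ldap://*|ldaps://*) ;;
        *) printf 'not an LDAP URL: %s\n' "$1" >&2; return 1 ;;
    esac
    LDAP_SCHEME=${1%%://*}
    REST=${1#*://}
    LDAP_HOST=${REST%%/*}
    if [ "$LDAP_HOST" = "$REST" ]; then REST=''; else REST=${REST#*/}; fi
    pop_field; LDAP_BASE=$FIELD
    pop_field; LDAP_ATTR=${FIELD:-uid}
    pop_field; LDAP_SCOPE=${FIELD:-sub}
    pop_field; LDAP_FILTER=$FIELD
    [ -n "$LDAP_FILTER" ] || LDAP_FILTER='objectclass=*'
    # the module strips and re-adds the outer parentheses; normalise to one pair
    case "$LDAP_FILTER" in '('*) ;; *) LDAP_FILTER="($LDAP_FILTER)" ;; esac
    [ "$LDAP_SCOPE" != base ] || LDAP_SCOPE=sub
}

# Escape the characters a filter value may not contain raw (backslash first),
# as the module does before splicing the user name into the search filter, so
# a name like "*)(uid=*" cannot widen the search.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The search filter the module sends for one user (call ldap_url_parse first).
ldap_user_filter() {
    printf '(&%s(%s=%s))' "$LDAP_FILTER" "$LDAP_ATTR" "$(ldap_filter_escape "$1")"
}

# Print the two ldapsearch invocations that mirror the module's two steps:
# 1. search (anonymously, or as AuthLDAPBindDN if configured) for the user's DN,
# 2. bind as that DN with the user's own password, which is the real test.
ldapsearch_cmds() {
    ldap_url_parse "$1" || return 1
    printf 'ldapsearch -x -H %s://%s -b "%s" -s %s "%s" dn\n' \
        "$LDAP_SCHEME" "$LDAP_HOST" "$LDAP_BASE" "$LDAP_SCOPE" "$(ldap_user_filter "$2")"
    printf 'ldapsearch -x -H %s://%s -D "<dn from step 1>" -W -b "<dn from step 1>" -s base\n' \
        "$LDAP_SCHEME" "$LDAP_HOST"
}

# Demo with the URL from the .htaccess above and the user it requires.
ldapsearch_cmds 'ldap://192.168.1.2/ou=People,ou=madrid,ou=es,dc=queirozpacheco,dc=com?uid?sub' juan
```

If the first command returns no DN, the base, scope or attribute in the URL is wrong (or the directory refuses anonymous searches and you need AuthLDAPBindDN/AuthLDAPBindPassword); if the second one fails with invalid credentials, the web server is fine and the problem is the user's password.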
Virtual Hosts:
------------------
Edit httpd.conf and add these entries at the end. The asterisk in NameVirtualHost *:80 and <VirtualHost *:80> makes the hosts name-based: Apache picks the block whose ServerName (or ServerAlias) matches the Host header, and the first block is the default for requests that match none. CustomLog needs a log format as its second argument, so the combined format is used here.
NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin bla@test1.com
    ServerName www.test1.com
    DocumentRoot /var/www/html/test1
    CustomLog logs/test1_access_log combined
    ErrorLog logs/test1_error_log
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin bla@test2.com
    ServerName www.test2.com
    DocumentRoot /var/www/html/test2
    CustomLog logs/test2_access_log combined
    ErrorLog logs/test2_error_log
</VirtualHost>
*************************
SSL support
Edit /etc/httpd/conf.d/ssl.conf. The file ships one <VirtualHost _default_:443> block; turn it into two name-based blocks preceded by NameVirtualHost *:443. Two name-based SSL hosts on one address need SNI (httpd 2.2.12 or later built against OpenSSL 0.9.8j or later), because the certificate has to be chosen before the Host header can be read; older builds always serve the first block's certificate. The stock lines (SSLProtocol all -SSLv2 and SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW) still allow SSLv3, prefer RC4 and admit LOW-grade ciphers; they are replaced below, and SSLHonorCipherOrder makes the server's preference win over the client's.
NameVirtualHost *:443
<VirtualHost *:443>
    DocumentRoot "/var/www/html/test1"
    ServerName www.test1.com:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLOptions +StdEnvVars
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
It's just a question of copying the block already in the file and changing the properties like this:
<VirtualHost *:443>
    DocumentRoot "/var/www/html/test2"
    ServerName www.test2.com:443
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    SSLOptions +StdEnvVars
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
localhost.crt is the self-signed certificate generated when mod_ssl was installed; its subject is the machine's own hostname, so browsers will warn that it matches neither www.test1.com nor www.test2.com. For real use give each host a certificate issued for its name (or one certificate carrying both names as subjectAltName), point SSLCertificateFile and SSLCertificateKeyFile at it, and keep the key file readable by root only.
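As an added check, not from the original post, here is a shell script that reads an ssl.conf and flags the three things worth catching in the blocks above: an SSLProtocol that still admits SSLv2 or SSLv3, an SSLCipherSuite that enables RC4, LOW/EXPORT, NULL or anonymous suites, and a missing SSLHonorCipherOrder on. It writes two constructed sample files, one with the stock lines the tutorial started from and one with the hardened lines, and audits both. It needs only POSIX sh, tr and mktemp.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS settings in an
# ssl.conf. Directive names are case-insensitive in Apache, so they are
# lower-cased before matching; protocol and cipher tokens are compared the
# way mod_ssl and OpenSSL spell them.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# True when an SSLProtocol value still enables SSLv2 or SSLv3: "all" switches
# every protocol on, "-X" switches X off again, and a list without "all"
# enables only the protocols named.
ssl_protocol_is_weak() {
    v2=0; v3=0
    for tok in $1; do
        case "$(lc "$tok")" in
            all|+all)     v2=1; v3=1 ;;
            sslv2|+sslv2) v2=1 ;;
            -sslv2)       v2=0 ;;
            sslv3|+sslv3) v3=1 ;;
            -sslv3)       v3=0 ;;
        esac
    done
    [ "$v2" -eq 1 ] || [ "$v3" -eq 1 ]
}

# True (printing one WEAK line per finding) when an SSLCipherSuite string
# admits RC4, LOW/EXPORT grade, NULL, anonymous or MD5-based suites. Tokens
# starting with '!' are exclusions and fine; ALL/DEFAULT are only fine next to
# !aNULL, because ALL includes anonymous key exchange and !ADH alone leaves
# anonymous ECDH in.
ssl_ciphers_are_weak() {
    found=0; anull_excluded=0
    oldifs=$IFS; IFS=:
    for tok in $1; do
        case "$tok" in '!aNULL') anull_excluded=1 ;; esac
    done
    for tok in $1; do
        case "$tok" in '!'*) continue ;; esac
        t=${tok#+}
        case "$t" in
            ALL|DEFAULT|COMPLEMENTOFDEFAULT)
                if [ "$anull_excluded" -eq 0 ]; then
                    printf 'WEAK  SSLCipherSuite %s without !aNULL permits anonymous suites\n' "$t"
                    found=1
                fi ;;
            *RC4*|*LOW*|*EXP*|*NULL*|*ADH*|*MD5*)
                printf 'WEAK  SSLCipherSuite token %s enables a deprecated cipher class\n' "$tok"
                found=1 ;;
        esac
    done
    IFS=$oldifs
    [ "$found" -eq 1 ]
}

# Read a config file, check every SSLProtocol and SSLCipherSuite line, and
# insist on SSLHonorCipherOrder on. Returns 1 when anything was flagged.
audit_ssl_conf() {
    file=$1; rc=0; honor=0
    set -f                                   # no globbing of "*:443" and friends
    while IFS= read -r line; do
        set -- $line
        [ $# -gt 0 ] || continue
        case "$1" in '#'*) continue ;; esac
        directive=$(lc "$1"); shift
        value=$*
        case "$directive" in
            sslprotocol)
                if ssl_protocol_is_weak "$value"; then
                    printf 'WEAK  SSLProtocol %s leaves SSLv2 or SSLv3 enabled\n' "$value"; rc=1
                fi ;;
            sslciphersuite)
                if ssl_ciphers_are_weak "$value"; then rc=1; fi ;;
            sslhonorcipherorder)
                if [ "$(lc "$value")" = on ]; then honor=1; fi ;;
        esac
    done < "$file"
    set +f
    if [ "$honor" -eq 0 ]; then
        printf 'WEAK  SSLHonorCipherOrder on is missing, so the client picks the cipher\n'; rc=1
    fi
    return $rc
}

# Constructed samples: "weak" carries the stock lines the tutorial started
# from, "hardened" the replacement lines used in the virtual hosts above.
write_sample_ssl_conf() {
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName www.test1.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
EOF
    else
        cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName www.test1.com:443
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW
    SSLHonorCipherOrder on
</VirtualHost>
EOF
    fi
}

# Demo: audit the stock lines, then the hardened ones.
stock_f=$(mktemp); hard_f=$(mktemp)
write_sample_ssl_conf "$stock_f" weak
write_sample_ssl_conf "$hard_f" hardened
echo "== stock lines =="; audit_ssl_conf "$stock_f" || echo "=> fix before enabling"
echo "== hardened lines =="; audit_ssl_conf "$hard_f" && echo "=> no findings"
rm -f "$stock_f" "$hard_f"
```

Run audit_ssl_conf /etc/httpd/conf.d/ssl.conf after every edit; the check is a static read of the file, so pair it with a real handshake test (openssl s_client against each host) once the server has been reloaded.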
To make sure the syntax is OK, type:
httpd -t
and to see how the virtual hosts were parsed (which block is the default for each address:port and whether the name-based ones were recognised):
httpd -S
Both commands only read the configuration; the running server picks the changes up after a restart or a graceful reload (apachectl graceful).
That's all. Cheers.