Apache Authorization for the Allowed Users

apache-httpd, authentication, authorization

I have read the answer to this question:

https://stackoverflow.com/questions/4102763/apache-basic-authentication-except-for-those-allowed

It helped me understand how to not authenticate some users (according to the IP):

<Directory /var/www/files/>
    # Apache 2.2 syntax (mod_authz_host + Satisfy). Either a valid user OR a
    # client address matched by Allow is enough to get in.
    Require valid-user
    # Order Deny,Allow allows by default, so without "Deny from all" every host
    # would pass the address check and Satisfy Any would skip authentication for
    # everyone. Deny everything first, then allow only the exempt address.
    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.2
    Satisfy Any
    AuthUserFile /etc/apache2/basic.pwd
    AuthName "Please enter username and password"
    AuthType Basic
</Directory>

Imagine I have this DB (Different from the DB used for authentication):

User        IP 
Mark        192.168.1.2
Mike        192.168.1.3
Karl        192.168.1.4

1- Can I allow all the IP addresses stored in the DB using an Apache configuration? I don't want a static solution (the DB changes dynamically).

2- Another problem is that the authorization of the allowed IP is lost. Can Apache use this DB for authorization if the user is allowed to get the pages without authentication? In detail: we know that when Apache authenticates users, it knows the user name from the authentication credentials, but with the Allow directive the user name is lost. I want Apache to extract the user name for the IP it is allowing from the same table it extracts the IP address from.

UPDATE:

Note: I think Tony's answer might be helpful, but I want other answers too (which don't oblige me to build a module).

My goal in this question is "single sign-on":

  • I use FreeRADIUS to authenticate the internal (inside the network) users, so I don't want Apache to re-authenticate them.

  • I want Apache to authenticate external users using LDAP.

  • My solution is to use the Allow directive to let the internal users in without authentication, but I need to allow them using the DB (first problem), and I am trying to configure Apache to authorize internal users (which I didn't authenticate) (second problem).

Note: Authorizing the external users is very easy using LDAP (because Apache knows the name of the user it's dealing with from the authentication credentials).

Is my suggested solution able to do what I want to do? If not, what do you suggest as a solution?

Best Answer

Have you tried mod_auth_external? It allows you to plug your own custom authentication mechanism into Apache.

It gives your script access to environment variables such as IP, USER and PASS. You can write the script in a language that you are familiar with and fetch the authentication data from your database.

The wiki has some examples.

If you build a custom authentication script, make sure it's well coded (security-wise).

The module is available on CentOS (mod_authnz_external) and on Ubuntu (libapache2-mod-authnz-external).

Here's a basic Apache configuration example:

# Load mod_authnz_external (path relative to ServerRoot) and register an
# external authenticator named "my_auth" that receives the credentials via
# environment variables and runs /tmp/auth.sh for every authentication attempt.
LoadModule authnz_external_module modules.d/mod_authnz_external.so
DefineExternalAuth my_auth environment /tmp/auth.sh

<Location />
   AuthType Basic
   AuthName "My super special access"
   # Hand the Basic-auth credentials to the external authenticator instead of a password file.
   AuthBasicProvider external
   AuthExternal my_auth
   Require valid-user
</Location>

Here's a very simple script that logs the IP, the USER and the PASSWORD, and accepts the authentication only if the user provided is 'Tony'.

In this particular example, the script is saved under /tmp/auth.sh with the executable bit set. You can do whatever you want (filter by IP, username, etc.).

#!/bin/bash
# mod_authnz_external ("environment" method) passes the client's address and
# credentials in the IP, USER and PASS environment variables; the exit status
# is the verdict (0 = accept, non-zero = reject).

echo "$(date) ${IP}" >> /tmp/log.txt
echo "$(date) ${USER}" >> /tmp/log.txt
echo "$(date) ${PASS}" >> /tmp/log.txt

# Very basic filtering: accept only the user 'Tony'.
if [[ "${USER}" != "Tony" ]]; then
    exit 1
fi

exit 0
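The answer suggests a script that consults the question's own IP-to-user table instead of a hard-coded name. The following external authenticator, added here by the editor and not part of Tony's answer, is one way to do that in Python. It assumes a hypothetical SQLite table users(name, ip) at an assumed path and, so that it runs offline, falls back to an in-memory copy of the three constructed rows from the question. Because the table is queried on every request, a row added to or removed from the DB takes effect immediately (the "dynamic" requirement). It also shows the "well coded (security-wise)" points: the client-controlled USER value is bound as a SQL parameter rather than spliced into the query, the address is normalised before lookup, the username the browser sends is required to match the one registered for that address so REMOTE_USER stays trustworthy, and the password is never written to a log.

```python
#!/usr/bin/env python3
"""External authenticator for mod_authnz_external ("environment" method).

Added example, not code from the original answer. Assumes a hypothetical
SQLite table users(name TEXT, ip TEXT) holding the IP-to-user mapping the
question describes; in production this would be the real, changing DB.
mod_authnz_external exports the client's credentials and address in the
environment variables USER, PASS and IP and reads the exit status:
0 = authenticated, anything else = rejected.
"""
import hmac
import ipaddress
import os
import sqlite3
import sys

DB_PATH = "/var/lib/apache2/internal_users.db"  # assumed location

# Constructed sample rows mirroring the table in the question.
SAMPLE_ROWS = [("Mark", "192.168.1.2"), ("Mike", "192.168.1.3"), ("Karl", "192.168.1.4")]


def open_sample_db():
    """In-memory copy of the table, used so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, ip TEXT NOT NULL UNIQUE)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def user_for_ip(conn, client_ip):
    """Return the user registered for client_ip, or None if there is none.

    The address is normalised through the ipaddress module first, and the
    lookup uses a bound parameter, so nothing from the request is spliced
    into the SQL text.
    """
    try:
        normalised = str(ipaddress.ip_address(client_ip))
    except ValueError:
        return None  # malformed address: never matches a row
    row = conn.execute("SELECT name FROM users WHERE ip = ?", (normalised,)).fetchone()
    return row[0] if row else None


def authenticate(conn, env):
    """Decide one request. Returns the exit status mod_authnz_external expects."""
    user = env.get("USER", "")
    client_ip = env.get("IP", "")
    registered = user_for_ip(conn, client_ip)
    if registered is None:
        return 1  # address not in the table: not an internal client, reject
    # Basic auth still makes the browser send a username; require that it be
    # the one the table binds to this address. Otherwise anyone on an allowed
    # host could claim any REMOTE_USER, since no password is checked here.
    if not hmac.compare_digest(user.encode(), registered.encode()):
        return 1
    return 0


def main():
    conn = sqlite3.connect(DB_PATH) if os.path.exists(DB_PATH) else open_sample_db()
    status = authenticate(conn, os.environ)
    # Log the decision only: PASS is deliberately never written anywhere.
    verdict = "allow" if status == 0 else "deny"
    print(f"{os.environ.get('IP', '?')} {os.environ.get('USER', '?')} -> {verdict}",
          file=sys.stderr)
    sys.exit(status)


if __name__ == "__main__":
    main()
```

To wire it in, replace /tmp/auth.sh in the DefineExternalAuth line above with the path of this script (for example DefineExternalAuth internal_by_ip environment /usr/local/bin/internal_auth.py) and reference it with AuthExternal internal_by_ip. Two caveats a practitioner should weigh: the browser is still prompted for Basic credentials (any password is accepted for a listed address, only the username is checked), so this is not a prompt-free single sign-on; and trusting the source IP as identity assumes no NAT, proxy or address spoofing sits between the internal clients and the server.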