Apache, webapps and BASIC authentication

Category: Linux, webserver. Published by goeszen on January 25, 2021 at 1:47 pm

If you are running a LAMP stack, with Apache serving your web-app, you probably already know how to enable simple logins via BASIC Authentication on your webserver (usually a Directory directive with AuthType Basic and an htpasswd file; we've all been there). It's an easy way to restrict certain areas of a public site to a select group of users, and as long as you only accept logins over HTTPS, it's similarly secure to other login schemes.

But when you serve a web-app, typically built on a framework like Sinatra, Dancer, Mojo or similar, it's the norm that many of the paths in your webapp are virtual paths. Securing those isn't as easy with Apache: the auth module expects the paths it protects to physically exist on disk, whereas the paths defined in your web-app are usually mod_rewrite paths that don't. There are one or two workarounds for this problem, such as passing a custom HTTP header for specific paths and similarly involved tricks. See the discussion here and here.

App-level auth to the rescue

One way out of this "virtual path vs. real protected path" dilemma is to fall back on app-level authentication. With Sinatra, you can extend your app to handle the HTTP Authorization header itself (see here and here, for example). The PerlDancer ecosystem offers a ready-made plugin. Your mileage may vary. In any case:

Once you have implemented that idea in your app, you'll probably run into another issue: it's not working! Authorization never triggers, or the credentials the user enters are simply ignored and rejected as incorrect. Let me assure you, it's not your htpasswd file, and there's no typo either.

The thing is: Apache is not handing the Authorization header to your web-app. Check it yourself: dump the request headers in your app and you'll find every HTTP header is there, except the Authorization header on login attempts. And that's actually a feature! It was introduced around version 2.4.13 of Apache 2.4. For app-level auth to work, you need to explicitly enable Authorization header pass-through. (Documentation is here and discussion here.)

You need to add "CGIPassAuth On" either for a specific directory via Apache's Directory directive, for a single vhost, or even system-wide, whatever fits your configuration. Reload Apache and it should work.
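For the app side of this setup, here is an added example (not code from the post, and not a Sinatra or Dancer plugin) of what the handler behind "CGIPassAuth On" has to do with the Authorization header once it actually arrives: parse the Basic credentials, check them against htpasswd entries in the {SHA} format, and treat a missing header as its own outcome, since that is exactly the symptom described above when Apache is still swallowing the header. The users alice and bob and their passwords are constructed for the example.

```ruby
require 'digest/sha1'
# Constructed htpasswd data in the {SHA} format written by `htpasswd -s` (Base64 of the
# raw SHA-1 of the password). Users alice/s3cret and bob/pa:ss are hypothetical.
def sha_entry(password)
  "{SHA}#{[Digest::SHA1.digest(password)].pack('m0')}"
end

HTPASSWD = <<~TXT
  # comment and blank lines are ignored by load_htpasswd
  alice:#{sha_entry('s3cret')}
  bob:#{sha_entry('pa:ss')}
TXT

# Parse htpasswd text into { user => stored_hash }.
def load_htpasswd(text)
  text.each_line.with_object({}) do |line, users|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    user, hash = line.split(':', 2)
    users[user] = hash if user && hash
  end
end

# Constant-time comparison so a wrong guess does not leak how much of the hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Only {SHA} entries are verified here; bcrypt/apr1 entries would need their own verifier.
def password_matches?(stored, password)
  stored.start_with?('{SHA}') && secure_equal?(stored, sha_entry(password))
end

# Check one Authorization header value. :no_header is the symptom from the post: with
# CGIPassAuth off every real login lands here, so answer with a 401 challenge, not "denied".
def authenticate(header, users)
  return [:no_header, nil] if header.nil? || header.strip.empty?
  scheme, param = header.strip.split(/\s+/, 2)
  return [:bad_scheme, nil] unless scheme.casecmp?('basic') && param
  begin
    decoded = param.unpack1('m0')          # strict Base64; garbage raises
  rescue ArgumentError
    return [:malformed, nil]
  end
  user, password = decoded.split(':', 2)   # the password itself may contain ':'
  return [:malformed, nil] if user.nil? || password.nil?
  return [:denied, nil] unless users.key?(user) && password_matches?(users[user], password)
  [:ok, user]
end
```

If your app only ever sees :no_header for logins that the browser definitely sent, look at the Apache configuration before touching the htpasswd file.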
