Environment
Novell Open Enterprise Server (Linux based)
Situation
You have documents or a location on Apache that requires restricted
access. You want this restriction to be enforced by requiring
eDirectory authentication and forcing the authentication to be done
over https.
Resolution
This solution can be used on individual directories, URLs, or it
can be used on the entire Apache server itself. It really depends
on how you want to lock down your Apache server. For this example
we will only be creating a single secure location so that any
document that is referenced under that URL will require
authentication. For example, anyone that hits www.mycompany.com will have
public access but anyone who tries to access www.mycompany.com/secure, or a
document under that URL, will be required to authenticate.
Authentication should be done over a secure connection (https)
rather than a non-secure connection (http) which is why this
solution will also cover redirecting all http attempts to https for
that given location.
- First we want to make sure that the rewrite module is enabled.
To do this we will need to go into YaST, Network Services, and choose HTTP Server. Select Modules and click Edit. Find the rewrite module,
select it, and click on the Toggle Status button to enable it. Then click OK and Finish.
Note: Do not add the load module statement directly to the /etc/apache2/sysconfig.d/loadmodule.conf file because your changes will be lost once the Apache server has been restarted.
- Next we are going to create a new file under the /etc/apache2/conf.d directory
called secure.conf. We don't need to add an include statement for this because Apache
already has a directive to load any .conf file under this directory.
- Determine the location for your secure information. If you
already have an existing directory that you would like to secure
then you need to determine whether or not it exists under the
DocumentRoot (default is /srv/www/htdocs). If it is not a
subdirectory of the DocumentRoot then you will need to create an alias
to that directory. Since the secure directory is not going to
reside under the DocumentRoot, but rather at the same level as the
DocumentRoot, an alias will need to be created. Add the
following line to the secure.conf file.
    Alias /secure "/srv/www/secure"
- You will also need to verify that the wwwrun user has the appropriate
rights to access that directory. If this is an NSS volume then the
rights will need to be assigned through eDirectory rather than the
local Linux file system, which is outlined in TID # 3344085.
Since the directory /secure was created under /srv/www and it is a local Linux
file system, we will need to change the owner and/or group on the
directory to the Apache user and group.
    chown -R wwwrun:www /srv/www/secure
- The next couple of lines that we will be adding to the
secure.conf file will intercept all http requests to the /secure alias and redirect them
to https. This will allow for the authentication to be sent over an
encrypted session.
    RewriteEngine On
    RewriteRule ^/secure https://%{SERVER_NAME}/secure [L,R]
- Now we need to add the option for LDAP authentication. We can
place this under the rewrite directives that were added in step 5,
making sure that the www.mycompany.com section is replaced with your
IP address or DNS name.
    <Directory "/srv/www/secure">
    Options Indexes Multiviews
    AllowOverride None
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Protected"
    require valid-user
    AuthLDAPAuthoritative On
    AuthLDAPURL ldaps://www.mycompany.com/o=corp?uid?sub
    </Directory>
- Now stop and start Apache (from within a terminal) to make sure
that there are no errors.
    su
    rcapache2 stop
    rcapache2 start
- After verifying that Apache is able to start, go to
http://www.mycompany.com/secure and verify that you are redirected
to https and that you are asked and are able to authenticate
against the /secure alias.
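
A pre-restart check for secure.conf, added here as an example and not part of the original TID: the shell function flags a file in which the http-to-https redirect or the ldaps:// URL from the steps above is missing, so Basic credentials would not be protected in transit. The function name, the finding texts and both sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Audits a secure.conf-style file on stdin (added example, not from the TID).
# Prints one FINDING line per problem; returns 0 if clean, 1 otherwise.
# Real use: audit_secure_conf < /etc/apache2/conf.d/secure.conf
audit_secure_conf() {
    # Drop comment lines so commented-out directives are not counted.
    conf=$(sed -e '/^[[:space:]]*#/d')
    findings=0
    has()  { printf '%s\n' "$conf" | grep -Eiq "^[[:space:]]*$1"; }
    flag() { echo "FINDING: $1"; findings=1; }
    has 'AuthType[[:space:]]+Basic' ||
        flag "no AuthType Basic: nothing prompts for credentials"
    has 'Require[[:space:]]+valid-user' ||
        flag "no 'require valid-user': /secure is not restricted"
    has 'RewriteEngine[[:space:]]+On' ||
        flag "RewriteEngine is not On: http requests are not redirected"
    has 'RewriteRule[[:space:]]+\^/secure[[:space:]]+https://' ||
        flag "no RewriteRule sending ^/secure to https://"
    has 'AuthLDAPURL[[:space:]]+"?ldaps://' ||
        flag "AuthLDAPURL does not use ldaps://"
    return $findings
}

# Constructed sample: the configuration built in the steps above.
sample_good() { cat <<'EOF'
RewriteEngine On
RewriteRule ^/secure https://%{SERVER_NAME}/secure [L,R]
<Directory "/srv/www/secure">
AuthType Basic
require valid-user
AuthLDAPURL ldaps://www.mycompany.com/o=corp?uid?sub
</Directory>
EOF
}

# Constructed sample: redirect commented out, plain ldap:// URL.
sample_weak() { cat <<'EOF'
#RewriteEngine On
#RewriteRule ^/secure https://%{SERVER_NAME}/secure [L,R]
<Directory "/srv/www/secure">
AuthType Basic
require valid-user
AuthLDAPURL ldap://www.mycompany.com/o=corp?uid?sub
</Directory>
EOF
}
for s in sample_good sample_weak; do
    echo "== $s"; $s | audit_secure_conf || true
done
```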