Configuring authentication and authorization in Apache2 with MySQL - mysql

I am trying to configure Apache2 so I can use MySQL for authenticating users to access certain pages. Also authorization needs to work so different groups can reach different pages.
Now, I have googled a lot but can't find out how to do this. At least not for the configuration I am having. There doesn't seem to be any version of mod_auth_mysql that supports my configuration.
OSX 10.6.4
Apache 2.2
Now, how do I achieve this not creating my own login-application in php but using the built in support of Apache2? I'm totally stuck on this one...
Thanks in advance!
Regards,
Niklas

I also would like to use a tailor-made login page, not a pop-up
....
how do I achieve this not creating my own login-application in php but using the built in support of Apache2
Short answer is that you can't. Unless you rewrite the Apache source code or create your own module, you can't mix HTTP based authentication with non-pop-up login prompts.
However if you are using PHP then a relatively low impact solution would be to use auto-prepend to prefix every protected page with a check on the users session. Obviously this would need a bit more thought if it is to be applied to files other than PHP source files (it'll work perfectly well if you tell Apache to apply the php engine to, say .gif files, but your script will need to detect and return the appropriate mime type).
A simpler solution might be to put a tool like squid in front of the webserver as a reverse proxy, then make the session handling data available to the squid url-rewriter.

You can build mod_auth_mysql from the source. Have a look at this post.

If you want your own log-in page, you cannot use Apache to do authentication.
Apache authentication uses the Authentication portion of the HTTP standard, and as a result you're reliant on the browser to handle the interaction with the user. There are plugins (like mod_auth_mysql) to use a database as the backend for this, but Apache can't ask the user for their credentials any other way.
The fastest approach might well be to set up Drupal or Joomla, which will get you user and group management as well as full content editing, in a way that will let you control who can edit what.

Related

How to password protect website hosted on Amazon Web Services (AWS)

I wanted to create a website that would be like a dropbox of sorts, which just has files that my organization and I can access. I wanted to password protect the website, just a simple username and password. I have my own domain. I have been looking all over the web to find how to do this (I am a beginner) and found that using htaccess and htpasswd would be used to secure a website similar to what is shown here: http://www.htaccesstools.com/articles/password-protection/
But I cannot seem to get it to work. I am using the S3 bucket and putting the htaccess and htpasswd files in the same folder as the index.html file. Do you know how I would get my site to have simple password protection (that's not seen in the source code or by typing in the html)? I am not sure if I am finding the directory correctly or not to implement this password protection correctly. Thank you for taking the time to read this and hopefully this makes sense!
Anyone else had this issue?
Amazon AWS alone won't do it. htaccess and htpasswd are also not the right tools for what you want to do.
Get yourself a cheap hosting account with a company like hostgator or godaddy or namecheap or any other that will host your web page and give you PHP and MySQL.
You cannot accomplish what you want just using javascript/jQuery. Those languages run on the browser, but you want to store your files on a server. Therefore, you need the language that controls the server - that is usually PHP. (The other popular solution is ASP, which is by Microsoft and runs on costly and complex Microsoft servers -- PHP is free and runs on (free) Linux and is therefore what ALL of the cheap web hosting companies provide. MySQL is the (free) database that is analogous to Microsoft SQL)
Next, watch a video tutorial on creating a PHP / MySQL login system, such as the ones over at:
phpAcademy (now called codecourse, apparently)
theNewBoston.com
You need to learn more about:
PHP sessions
Ajax
jQuery
MySQL (possibly)
On a basic website, you can stick your files into directories and control who can access those directories by whether or not they are logged in.
You can determine if a visitor is "logged-in" or not by asking for a username/password and setting a session variable. Session variables are just variables that are stored on the server, rather than on a user's own computer (of course, that wouldn't work since every visitor has his own computer and your files are stored on a central server -- so that is where the security (variables) must reside, right?)
Anyway, in a weekend of video watching and trial-and-error you can probably get something cobbled together that will do what you want.

AngularJs real time app with mysql server

Is it possible to build a realtime app using AngularJs with a mysql database?
I've been reading thousands of tutorials, but they are all focused on express, nodejs, etc. I didn't find any documentation on whether it's possible or not. I tried to take a look at the socket.io docs, but still didn't find anything relevant to this question.
I haven't tried anything yet because of this. I use a web app based on AngularJs on an Apache server (local).
Where should I start to be able to build a real time app using these tools I have?
Do I really need to use a node/express server?
What are the main considerations I need to make before taking this step?
Is there any documentation I should read?
I need to do this in real time because it involves product orders, call center, ticket system, etc. So every time a new ticket is opened/changed, a new order arrives, etc., I need to make the user aware of this, without the need to refresh the page.
Or if someone could give me a further explanation of this concept and how to get started, it will be great.
You can run angular on top of any backend, although most examples push towards REST. If you want your app to feel like a real time application, using WebSockets is a likely improvement.
WebSockets play nice with Angular, look at https://github.com/wilk/ng-websocket for example. A back-end in Node will work, but many other backend techs will do equally well.
Here is a decent tutorial using MySQL, NodeJS, and Angular: https://codeforgeek.com/2015/03/real-time-app-socket-io/
I recommend that you keep using a webserver like Apache (my personal preference is Nginx). You can proxy API and socket requests to Node, and serve static resources for the app from a folder.
Check out https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html if you stay with Apache. Check out http://nginx.org/en/docs/http/websocket.html if you go for nginx.
Without a webserver, you'll have to either:
serve your static resources with Node (polluting your server project with client code), or
work with different ports, risking the app becomes unusable in client environments, or
work with different domains, giving you a CORS headache.
Although I don't have much experience with Node, MySQL with Node.js should help you out a bit.
You'll want to move away from Apache if you want to do websocket stuff with Socket.io
Yes, it is possible to create software with AngularJS in the front end and any other server side language that speaks to MySQL. A few months back I worked on software with Java Spring Framework in the backend with a MySQL database and AngularJS with bootstrap in the front end. You could start by following the MVC pattern, where your views can be served as AngularJS and your Controller can be in any server side code, with a MySQL database.

Is there any way to use facebook login on a localhost?

I am new to web development, I've learned php, mysql and javascript. I'm trying to make a website that uses facebook authentication and login. At the moment, I'm still working on localhost and am running XAMPP. Is there any way to use the facebook development tools on a localhost? Or would it be simpler if I made my own mysql user database?
Thanks
Facebook authentication works the same way in a local environment as it does everywhere else (just configure the application using local URLs for "Canvas URL" and/or "Site URL"). To achieve this you may use both the PHP-SDK and the JS-SDK. See the examples for the PHP-SDK on how to implement authentication of a user.
There is however functionality like social channels for which Facebook needs to be able to reach the machine your app is running on (this may be solved with a bit of effort too)...

How can I store my Rewrite Rules in a database?

I'm developing a new site, and I'd like to store my rewrite rules in a database, instead of right in the .htaccess files.
I have another site that uses Opensef (http://sourceforge.net/projects/opensef/) with a Joomla! installation that is doing this, but I'm not even 100% sure how it works underneath the hood.
How can I store these rules in a database, query for them on request and redirect to the clean URL if found? Is there a better way to do this instead of loading up a .htaccess file (there may be 1000's of entries)?
Thank you,
You can get mod_rewrite to generate a map from an external source, such as executing a PHP or Python file which can get the data from the database and create a mod_rewrite map.
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
(See right at the bottom)
For example
RewriteMap quux-map prg:/path/to/map.quux.pl
Good Luck
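An added example, not part of the answer above: a minimal lookup program for a RewriteMap prg: map, written in Python. httpd writes one key per line to the program's stdin and reads one reply line per key, with the literal NULL meaning no match. The rewrites table, its columns and the sample rows are constructed, and sqlite3 stands in for MySQL so the block runs offline.

```python
#!/usr/bin/env python3
import re
import sqlite3
import sys

# Assumption: clean paths use only these characters; anything else is a miss.
KEY_RE = re.compile(r"^[A-Za-z0-9/_.-]{1,255}$")


def open_db():
    # Constructed sample data. sqlite3 stands in for the MySQL table;
    # the table and column names are hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rewrites (src TEXT PRIMARY KEY, dest TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO rewrites VALUES (?, ?)",
        [("about-us", "/index.php?option=com_content&id=12"),
         ("products/widgets", "/index.php?option=com_shop&cat=3")],
    )
    return conn


def lookup(conn, key):
    """Return the rewrite target for key, or "NULL" when there is none."""
    key = key.strip()
    if not KEY_RE.match(key):
        return "NULL"
    # Bound parameter: the request path never becomes part of the SQL text.
    row = conn.execute("SELECT dest FROM rewrites WHERE src = ?", (key,)).fetchone()
    if row is None or "\n" in row[0] or "\r" in row[0]:
        return "NULL"  # a stored newline would desynchronise the reply stream
    return row[0]


def main():
    conn = open_db()
    for line in sys.stdin:
        sys.stdout.write(lookup(conn, line) + "\n")
        sys.stdout.flush()  # httpd blocks until the reply line arrives


if __name__ == "__main__":
    main()
```

Because the program is long-lived and shared by all requests, every reply must be exactly one line and must be flushed immediately.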
Assuming all these pages are ultimately in Joomla, I think using .htaccess or mod_rewrite is a mistake.
I think you're much better off learning how Opensef works. I'd imagine it has a little piece of code that runs early on for every request that queries the database and issues a Redirect through PHP if there's a hit. A further advantage of this approach is that it should even be possible to have Joomla rewrite links on its pages to point to the clean version in the first place, saving the user an unneeded redirect.
Incidentally, this is how the Pathauto module in Drupal does it, and I use that all the time on some pretty high volume sites with many thousands of pages.
I think that the best approach to use rules stored in a database is:
Store the rules in your database through your admin panel of your site.
Then after updating database, generate a new .htaccess using the rules in DB using your server-side language solution.
Replace old .htaccess with new one.
This avoids the server load. It's similar to Aiden Bell's solution.
Grab the UrlRewriteFilter, butcher it to use a DB, and use that in Tomcat instead of Apache.
Tomcat is a fine web server and can do many things Apache can do (like FastCGI for PHP), and writing stuff like this for it is trivial compared to writing such things for Apache.
What you probably want is a single rewrite rule to handle every unknown request that comes in and then pass that to a small script that will handle the lookups & generate redirects. You could even skip the rewrite rule completely and use the Apache ErrorDocument directive to pass unknown URLS into the script.
You've been pretty slim on the details of what this 'new site' is but, you might want to consider building yourself a Front Controller for the app & having it take care of all the incoming URLs. Many (most?) web app frameworks take this approach.

Linux web front-end best practices

I want to build a web based front-end to manage/administer my Linux box. E.g. I want to be able to add users, manage the file system and all those sorts of things. Think of it as a cPanel clone but more for system admin rather than web admin.
I was thinking about creating a service that runs on my box and that performs all the system level tasks. This way I can have a clear separation between my web based front-end and the actual logic. The server pages can then make calls to my specialized server or queue tasks that way. However, I'm not sure if this would be the best way to go about this.
I guess another important question would be, how I would deal with security when building something like this?
PS: This just as a pet project and learning experience so I'm not interested in existing solutions that do a similar thing.
Have the specialized service daemon running as a distinct user -- let's call it 'managerd'. Set up your /etc/sudoers file so that 'managerd' can execute the various commands you want it to be able to run, as root, without a password.
Have the web server drop "trigger" files containing the commands to run in a directory that is mode '770' with a group that only the web server user and 'managerd' are members of. Make sure that 'managerd' verifies that the files have the correct ownership before executing the command.
Make sure that the web interface side is locked down -- run it over HTTPS only, require authentication, and if at all possible, put in IP-specific ACLs, so that you can only access it from known locations, in advance.
Your solution seems like a very sensible solution to the 'root' issue.
Couple of suggestions:
Binding the 'specialised service' to localhost as well would help to guarantee that requests can't be made externally.
Having requests call functions that perform the actions, rather than directly giving the service full unrestricted access. So calling a function "addToGroup(user,group)" instead of a generic "performAction(command)".
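An added example, not code from either answer: the 'managerd' side of the trigger-file design, in Python. It checks the trigger file's ownership before parsing it and maps a named action to a fixed argv instead of running a supplied command. The JSON request format, the add_to_group action and the usermod invocation are assumptions.

```python
import json
import os
import re
import stat

NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative account names


def _add_to_group(args):
    user, group = args.get("user"), args.get("group")
    if not all(isinstance(v, str) and NAME_RE.fullmatch(v) for v in (user, group)):
        raise ValueError("invalid user or group name")
    # An argv list, never a shell string. Assumption: sudoers lets managerd
    # run exactly this binary without a password.
    return ["sudo", "-n", "/usr/sbin/usermod", "-a", "-G", group, user]


# Allow-list: the web side names an action, it never supplies a command.
ACTIONS = {"add_to_group": _add_to_group}  # hypothetical action name


def load_trigger(path, web_uid, max_bytes=4096):
    """Parse a trigger file only if it is a regular file owned by web_uid."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse symlinks
    try:
        st = os.fstat(fd)  # stat the open descriptor, so the file cannot be swapped
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != web_uid:
            raise PermissionError("unexpected owner")
        if st.st_mode & stat.S_IWOTH:
            raise PermissionError("world-writable trigger file")
        data = os.read(fd, max_bytes + 1)
    finally:
        os.close(fd)
    if len(data) > max_bytes:
        raise ValueError("trigger file too large")
    return json.loads(data)


def build_command(request):
    """Map a parsed request to a fixed argv, or raise for anything else."""
    if not isinstance(request, dict) or not isinstance(request.get("args"), dict):
        raise ValueError("malformed request")
    action = request.get("action")
    handler = ACTIONS.get(action) if isinstance(action, str) else None
    if handler is None:
        raise ValueError("unknown action")
    return handler(request["args"])
```

The daemon would pass the returned list to subprocess.run without shell=True, so argument values are never interpreted by a shell.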