Password Authentication
If your server is Apache or Nginx, you can use password authentication to protect your installation.
Edit _h5ai/public/index.php and add the following PHP auth function.
You can add any accounts and passwords.
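<?php
auth();
// Add at the bottom
function auth ()
{
    // Map of user name => password
    $valid_passwords = array (
        "username" => "userpassword",
        "user2" => "user2password"
    );
    // Both keys are absent until the browser sends credentials
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    // Known user and matching password; hash_equals() avoids the loose "==" comparison
    // and compares in constant time
    $validated = isset($valid_passwords[$user]) && hash_equals($valid_passwords[$user], $pass);
    if (!$validated) {
        // Ask the browser for credentials and stop before h5ai renders anything
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        die ("Not authorized");
    }
}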
The realm attribute (case-insensitive) is required for all authentication schemes which issue a challenge. The realm value (case-sensitive), in combination with the canonical root URL of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm value is a string, generally assigned by the origin server, which may have additional semantics specific to the authentication scheme.
From RFC 1945 (HTTP/1.0) and RFC 2617 (HTTP Authentication referenced by HTTP/1.1)
In short, pages in the same realm should share credentials. If your credentials work for a page with the realm "My Realm", it should be assumed that the same username and password combination should work for another page with the same realm.
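The auth function above keeps plaintext passwords in index.php. As an added example (not part of the original wiki page or h5ai's own code), this variant stores password_hash() hashes and checks them with password_verify(); the helper name check_credentials and the sample accounts are assumptions, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not h5ai's own code. Accounts below are constructed samples.
// For a real install, generate each hash once on the command line, e.g.
//   php -r 'echo password_hash("userpassword", PASSWORD_DEFAULT), PHP_EOL;'
// and paste the strings here; they are computed inline only to run stand-alone.
$valid_hashes = array(
    "username" => password_hash("userpassword", PASSWORD_DEFAULT),
    "user2"    => password_hash("user2password", PASSWORD_DEFAULT),
);

// True only when $user is a known account and $pass matches its stored hash.
function check_credentials(array $hashes, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false; // first request: the browser has sent no credentials yet
    }
    // Unknown users are verified against a dummy hash so the response time
    // does not reveal which user names exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash("placeholder", PASSWORD_DEFAULT);
    }
    $known = array_key_exists($user, $hashes);
    $ok = password_verify($pass, $known ? $hashes[$user] : $dummy);
    return $known && $ok;
}

// Replacement for auth(): call auth($valid_hashes) at the top of index.php.
function auth(array $hashes): void
{
    $user = $_SERVER['PHP_AUTH_USER'] ?? null;
    $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
    if (!check_credentials($hashes, $user, $pass)) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        die("Not authorized");
    }
}

// Self-check from the command line; skipped when served by a web server.
if (PHP_SAPI === 'cli') {
    $cases = [["username", "userpassword", true], ["username", "wrong", false],
              ["nobody", "userpassword", false], [null, null, false]];
    foreach ($cases as [$u, $p, $want]) {
        if (check_credentials($valid_hashes, $u, $p) !== $want) {
            throw new RuntimeException("unexpected result for " . var_export($u, true));
        }
    }
    echo "all checks passed\n";
}
```

Basic authentication sends the user name and password base64-encoded on every request, so serve the protected directory over HTTPS.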
Edit the root directory .htaccess
DirectoryIndex index.html index.php /path/to/_h5ai/public/index.php
The configuration here is related to the following server settings, configured in /etc/http/conf/http.conf:
<Directory "/path/to/home/">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
NOTE: You need to turn off the h5ai search mode, otherwise the contents of other directories can be found through searching.
- Turn off _h5ai directory browsing mode.
- Delete the original _h5ai/.htaccess to avoid conflicts with the directory browsing mode.
- Add index.html to the directory _h5ai/
- Add the users and passwords to the h5ai auth function
Example of the default configuration; change this according to your server.
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>