[RESOLVED] PHP Authentication code

[ididntdoit]

Hey everyone. Here's my problem. The web is CRAWLING with code to authenticate a user who is opening a specific file.

My problem: I want to use PHP to authenticate access to ANYTHING and EVERYTHING. I have a vritualhost on port 8029 and it will provide access to many various files that are only for my own personal access. If, for example, someone navigates to mywebsite:8029/secretfile.afile I want my PHP code to stop them and ask for a login.

I know this has a bit more to do with apache2 than PHP, but how can I configure my server to demand authentication by a PHP file when accessing anything in a virtualhost? (or any specific directory for that matter).

Thanks!

[kows]

this would be easier to do with htaccess and htpasswd files than with PHP, though it could be done with PHP as well. I can write something up if you'd be more interested in doing it with PHP, but Apache's authorization works well.

[ididntdoit]

I know I could do it with .htaccess, and it would work just fine.

The reason I wished to do something with PHP is

a) htaccess is very primative. It offers no nice login page or option to remember passwords, it just pops up asking for a login

b) it is completely insecure since all passwords are sent using plaintext.

The security isn't a huge concern as this is just a private website, however it will be giving access to basically the system root of my server which will be used to backup files and such also.

My other alternative to a PHP login is just to straight up use PHP and not make that part of my server accessible through a web interface.

The coding isn't a problem for me, I'm not too bad with PHP actually. My problem is that I don't know how to make Apache use my PHP page to authenticate access to ANY and EVERY file. Is there a way to specify a PHP login page rather than a .htacces file and have the same outcome (forced auth before access to anything in that directory or sub-directories)?

[kows]

to forward all requests to a PHP file, you can use mod_rewrite:

Code:

RewriteEngine On
RewriteRule ^(.*)$ index.php?request=$1 [L]

you can create a basic login script and store the request in a session or something, then when they're authenticated you can just send the file to the user to be downloaded using PHP. to allow directory listings, but to require a login only for viewing/downloading files, you can add a condition:

Code:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.*)$ index.php?request=$1 [L]

this basically says it will only redirect requests that are files that exist. otherwise, you'll need to write a script that lists directories as well once they're logged in.

[ididntdoit]

Wow, that looks excelent and just like what I need! I assume I can either throw this right into my VirtualHost structure or a Directory structure, correct?

I'll try this in just a few minutes - I have to meet a few deadlines tonight for resume submitting

[kows]

you can put it into an Apache configuration file (httpd.conf or vhosts.conf, or whichever file you set up your virtual hosts), or into an htaccess file in the document root of your virtual host.

[ididntdoit]

I put is as such in my apache2.conf:

PHP Code:

<VirtualHost *:8029>
    ServerName "Mine"
    DocumentRoot /media/space
</VirtualHost>

<Directory "/media/space">
    RewriteEngine On
    RewriteRule ^(.*)$ index.php?request=$1 [L]
</Directory> 


I then put the files index.php and secret.txt in the folder /media/space. If I access my site (site.com:8029) I see the contents of my php file.

If I access the secret file (site.com:8029/secret.txt)
.
.
.
.
I SEE THE CONTENT OF THE INDEX.PHP FILE!!! Thank you so much! I'll find a way to do all the nice neat programming around this now.

Oh, BTW. Just thought I'd mention for any newbies that read this thread some time, I had to include a module to use the code kows provided. The module is called Rewrite and in linux you can add it to apache by doing the following i a terminal:

Code:

sudo a2enmod rewrite
sudo /etc/init.d/apache2 restart

Thanks again Kows!

[ididntdoit]

Sorry one - last problem that I can't seem to solve by online research. You're line "RewriteRule ^(.*)$ test.php?req=$1 [L]" looks perfect according to every online resource I can find. SO the content of my test.php file:

PHP Code:

<?php

echo "<html>Testing! The request was ";
echo $_GET['req'];
echo "</html>";

?>

should then write "Testing! The request was secret.txt" to the screen. HOWEVER, it always writes "Testing! The request was test.php".

It seems to always send the name of the php file that's handling the request as the req variable rather than the name/path of the file requested. Cna you shed any light on this?

[kows]

with only a quick glance, you're using the query string 'request' in the configuration file you posted:

Code:

<Directory "/media/space">
    RewriteEngine On
    RewriteRule ^(.*)$ index.php?request=$1 [L]
</Directory>

[ididntdoit]

yes, sorry. I changed that already to req. (I put it in my last post, just not in CODE quotes) I was just curious if request ahppened to be some kind of keyword either for Rewrite or PHP. I also renamed the file from index.php to test.php in case it had something to do with index.html and index.php being default files to try and open in a directory, but again no luck. Any other ideas?

Thank you very much for your help!

[kows]

post your entire Apache configuration file.

[ididntdoit]

Here it is. It's basically stock with just 2 virtual host structs and that directory struct. If it matters I'm running Ubuntu 10.04 on an x86 AMD CPU machine.

[kows]

I have no idea if it would change anything, but try adding the following to your virtual host's <Directory>:

Code:

    AllowOverride all
    Options +Indexes

[ididntdoit]

Code:

<Directory "/media/space">
	AllowOverride all
	Options +Indexes
	RewriteEngine On
	RewriteRule ^(.*)$ test.php?req=$1 [L]
</Directory>

Nope, no change with this. This is really odd. Did I mention though that

PHP Code:

%{THE_REQUEST} 


rather than $1 gives me close to what I need? I'd have to parse it a bit, but the final page displays

Code:

Testing! The request was GET /secret.txt HTTP/1.1

[kows]

$1 is a back reference to the first regular expression that was captured, which would be every request with the rewrite rule I gave you. I have this rule set up on multiple servers (and it's commonly used with a few cms/frameworks) and have never had a problem with it, so it has something to do with your configuration.

you can use the following to see if you get any weird messages:

Code:

RewriteLogLevel 9
RewriteLog "logs/rewrite_log"

and here is a pretty generic Apache configuration file that I'm using for a server (with unnecessary things removed -- like fastcgi configuration, extra mime-types). you could maybe use it to troubleshoot:

Code:

ServerRoot "/home/username/.apps/apache"

### Base Modules.  You usually need these:
LoadModule log_config_module modules/mod_log_config.so
LoadModule dir_module modules/mod_dir.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule actions_module modules/mod_actions.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule alias_module modules/mod_alias.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule expires_module modules/mod_expires.so


KeepAlive Off
Listen 127.0.0.1:55408
NameVirtualHost 127.0.0.1:55408
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogLevel warn
CustomLog logs/access_log combined
ServerLimit 1
ThreadsPerChild 50

# Uncomment this to debug Rewrite problems:
#RewriteLogLevel 9
RewriteLog "logs/rewrite_log"

###############

  DirectoryIndex index.html index.htm index.cgi index.py index.php index.spy nph-index.cgi index.shtml
  ProxyPreserveHost on
  <Directory /home/username>
    AllowOverride all
    Options +Indexes
    IndexOptions Charset=UTF-8
  </Directory>

###############


<VirtualHost 127.0.0.1:55408>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /home/username/domains/example.com/www
</VirtualHost>

<VirtualHost 127.0.0.1:55408>
  ServerName example.org
  ServerAlias www.example.org
  DocumentRoot /home/username/domains/example.org/www
</VirtualHost>

anyway, %{REQUEST_FILENAME} gives you the request's filename, which would be exactly what you want -- it just includes the absolute path on your system.