ACCESS CONTROL IN APACHE HTTPD 2.4

Transcription

1 ACCESS CONTROL IN APACHE HTTPD 2.4 Rich Slides at: tm3.org/acin24

2 INTRO Before: Hard and limited Now: Easy and very flexible

3 BEFORE (IE, 2.2 AND EARLIER) Order Allow Deny Satisfy

4 ORDER allow,deny Apply all allow rules, then all deny rules Default behavior is to deny everything (ie, "allow from all" followed by "deny from all") deny,allow Reverse that

5 ORDER People always got that wrong Merging sections confused people

6 ALLOW AND DENY Allow/Deny from all Allow/Deny from [address] Allow/Deny from env=[something] "Satisfy All" requires that all restrictions are met, while "Satisfy Any" requires that only one (or more) is met

7 <Directory /dashboard> Order deny,allow Deny from all Allow from 10.1 Require group admins Satisfy any </Dashboard>

8 DENYING BY AN ENVIRONMENT VARIABLE SetEnvIf User-Agent BadBot GoAway=1 Order allow,deny Allow from all Deny from env=goaway

9 REQUIRE Require valid-user Require user rbowen Require group sales Can be used in conjunction with Allow/Deny, with whatever rules Satisfy imposes

10 COMPLEX CONTROL Combining multiple requirements was difficult and error-prone Some combinations just weren't possible

11 NOW (2.4) Require <RequireAny> <RequireAll> <RequireNone>

12 MOD_AUTHZ_CORE New module that handles basic authz stuff Other modules may extend it

13 REQUIRE Syntax: Require [not] entity [value...]

14 ALL (OR NOTHING) Require all granted Require all denied

15 ENV Require Env something SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in Require env let_me_in

16 COMPARE SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in Order deny,allow Deny from all Allow from env=let_me_in SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in Require env let_me_in

17 REQUIRE IP - MOD_AUTHZ_HOST Require ip Require ip /16 Require ip Require ip 2001:db8::a00:20ff:fea7:ccea Require ip 2001:db8::a00:20ff:fea7:ccea/10

18 REQUIRE HOST - MOD_AUTHZ_HOST Require host example.org Require not host.ru

19 LOCAL Require local ie, /8 or ::1 Or the client and server address are the same Beware of proxied connections

20 REQUIRE USER - MOD_AUTHZ_USER In conjunction wth authentication Require user rbowen cmaria Require valid-user Require not user badguy

21 REQUIRE USER - MOD_AUTHZ_USER <Location /secure> AuthType basic AuthName "private area" AuthBasicProvider dbm AuthDBMType AuthDBMUserFile SDBM /www/etc/dbmpasswd Require valid-user </Location>

22 REQUIRE GROUP sales: rbowen cmaria iwinter sarahrhi blacklist: rbowen Require group sales Require not group blacklist

23 REQUIRE METHOD Permit only certain HTTP methods Require method GET POST OPTIONS

24 REQUIRE EXPR Require expr \ "%{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17" Arbitrary complex expressions using any available environment variables

25 COMPARE SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in Order deny,allow Deny from all Allow from env=let_me_in SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in Require env let_me_in Require expr "${USER_AGENT} ^KnockKnock/2\.0"

26 <REQUIREALL> Enforce multiple requirements

27 <REQUIREALL> Must be on our network AND an admin Like the old "Satisfy All" <RequireAll> Require ip 10.2 Require group admins </RequireAll>

28 <REQUIREANY> Any one (or more) is sufficient

29 REQUIREANY May be on our network OR an Like the old "Satisfy Any" <RequireAny> Require ip 10.2 Require group admins </RequireAny>

30 REQUIREANY <Directory /uploads> <RequireAny> Require method GET OPTIONS Require valid-user </RequireAny> </Directory>

31 COMPARE <Directory /dashboard> Order deny,allow Deny from all Allow from 10.1 Require group admins Satisfy any </Dashboard> <Directory /dashboard> <RequireAny> Require ip 10.1 Require group admins </RequireAny> </Dashboard>

32 <REQUIRENONE> Ensure that *none* are true

33 REQUIRENONE <RequireNone> Require group temps Require ldap-group cn=temporary Employees,o=Airius </RequireNone> No temporary employees may access this content Could do this with 'Deny from' and 'Satisfy all', but you'd lose some flexibility

34 NESTING Allows you to combine requirements in a way that was not possible before

35 <Directory /www/mydocs> <RequireAll> <RequireAny> Require user superadmin <RequireAll> Require group admins Require ldap-group cn=administrators,o=airius <RequireAny> Require group sales Require ldap-attribute dept="sales" </RequireAny> </RequireAll> </RequireAny> <RequireNone> Require group temps Require ldap-group cn=temporary Employees,o=Airius </RequireNone> </RequireAll> </Directory>

36 <Directory /www/mydocs> <RequireAll> <RequireAny> Require user superadmin <RequireAll> Require group admins Require ldap-group cn=administrators,o=airius <RequireAny> Require group sales Require ldap-attribute dept="sales" </RequireAny> </RequireAll> </RequireAny> <RequireNone> Require group temps Require ldap-group cn=temporary Employees,o=Airius </RequireNone> </RequireAll> </Directory>

37 LDAP Which brings me to LDAP...

38 LDAP <Directory /www/docs/private> AuthName "Private" AuthType Basic AuthBasicProvider ldap AuthLDAPURL ldap://ldaphost/o=yourorg Require valid-user </Directory>

39 LDAP-USER Require ldap-user "Barbara Jenson" Require ldap-user "Fred User" Require ldap-user "Joe Manager"

40 LDAP-GROUP Given the LDAP entry... dn: cn=administrators, o=example objectclass: groupofuniquenames uniquemember: cn=barbara Jenson, o=example uniquemember: cn=fred User, o=example You can... Require ldap-group cn=administrators, o=example

41 LDAP-DN Based on an LDAP distinguished name Require ldap-dn cn=barbara Jenson, o=example

42 LDAP-ATTRIBUTE Based on an LDAP attribute Require ldap-attribute employeetype=active

43 LDAP-FILTER Based on an LDAP filter "Anybody in marketing that has a cell phone number on file" Require ldap-filter &(cell=*)(department=marketing)

44 VALID-USER Any valid user, by uid AuthLDAPURL "ldap://ldap1.example.com:389/ou=people, o=example?uid?sub?(objectclass=*)" Require valid-user

45 VALID-USER Any valid user, by Common Name Beware of collisions AuthLDAPURL "ldap://ldap.example.com/ou=people, o=example?cn" Require valid-user

46 VALID-USER Anybody who carries a pager AuthLDAPURL ldap://ldap.example.com/o=example?uid??(qpagepagerid=*) Require valid-user

47 ACTIVE DIRECTORY userprincipalname AuthLDAPBindDN AuthLDAPBindPassword password AuthLDAPURL ldap:// :3268/?userprincipalname?sub

48 AUTHZ_DBD Authentication against RDBMS

49 DBD CONFIG # mod_dbd configuration DBDriver pgsql DBDParams "dbname=apacheauth user=apache pass=xxxxxx" DBDMin 4 DBDKeep 8 DBDMax 20 DBDExptime 300

50 <Directory /usr/www/my.site/team-private/> # mod_authn_core and mod_auth_basic configuration # for mod_authn_dbd AuthType Basic AuthName Team AuthBasicProvider dbd DBD CONFIG # mod_authn_dbd SQL query to authenticate a logged-in user AuthDBDUserPWQuery \ "SELECT password FROM authn WHERE user = %s AND login = 'true'" # mod_authz_core configuration for mod_authz_dbd Require dbd-group team # mod_authz_dbd configuration AuthzDBDQuery "SELECT group FROM authz WHERE user = %s" # when a user fails to be authenticated or authorized, # invite them to login; this page should provide a link # to /team-private/login.html ErrorDocument 401 /login-info.html #...

51 #... DBD CONFIG <Files login.html> # don't require user to already be logged in! AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s" # dbd-login action executes a statement to log user in Require dbd-login AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s" # return user to referring page (if any) after # successful login AuthzDBDLoginToReferer On </Files> <Files logout.html> # dbd-logout action executes a statement to log user out Require dbd-logout AuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s" </Files> </Directory>

52 SESSION AUTH (MOD_SESSIONS) Cookie-based, form-based authentication

53 Because you're already doing your authentication this way anyways...

54 TURN ON SESSIONS Session On SessionCookieName session path=/ SessionHeader X-Replace-Session Name the cookie Define which part of the site it's valid for Defines the header that will be used to replace/ update session data

55 #!/usr/bin/perl WRITE TO A SESSION print "Content-Type: text/plain\n" print "X-Replace-Session: key1=foo&key2=&key3=bar\n" print "\n" #... Your CGI (or php or whatever) can replace/update the session data

56 READ FROM A SESSION Session On SessionEnv On SessionCookieName session path=/ SessionHeader X-Replace-Session SessionEnv On causes the environment variable HTTP_SESSION to be populated with the session data

57 THEN, MOD_AUTH_FORM AuthFormProvider file AuthUserFile conf/passwd AuthType form AuthName realm AuthFormLoginRequiredLocation Session On SessionCookieName session path=/ SessionCryptoPassphrase secret

58 THE FORM... <form method="post" action="/dologin.html"> Username: <input type="text" name="httpd_username" value="" /> Password: <input type="password" name="httpd_password" value="" /> <input type="submit" name="login" value="login" /> </form> <Location /dologin.html> SetHandler form-login-handler AuthFormLoginRequiredLocation AuthFormLoginSuccessLocation AuthFormProvider file AuthUserFile conf/passwd AuthType form AuthName realm Session On SessionCookieName session path=/ SessionCryptoPassphrase secret </Location>

59 THE FORM, WITH SUCCESS REDIRECT LOCATION <form method="post" action="/dologin.html"> Username: <input type="text" name="httpd_username" value="" /> Password: <input type="password" name="httpd_password" value="" /> <input type="submit" name="login" value="login" /> <input type="hidden" name="httpd_location" value=" success.html" /> </form>

60 LOGGING OUT Use the form-logout-handler handler <Location /logout> SetHandler form-logout-handler AuthFormLogoutLocation Session On # Expire the session SessionMaxAge 1 SessionCookieName session path=/ SessionCryptoPassphrase secret </Location>

61 USING <IF> FOR ACCESS CONTROL <RequireAny> Require expr %{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17 Require group admins </RequireAny> Could also say this as <If expr "%{TIME_HOUR} -le 9 %{TIME_HOUR} -ge 17" > Require group admins </If>

62 MOD_ACCESS_COMPAT You can still use the old syntax if you really want to Important for upgrading from 2.2 to 2.4 LoadModule access_compat_module modules/mod_access_compat.so

63 OTHER STUFF AuthzSendForbiddenOnFailure On In the event that a user authentications, but is not authorized (ie, password was right, but you're not permitted here) send a 403 Unauthorized rather than a 401 Auth Required. May reveal to an attacker that they guessed a password correctly

64 ACCESS CONTROL WITH MOD_REWRITE Can now use expr in RewriteCond directives RewriteCon expr \ "%{TIME_HOUR} -le 9 %{TIME_HOUR} -ge 17" RewriteRule ^ - [F]

65 Rich Slides at: tm3.org/acin24