Substitute Basic With Digest Authentication In Apache

Update 260310: Apache 2.2 uses the directive AuthUserFile rather than the AuthDigestFile used by Apache 2.0, so the AuthDigestFile lines below apply to the 2.0.63 build described here; on 2.2 write AuthUserFile instead.

The purpose of this document is minimizing downtime and possible errors.
It is understood that, before following this process on a production server, you have run it successfully on a test machine!
This process should be repeatable by copy-paste by someone without any previous knowledge.

PRE

Compile and install a new Apachef1 version

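# Download the httpd 2.0.63 source and its published MD5 into /usr/local/src.
# Chained with && so a failed cd or download does not fall through to the
# checksum comparison against a stale or missing file.
cd /usr/local/src &&
  rm -Rf httpd-2.0.63 &&
  wget http://www.apache.org/dist/httpd/httpd-2.0.63.tar.bz2 &&
  wget http://www.apache.org/dist/httpd/httpd-2.0.63.tar.bz2.md5

# Compare our checksum with the published one and say so explicitly: the
# original `diff` printed nothing on success, so a mismatch was easy to
# overlook in a copy-paste session. No temp file is needed (diff reads stdin).
# NOTE: the .md5 is fetched over plain HTTP from the same server as the
# tarball, so this only catches a corrupt download, not a substituted one;
# verifying the detached PGP signature (.asc) against the httpd KEYS file is
# the stronger check.
if md5sum httpd-2.0.63.tar.bz2 | diff - httpd-2.0.63.tar.bz2.md5; then
  printf '%s\n' "MD5 OK"
else
  printf '%s\n' "MD5 MISMATCH - do not continue" >&2
fi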

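# Unpack and build into a versioned prefix of its own; the running apachef1
# is only switched to it by the symlink step in "IN 1/2". Assumes the current
# directory is still /usr/local/src from the download step.
tar -xvjf httpd-2.0.63.tar.bz2 && cd httpd-2.0.63

# --enable-auth-digest builds mod_auth_digest, which the "AuthType Digest"
# sections later in this page depend on. (--enable-ssl was listed twice on
# the original one-line configure call; the duplicate is dropped here.)
./configure --prefix=/usr/local/apachef1.2.0.63 \
  --enable-rewrite \
  --enable-ssl \
  --with-mpm=prefork \
  --enable-auth-digest \
  --disable-include \
  --disable-env \
  --enable-status \
  --disable-asis \
  --disable-cgi \
  --disable-negotiation \
  --disable-autoindex \
  --disable-imap \
  --disable-actions \
  --disable-userdir \
  --disable-alias

# Install only if the build itself succeeded.
make && make install

# Lists the compiled-in modules; mod_auth_digest.c should be among them
# before going any further.
/usr/local/apachef1.2.0.63/bin/httpd -l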

Create new password files to use with htdigest

For F1…

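# Create the Digest password file for /f1. The realm (PrivateArea.f1) must
# match the AuthName of the <Directory> sections below byte for byte: the
# stored hash covers user, realm and password together.
# The file lives inside the served tree, so it is created under umask 027 in
# a subshell: it is then never world-readable, not even before the chmod
# below runs (the FilesMatch "^\.auth" deny rule is only added later on this
# page). -c overwrites an existing file of that name.
cd /home/ulysse/bf/f1/ &&
  ( umask 027 && /usr/local/apache/bin/htdigest -c .auth.digest.f1 PrivateArea.f1 NewUserName ) &&
  chown nobody:ulysse .auth.digest.f1 &&
  chmod 640 .auth.digest.f1
# NOTE(review): owner nobody gets write access to the credential file; if the
# httpd children run as nobody they only need read, so ulysse:nobody with the
# same 640 would be tighter - confirm the User/Group directives first.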

For test…

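# Create the Digest password file for /test (realm PrivateArea.sandbox, which
# must match the AuthName used for the sandbox sections below exactly).
# umask 027 in a subshell keeps the file from ever being world-readable in
# the served tree, even before the chmod runs; -c overwrites an existing file.
cd /home/ulysse/bf/test/ &&
  ( umask 027 && /usr/local/apache/bin/htdigest -c .auth.digest.sandbox PrivateArea.sandbox NewUserName ) &&
  chown nobody:ulysse .auth.digest.sandbox &&
  chmod 640 .auth.digest.sandbox
# NOTE(review): as for the f1 file, the httpd children only need to read
# this; owner nobody with write access is more than they need - confirm the
# User/Group directives before tightening to ulysse:nobody.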

Copy old configuration files

# Carry conf/, logs/ and modules/ over from the current apachef1 tree into
# the freshly installed 2.0.63 prefix (preserving attributes, forcing
# overwrite). Dotfiles are not matched by the glob, as in the original.
# NOTE(review): the .so files under modules/ were built against the old
# httpd; whether they load under 2.0.63 is settled by the apachectl -t
# check further down, not here.
old_prefix=/usr/local/apachef1
new_prefix=/usr/local/apachef1.2.0.63
for sub in conf logs modules; do
  cp -fa "$old_prefix/$sub/"* "$new_prefix/$sub/"
done

Disable .htaccess on specific directories

Make a copy of the actual online configuration

# Keep a dated copy of the live vhost config before editing it. The %g in
# the suffix is the ISO-8601 week-based year (it differs from %y around New
# Year); it is kept as used throughout this page so backups and rollbacks
# agree on the name.
bf_conf=/usr/local/apache/conf/httpd-bf.conf
cp "$bf_conf" "$bf_conf.$(date +%d%b%g)"

Edit /usr/local/apache/conf/httpd-bf.conf

In the <VirtualHost *:80> section, change the following lines:

<Directory /home/ulysse/bf>
#       AuthName "By Invitation Only ="
#       AuthType Basic
#       AuthUserFile /home/ulysse/bf/.htpasswd
#       Require valid-user
    DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Include conf/forbiddenIpsAndAgents.conf
    Include conf/httpd-rewrite-bf.conf
</Directory>

**TO**

<Directory /home/ulysse/bf>
#       AuthName "By Invitation Only ="
#       AuthType Basic
#       AuthUserFile /home/ulysse/bf/.htpasswd
#       Require valid-user
    DirectoryIndex index.cfm
    Options FollowSymLinks
-->    AllowOverride None    <---
    Order allow,deny
    Allow from all
    Include conf/forbiddenIpsAndAgents.conf
    Include conf/httpd-rewrite-bf.conf
</Directory>

In the <VirtualHost *:443> section, change the following lines:

<Directory /home/ulysse/bf>
    DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Include conf/forbiddenIpsAndAgents.conf
    Include conf/httpd-rewrite-bf.conf
</Directory>

**TO**

<Directory /home/ulysse/bf>
    DirectoryIndex index.cfm
    Options FollowSymLinks
--->    AllowOverride None    <---
    Order allow,deny
    Allow from all
    Include conf/forbiddenIpsAndAgents.conf
    Include conf/httpd-rewrite-bf.conf
</Directory>

Set up Digest Authentication

Edit /usr/local/apache/conf/httpd.conf

# Dated backup of the main config of the www/monitor instance, then edit it
# in place (the FilesMatch "^\.auth" block is added in this edit).
main_conf=/usr/local/apache/conf/httpd.conf
cp "$main_conf" "$main_conf.$(date +%d%b%g)"
vi "$main_conf"

Find the line that reads:

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

**And add:**

<FilesMatch "^\.auth">
    Order allow,deny
    Deny from all
</FilesMatch>

Change the following sections:

# Edit the vhost config backed up in the "Make a copy" step above.
bf_conf=/usr/local/apache/conf/httpd-bf.conf
vi "$bf_conf"

In Virtual host www.hummy.org

Change:

<Directory /home/ulysse/bf/f1>
Deny from all
Allow from 127.0.0.1
Order deny,allow
AuthName "Access 2 f1"
AuthType Basic
AuthUserFile /home/ulysse/bf/.htpasswd.disabled
Require valid-user

    DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
#    Order allow,deny
#    Allow from all
</Directory>

To:

<Directory /home/ulysse/bf/f1>
Deny from all
Allow from 127.0.0.1
Order deny,allow
    -->    AuthName "PrivateArea.f1"    <--
    -->    AuthType Digest    <--
    -->    AuthDigestFile /home/ulysse/bf/f1/.auth.digest.f1    <--
Require valid-user

    DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
#    Order allow,deny
#    Allow from all
</Directory>

Change:

<Directory /home/ulysse/bf/test>
        AllowOverride All
        AuthName "Access 2 test"
        AuthType Basic
        AuthUserFile /home/ulysse/bf/test/.htpasswd
        Require valid-user
        Order allow,deny
        Allow from all
</Directory>

To:

<Directory /home/ulysse/bf/test>
        AllowOverride All
    -->    AuthName "PrivateArea.sandbox"                              <--
    -->    AuthType Digest                                             <--
    -->    AuthDigestFile /home/ulysse/bf/test/.auth.digest.sandbox    <--
        Require valid-user
        Order allow,deny
        Allow from all
</Directory>

In Virtual host monitor.hummy.org

**Change:**

<Directory /home/ulysse/bf>
        AllowOverride All
        AuthName "Access 2 test"
        AuthType Basic
        AuthUserFile /home/ulysse/bf/test/.htpasswd
        Require valid-user
        Order allow,deny
        Allow from all
</Directory>

**TO:**

<Directory /home/ulysse/bf>
        AllowOverride All
    -->    AuthName "PrivateArea.sandbox"                              <--
    -->    AuthType Digest                                             <--
    -->    AuthDigestFile /home/ulysse/bf/test/.auth.digest.sandbox    <--
        Require valid-user
        Order allow,deny
        Allow from all
</Directory>

In Virtual host https://www.hummy.org

Change:

<Directory /home/ulysse/bf/f1>
Deny from all
Allow from 127.0.0.1
Order deny,allow
AuthName "Access 2 f1"
AuthType Basic
AuthUserFile /home/ulysse/bf/.htpasswd.disabled
Require valid-user

    ###DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
#    Order allow,deny
#    Allow from all
</Directory>

To:

<Directory /home/ulysse/bf/f1>
Deny from all
Allow from 127.0.0.1
Order deny,allow
    -->    AuthName "PrivateArea.f1"                         <--
    -->    AuthType Digest                                   <--
    -->    AuthDigestFile /home/ulysse/bf/f1/.auth.digest.f1    <--
Require valid-user

    ###DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
#    Order allow,deny
#    Allow from all
</Directory>

Change:

<Directory /home/ulysse/bf/test>
        AllowOverride All
        AuthName "Access 2 test"
        AuthType Basic
        AuthUserFile /home/ulysse/bf/test/.htpasswd
        Require valid-user
        Order allow,deny
        Allow from all
</Directory>

To:

<Directory /home/ulysse/bf/test>
        AllowOverride All
    -->    AuthName "PrivateArea.sandbox"                              <--
    -->    AuthType Digest                                             <--
    -->    AuthDigestFile /home/ulysse/bf/test/.auth.digest.sandbox    <--
        Require valid-user
        Order allow,deny
        Allow from all
</Directory>

Edit /usr/local/apachef1.2.0.63/conf/httpd.conf

# Dated backup of the new apachef1 main config, then edit it in place.
f1_conf=/usr/local/apachef1.2.0.63/conf/httpd.conf
cp "$f1_conf" "$f1_conf.$(date +%d%b%g)"
vi "$f1_conf"
**Find the line that reads:**

<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

**And add:**

<FilesMatch "^\.auth">
    Order allow,deny
    Deny from all
</FilesMatch>

Change the following sections in Apache F1:

# Dated backup of the new apachef1 vhost config, then edit it in place.
f1_bf_conf=/usr/local/apachef1.2.0.63/conf/httpd-bf.conf
cp "$f1_bf_conf" "$f1_bf_conf.$(date +%d%b%g)"
vi "$f1_bf_conf"

Change:

<Directory /home/ulysse/bf>
        AuthName "By Invitation Only"
        AuthType Basic
        AuthUserFile /home/ulysse/bf/.htpasswd.disabled
        Require valid-user
    DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Include conf/httpd-rewrite-bf.conf
</Directory>

To:

<Directory /home/ulysse/bf>
    -->    AuthName "PrivateArea.sandbox"                              <--
    -->    AuthType Digest                                             <--
    -->    AuthDigestFile /home/ulysse/bf/test/.auth.digest.sandbox    <--
    Require valid-user
    DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
    Include conf/httpd-rewrite-bf.conf
</Directory>

Change:

<Directory /home/ulysse/bf/f1>
        AuthName "Admin Only"
        AuthType Basic
        AuthUserFile /home/ulysse/bf/f1/.htpasswd
        Require valid-user
    DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

To:

<Directory /home/ulysse/bf/f1>
    -->    AuthName "PrivateArea.f1"                            <--
    -->    AuthType Digest                                      <--
    -->    AuthDigestFile /home/ulysse/bf/f1/.auth.digest.f1    <--
    Require valid-user
    DirectoryIndex index.cfm
    Options FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

Check apachef1 syntax

# Syntax-check the new apachef1 config before it is switched live; this is
# also where a module that does not load under 2.0.63 would show up.
new_prefix=/usr/local/apachef1.2.0.63
"$new_prefix/bin/apachectl" -t

Copy the already prepared files with current config for apache

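# Back up the two live configs, then swap in the prepared .28May08.toRestore
# versions. Chained with && so the live files are only overwritten once both
# backups exist, and only if the prepared files are actually there.
# NOTE(review): the backup names are the same ones used in the edit steps
# above; run on the same day, this overwrites those earlier copies.
conf=/usr/local/apache/conf
stamp=$(date +%d%b%g)
cp "$conf/httpd.conf" "$conf/httpd.conf.$stamp" &&
  cp "$conf/httpd-bf.conf" "$conf/httpd-bf.conf.$stamp" &&
  [ -f "$conf/httpd.conf.28May08.toRestore" ] &&
  [ -f "$conf/httpd-bf.conf.28May08.toRestore" ] &&
  cp "$conf/httpd.conf.28May08.toRestore" "$conf/httpd.conf" &&
  cp "$conf/httpd-bf.conf.28May08.toRestore" "$conf/httpd-bf.conf"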

Check apache syntax

# Syntax-check the restored www/monitor config before anything is restarted.
apache_prefix=/usr/local/apache
"$apache_prefix/bin/apachectl" -t

IN 1/2

Move .htpasswd files to root

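# Move the old Basic-auth password files out of the served tree into /root
# (readable by root only, provided /root keeps its usual mode).
# The f1 glob is .htpasswd* rather than the original .ht*: the wider pattern
# would also have moved a .htaccess from /f1, which still has
# AllowOverride All in the vhost sections above, silently changing that
# directory's behaviour.
mkdir -p /root/bf/test &&
  mkdir -p /root/bf/f1 &&
  mv -- /home/ulysse/bf/.htpasswd.disabled /root/bf &&
  mv -- /home/ulysse/bf/test/.htpasswd /root/bf/test &&
  mv -- /home/ulysse/bf/f1/.htpasswd* /root/bf/f1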

Substitute the current apachef1

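# Switch apachef1 to the 2.0.63 tree: stop the service, rename the current
# tree with a date suffix and point the apachef1 symlink at the new prefix.
# Chained with && so a failed cd or stop does not rename a running install,
# and the symlink is only created once the old name is out of the way.
backup=apachef1.$(date +%d%b%g)
cd /usr/local &&
  /etc/init.d/apachef1 stop &&
  mv apachef1 "$backup" &&
  ln -s apachef1.2.0.63 apachef1 &&
  /etc/init.d/apachef1 start
# "Rollback 1/2" needs this name if it is run on a later day.
printf 'old tree kept as /usr/local/%s\n' "$backup"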

Open a tunnel to Online and try to use the Intranet

# Forward local port 8080 to port 8080 on the server so the Intranet URL
# below can be reached through the tunnel.
ssh -L 8080:localhost:8080 user@www.hummy.org

http://production:8080/f1/login.cfm

Rollback 1/2

Copy old Apachef1's config and restart

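# Rollback 1/2: put the previous apachef1 tree back.
# "IN 1/2" renamed it apachef1.<date> - not apache.<date>, which is what this
# section originally tried to move. Set backup_date to the date of that step
# when rolling back on a later day (the original "or ... apachef1.DATE"
# alternative).
backup_date=$(date +%d%b%g)    # e.g. backup_date=28May08 (constructed example)
cd /usr/local &&
  [ -d "apachef1.$backup_date" ] &&   # check the backup exists before removing the symlink
  rm apachef1 &&
  mv "apachef1.$backup_date" apachef1 &&
  /etc/init.d/apachef1 stop
/etc/init.d/apachef1 start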

IN 2/2

Restart Apache

# Restart the www/monitor instance so it reads the restored config.
apache_init=/etc/init.d/apache
"$apache_init" restart

Check

http://www.hummy.org
https://www.hummy.org
http://www.hummy.org/test
https://www.hummy.org/test

Change the username/pass for these scripts

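# Dated backups of the wget scripts before their credentials are changed.
# The original lines read `date%d%b%g` (missing `+` and the space), which is
# "command not found" and would have produced a backup with an empty suffix.
scripts=/home/ulysse/util/scripts
stamp=$(date +%d%b%g)
for s in wget.cron.dailylog.sh wget.cron.sh wgetpage.sh; do
  cp "$scripts/$s" "$scripts/$s.$stamp"
done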

Check these scripts for all occurrences in the ulysse crontab:

# Crontab entries of user ulysse that fetch pages with wget; listed here to
# grep for, not to run from this page.
# /f1 and /test now require Digest credentials, so each script's wget call
# needs the new user and password. Keep them out of the command line
# (arguments are visible in `ps` and in the crontab mail); a mode-600
# ~/.wgetrc or ~/.netrc is the usual place.
# NOTE(review): how these scripts pass credentials today is not visible
# from here - check each one.
/home/ulysse/util/scripts/wget.cron.dailylog.sh "http://localhost/f1/proc/act_send_generic_mail.cfm?autoprocess=1" notif
/home/ulysse/util/scripts/wget.cron.sh "http://www.hummy.org/lucene/luceneindex.cfm?members=" lucene_index
/home/ulysse/util/scripts/wget.cron.sh "http://www.hummy.org/lucene/luceneindex.cfm?blog=" lucene_index
/home/ulysse/util/scripts/wget.cron.sh "http://www.hummy.org/lucene/luceneindex.cfm?stocks=" lucene_index
/home/ulysse/util/scripts/wget.cron.sh "http://www.hummy.org/lucene/luceneindex.cfm?holdings=" lucene_index
/home/ulysse/util/scripts/wget_seekingalpha.sh

Check whether there are more scripts using wget locally.

Rollback 2/2

Copy old Apache's config and restart

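# Rollback 2/2: undo the config swap of the www/monitor instance.
# "IN 2/2" only restarted apache after the "Copy the already prepared files"
# step replaced httpd.conf and httpd-bf.conf; no directory was moved, so
# there is no /usr/local/apache.<date> to put back, and the original
# `rm /usr/local/apache` would have removed the live install itself if it is
# a symlink. Restore the two dated backups taken in that step instead (set
# backup_date to the date of that step if rolling back on a later day).
backup_date=$(date +%d%b%g)
conf=/usr/local/apache/conf
[ -f "$conf/httpd.conf.$backup_date" ] &&
  [ -f "$conf/httpd-bf.conf.$backup_date" ] &&
  cp "$conf/httpd.conf.$backup_date" "$conf/httpd.conf" &&
  cp "$conf/httpd-bf.conf.$backup_date" "$conf/httpd-bf.conf" &&
  /usr/local/apache/bin/apachectl -t &&
  /etc/init.d/apache restart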

POST

Checks

1.

http://www.hummy.org
https://www.hummy.org
http://www.hummy.org/server-status

Visit a member's page
Visit a member's page using HTTPS

2.

www.hummy.org/f1/index.cfm
http://production:8080/f1/index.cfm

3.

http://www.hummy.org/test/mrtg/mr6/index.html
https://www.hummy.org/test/mrtg/mr6/index.html

http://www.hummy.org/test/collectd/mr5/index.html
https://www.hummy.org/test/collectd/mr5/index.html

4. sandbox password:

http://monitor.hummy.org
http://monitor.hummy.org/server-status
http://monitor.hummy.org/test
http://monitor.hummy.org/test/mrtg/mr6/index.html
http://monitor.hummy.org/test/collectd/mr5/index.html

5. mod_security:

http://www.hummy.org/delete from table

6. Forbidden agents

Request a page as User Agent "libwww-perl"

http://hummy.org
http://hummie.org
http://www.hummy.org
http://humm.org

Check that the .auth.digest files are not served (each URL below must be refused):

http://www.hummy.org/.auth.digest.sandbox
http://www.hummy.org/.auth.digest.f1
http://www.hummy.org/test/.auth.digest.sandbox
http://www.hummy.org/f1/.auth.digest.f1
http://monitor.hummy.org/.auth.digest.sandbox
http://monitor.hummy.org/.auth.digest.f1
http://monitor.hummy.org/test/.auth.digest.sandbox
http://monitor.hummy.org/f1/.auth.digest.f1

Notify everybody of the new usernames and passwords (not by email).

Update subversion with the new config files

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License