Solved

protect files to authenticated curl connections only

Posted on 2014-09-02
234 Views
Last Modified: 2015-02-07
I have an app which uses authenticated curl connections to communicate with a php application.

There is no reason for any other traffic on this web site other than these authenticated curl connections so I want to protect it.

How can I protect this site and any files inside so only authenticated curl connections are allowed?

I would prefer not having to mess with the web server configuration because this is a virtual host and I don't want to mess anything up.
Question by:projects
58 Comments
 
LVL 32

Expert Comment

by:shalomc
ID: 40301298
If they are always authenticated, doesn't it provide sufficient protection? An unauthenticated session should be rejected.

I can think of several additional and feasible layers of protection. What other protection did you have in mind?
Is the php application on the internet? Is it on shared hosting? In AWS? In colo?
Is your app connecting to the php server from a predictable IP address?
 
LVL 61

Expert Comment

by:btan
ID: 40301325
It may even be good to have client authentication, where a legitimate client presents a client cert to access the HTTPS website when using cURL; it will be handled based on the URL targeted by curl... Certificates are more secure than user/password. Hence, Apache has to have the public key or the certificate authority's cert installed to be able to trust specific certificates.

Apache's own docs have good examples on different situations:
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#allclients
You may want to explore adding this directive: SSLUserName SSL_CLIENT_S_DN_CN
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

Also thinking of ModSecurity as another layer to respond to suspicious transactions within your web application.

e.g. set up Apache+ModSecurity to be a reverse proxy, and have a ruleset to initiate a deny when the transactional anomaly score is above the threshold specified by the ModSecurity admin and the Anomaly Scoring Blocking variable is set

http://blog.spiderlabs.com/2011/06/modsecurity-advanced-topic-of-the-week-application-logout-response-actions.html

Some example of installing mod_security (Apache intrusion detection and prevention engine), if of interest: http://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/
 

Author Comment

by:projects
ID: 40301384
I am in fact using certs from the client end and on the server side.
The clients do not have fixed IPs so there is no way of controlling via IP.

While the clients are being authenticated, that protects only from others being able to read/write with the php app.

My question is how to fully block the site to anyone but those authenticated curl connections. No others need access and yes, this is partly over the internet as well.
 
LVL 39

Expert Comment

by:noci
ID: 40301997
You can have curl send a special agent ID and require that.
But note that any info can be replicated by a browser.
Like:

-A 'My SPECIAL Curl Agent'

If this needs protection then obviously you use all this through an SSL connection.
 

Author Comment

by:projects
ID: 40302002
There is nothing needed for the curl connections, I just want to prevent all other traffic which is not authenticated.
 
LVL 39

Expert Comment

by:noci
ID: 40302306
If curl can pass through, then anything can pass through.
You should view curl as your command line driven browser...

So what curl can do a browser can do, and what a browser can do might be possible if you have a JS engine to handle javascript...

So you will need to use regular authentication; with curl, certificates might be the best approach. You will need an SSL link anyway if you are concerned about others tapping into the data.
 

Author Comment

by:projects
ID: 40302368
There isn't really anything all that sensitive in there but I want to protect files/code we are just testing/working on.

When you say curl certificates, you do just mean regular ssl certs? That's what I am using now.

It dawns on me that I would always simply lock the web site down by name/password before even getting to the php pages. That would add the second layer of security preventing browsers.
 
LVL 61

Expert Comment

by:btan
ID: 40302496
I was thinking of using the Apache config
http://httpd.apache.org/docs/current/mod/core.html#limitexcept

<LimitExcept> and </LimitExcept> are used to enclose a group of access control directives which will then apply to any HTTP access method not listed in the arguments; i.e., it is the opposite of a <Limit> section and can be used to control both standard and nonstandard/unrecognized methods.

Header  always set  Access-Control-Allow-Credentials "true"
Header  always set  Access-Control-Allow-Headers    "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header  always set  Access-Control-Allow-Methods    "GET, POST, HEAD, PUT, OPTIONS"
Header  always set  Access-Control-Allow-Origin    "app2_url"
Header  always set  Access-Control-Max-Age  "1800"

<Directory /app1/dir/>
  Options Includes FollowSymLinks ExecCGI MultiViews
  AllowOverride None
  <LimitExcept OPTIONS>
    Order allow,deny
    allow from all
    AuthType Net
    PubcookieInactiveExpire -1
    PubcookieAppID app1.company.com
    require valid-user
  </LimitExcept>
</Directory>
 

Author Comment

by:projects
ID: 40302622
LimitExcept is not something I've used before. I'll look around and see if I can find examples of using it on just one virtualhost.
 
LVL 39

Expert Comment

by:noci
ID: 40303904
LimitExcept still requires a regular web server "login".

So it all boils down to authentication of a session/user, using either username/password or subject/X509-certificate signage.
 

Author Comment

by:projects
ID: 40303981
Each remote has its name/password to log into php. Could I not use that, maybe have an index.php page at the top of the site which requires the remote to log in before it can even authenticate for additional access with php?
 
LVL 61

Expert Comment

by:btan
ID: 40304986
Actually it is more of a web portal where initial login is required and, based on the privileges, the necessary services are presented in accordance with role and access rights. Some of the web sites fronted by an access manager can do it without even affecting the web pages. I recall seeing this with F5 Access Policy Manager (as reverse proxy); they termed it a webtop. There is client inspection too, which includes cert and machine id etc. (but it will need some agent for this, which enforces the SSL VPN plugin etc.). Of course SSO comes into play as well to ease the experience of keying in credentials many times.
https://devcentral.f5.com/articles/working-with-apm-webtops-ndashpart-1
https://f5.com/products/modules/access-policy-manager

Maybe it is still best to check on client cert as auth...

Exploring the mod_auth and mod_bw modules:
http://en.wikipedia.org/wiki/List_of_Apache_modules
mod_bw - The httpd web server doesn't really have a way to control how many resources a given virtual host can have / a user can request. This module should be able to limit access to certain areas of the website and to limit malicious users.

mod_auth (with AuthAuthoritative Directive)
Setting the AuthAuthoritative directive explicitly to Off allows for both authentication and authorization to be passed on to lower level modules (as defined in the modules.c files) if there is no userID or rule matching the supplied userID. If there is a userID and/or rule specified; the usual password and access checks will be applied and a failure will give an "Authentication Required" reply.

So if a userID appears in the database of more than one module; or if a valid Require directive applies to more than one module; then the first module will verify the credentials; and no access is passed on; regardless of the AuthAuthoritative setting.
 

Author Comment

by:projects
ID: 40333339
@shalomc;

>If they are always authenticated, doesn't it provide sufficient protection?
>An unauthenticated session should be rejected.

This is what I am interested in. No other connections should be allowed, only the curl authenticated ones. There must be a way of doing this without having to get into hugely complex configurations.
 
LVL 32

Accepted Solution

by:
shalomc earned 500 total points
ID: 40333554
Consider using Basic authentication. When you protect your server or parts of it with BA, the Apache server will require that a user and password are provided, and will not execute your php unless the credentials are good.
Wrong credentials will cause a 401 error.

Basically you want to place something like this in the main directory section in your httpd.conf file

AuthType Basic
AuthName "Secure Zone"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user phpuser

You will also need to enable the mod_auth_basic and mod_authn_file modules.

Here is a step by step explanation on how to do it.
https://wiki.apache.org/httpd/PasswordBasicAuth

And this is the relevant documentation
http://httpd.apache.org/docs/2.2/howto/auth.html
 
LVL 39

Expert Comment

by:noci
ID: 40333777
Well, curl behaves like a scriptless browser. So whatever curl can do a browser can do.......
or any dedicated tool using HTML::GET e.a. from perl
You will have to rely on the authentication to handle this.
Either using Basic Authentication, or using X.509 certificates.
So issue personal certificates & validate them including checking a CRL.

You will need to use SSL anyway to secure the password ...
 
LVL 61

Expert Comment

by:btan
ID: 40333966
Maybe we can check (using mod_security or equivalent) for the appropriate cookie header and host header, which can determine whether the request is authenticated. http://forum.ivorde.com/using-curl-to-test-a-restricted-web-resource-url-for-authenticated-users-sending-cookies-headers-t16141.html
 

Author Comment

by:projects
ID: 40333980
Lots of good ideas but it seems that yours is closest to something which would make sense for me shalomc.

Curl and browsers are indeed similar but the only connections which should make it into the site are authenticated ones.

The point is that I am already authenticating the connections to php so I would like to use that same authentication to allow users into the site and have all else fail.

I guess the question will be how do I send this so that both the apache authentication is done along with the usual php authentication I am actually doing.
 
LVL 39

Expert Comment

by:noci
ID: 40334288
I think btan is closest by generating & specifying a cookie from the client side, not requiring one that can be generated host side. And if the cookie contains f.e. the HMAC of the content, it's getting nearest to what you can achieve.
First require the web server to enforce authentication, preferably X.509; minimally SSL should be used to communicate, based on certificates YOU issue. Then require a kind of signature like an HMAC of the content to be sent as a cookie in the content, preferably based on an IV you issue from the server in a previous request.
 
LVL 61

Expert Comment

by:btan
ID: 40334321
Yup, almost like the SYN cookie that denies SYN floods. If I understand right you can even define different cookies for every user with CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR. Make a different file for every user so each one would have its own cookie-based session on the remote server, e.g. creating different cookie files for different users with unique PHPSESSID.
//Create And Save Cookies (one cookie file per PHP session id)
    // keep only safe characters from the cookie value before using it in a file name
    $sid = isset($_COOKIE['PHPSESSID']) ? preg_replace('/[^A-Za-z0-9,-]/', '', $_COOKIE['PHPSESSID']) : '';
    $tmpfname = dirname(__FILE__).'/'.$sid.'.txt';
    curl_setopt($session, CURLOPT_COOKIEJAR, $tmpfname);
    curl_setopt($session, CURLOPT_COOKIEFILE, $tmpfname);
Then use the cookie with additional secured user content (as shared by @noci) as a form of check - may be an option ...
 
LVL 32

Expert Comment

by:shalomc
ID: 40334330
You could drop the php authentication altogether and rely solely on the apache authentication.

A request will not pass the Apache authentication into your scripts unless the user and password are provided.
Your php script can then use the   $_SERVER['REMOTE_USER']  variable to get the authenticated user name.
 
LVL 39

Expert Comment

by:noci
ID: 40334425
The cookie jar & file are meant to receive cookies in one run and to provide them back to a server for sessions. In this case adding them as a header field should be easier.
 

Author Comment

by:projects
ID: 40334453
@noci,
>I think btan is closest by generating & specifying a cookie from client side, not
>requiring one that can be generated host side.

So long as the solution allows me to generate whatever I need from a central machine, then copy it onto the client, then that could work.

>First require the web server to enforce authentication, preferably X.509, minimal
>SSL should be used to communicate,

At the moment, the server is being used to host multiple domains so the solution needs to take this into account without messing up the rest of the domains.

@btan,
>Make different file for every user so each one would have its own
>cookie-based session on remote server. e.g  creating different

When I put another client together, I can easily create any custom files which need to be placed on that machine.

@shalomc,
>You could drop the php authentication altogether and
>rely solely on the apache authentication.

Yes, this might be an option in the future, when I can hire someone to come in and optimize the whole client/server setup but right now, it's just me and not being a programmer, I can't mess with the code too much.


The clients are whatever machines will run the client software. Client software simply means a script which allows the machine to connect, send/receive data from php/mysql.

On each client, I have an ssl cert because it needs to automatically accept the private cert, so there was no way of doing this manually since no one might be on the particular machine when it runs its script. In other words, no one could say 'yes', accept the self signed cert.
This was done so I could at least have some ssl protection.

The authentication serves two purposes.

One is to allow only authenticated devices access to the php files they need to send and retrieve data from mysql.

The other is to identify which machine is connecting so that while they are communicating, they are using their own 'account' if you will, their own db records.

If needed, I could put a custom file on every 'client' but since there are three of you sending me input at this point, I am a little confused as to what I need to get done, let alone how I will pick a solution when this question is done. Seems I would have to split it so I'm sorry about that already.
 
LVL 61

Expert Comment

by:btan
ID: 40334812
Noted on client cert, which is actually a machine cert then, since one can "co-share" the same machine; sort of 802.1x, and an app delivery controller or proxy can do that for machine/client auth via a portal easily, transparently offloading much of the scripting to be done... Nonetheless, if a unique client cookie is still preferred for a unique login session tying to the user, then maybe that cookie stuff may be probable (pardon, I do not have the script for that)...
 
LVL 39

Expert Comment

by:noci
ID: 40335017
btan, for curl you specify the certificate explicitly with (command line) options. Nothing from a registry or default store. And as far as the cookie stuff is concerned, that needs to be designed & built into both sides, as it should become part of the connecting protocol to establish both sides' credibility.

OK, so you have certificate based authentication & authorisation in place, and you are using encrypted connections.   Taken care of.

Now your question on CURL ONLY ACCESS..., that needs something you can do very easily with curl and hard any other way.... Changing the protocol (your transaction between the script client side & php on server side) will need changing code on both sides.
The protocol should prove to the server there is a curl client on the other end.
 
LVL 61

Expert Comment

by:btan
ID: 40335184
Indeed, and noted the client cert auth too.
And to make it complicated, if the client goes through a proxy, maybe you can look out for
User-Agent: curl/[ver] ([OS]) libcurl/[ver] OpenSSL/[ver] zlib/[ver]
Proxy-Authenticate: NEGOTIATE
Proxy-Authenticate: NTLM
 
LVL 32

Expert Comment

by:shalomc
ID: 40335306
As you can see, authentication is a complex subject, and there is more than one way to do it.
You already have application level authentication (based on php code) and you are looking for an additional authentication mechanism that will be done on the web server level regardless of the php code beneath.

To sum things up, you have been offered the following options:

* Basic authentication
* X.509 authentication based on client certificates
* Shared secret passed either in a special cookie or in a custom http header

All are more or less commonly used authentication schemes.
SSL is the most difficult to roll out and maintain, but also the most secure.
Using a shared secret is very common at API providers. It requires either application modification to verify the cookie/header , or some httpd configuration voodoo.
Basic authentication and shared secret have the same level of security.
Basic authentication already has the built-in mechanism, and can be easily integrated with user repositories like LDAP or databases.

Imho, if you do not want to modify your application, do not use authentication cookies or custom authentication headers with shared secrets.
 

Author Comment

by:projects
ID: 40342160
I cannot get into modifying my application code nor making big changes on the apache server, so whatever I use, it's got to be simple.

I have to create a unique password for each client anyhow so putting something additional on it like a random based cookie would work fine.

I currently use a bash script to set up new clients anyhow so if this was something I could add/generate from within my script, that would be perfect.
 
LVL 32

Expert Comment

by:shalomc
ID: 40343071
Then go for basic auth from a password file.
Basic auth is proven, stable and well known.

The problem with cookies is that there is no built-in mechanism in apache to authenticate them.
You can use mod_auth_memcookie - but you will need to deploy memcached.
 
LVL 61

Expert Comment

by:btan
ID: 40343234
But do note that BASIC auth is plain credentials sent over ...
 

Author Comment

by:projects
ID: 40344129
Can't basic auth be used over an ssl curl connection?
 

Author Comment

by:projects
ID: 40344136
So for example, I already have a strong password on every remote connection so why could I not use the same password since the client already has one?
 
LVL 39

Expert Comment

by:noci
ID: 40344412
Yes, you can do basic authentication over SSL, no problem at all; to be honest you should not do basic authentication WITHOUT ssl...

If you already HAVE ssl authentication that is a strong method of authenticating in itself.
You could use the basic authentication as an "EXTRA" that is not difficult to implement
(it is more or less outside of the protocol to transfer data, and also providing a cookie upfront on the first call is another). They don't add to the authentication but make it harder for browsers to emulate the curl behaviour (although only slightly).
 

Author Comment

by:projects
ID: 40344492
What I mean is that the client (or remote machines connecting using a script) already uses ssl to connect using https AND they also have a password on them which is a very strong password, allowing them to authenticate to a php app to send/receive data.

What would I need to do in order to allow only those clients to gain access to any pages within that web site (virtualhost in this case) using the same password?

Sorry, but all of the info in this question has overwhelmed me and I am not clear on my options at this point.
 
LVL 61

Expert Comment

by:btan
ID: 40345337
If you have the SSL channel set up before the plain credential is sent over that SSL tunnel, then minimally it is not plain over the wire - agree with noci.

http://wiki.uniformserver.com/index.php/PHP_cURL:_GET_POST_SSL_AUTH
 
LVL 32

Expert Comment

by:shalomc
ID: 40345613
You say that you already have a bash script to provision users.

I assume that your script accepts a user name and password (or generates a random password), and then does database inserts and updates to support your php authentication + authorization.

It is very easy to add basic authentication support into your script.
The following examples are from http://www.htaccesstools.com/articles/htpasswd/
Read that article for a comprehensive guide on htpasswd.

* Create a password file.
It is actually just a text file, with an internal format that includes the user name and encrypted password separated by a colon.
shalomc:$apr1$dHjB0/..$mkTTbqwpK/0h/rz4ZeN8M0
btan:$apr1$IHaD0/..$N9ne/Bqnh8.MyOtvKU56j1

* Create users and passwords
Obviously your script knows who the user is and what the password is. This php code snippet encrypts the password to be suitable for the password file:
<?php
// Password to be encrypted for a .htpasswd file
$clearTextPassword = 'some password';

// Encrypt password. crypt() picks the hash type from the salt; a salt without a
// "$id$" prefix, as here, gives the traditional crypt format that Apache accepts
$password = crypt($clearTextPassword, base64_encode($clearTextPassword));

// Print encrypted password
echo $password;
?>

* Configure Apache to use the password file
The full info is in an earlier comment, but you need to add something like this to your top directory in httpd.conf
AuthType Basic
AuthName "Secure Zone"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/.htpasswd
Require user shalomc

Now ALL access to the protected resources, including php, text files, images, will require authentication.

A curl request to a php authenticated + basic authenticated asset will look like this. Note the double usage of user and password: once for php in the POST body and once for Apache using the -u switch.
curl -X POST -d "user=$user" -d "password=$password" -d "payload=$payload" -u "$user:$password" https://xxx.yyy/securedir/a.php

 
LVL 39

Expert Comment

by:noci
ID: 40347344
@shalomc: please note that ssl authentication already IS in place.... you may have to merge the configs.
 
LVL 32

Expert Comment

by:shalomc
ID: 40348326
@noci:
As far as I understand, although SSL is in place, SSL authentication is not.
SSL authentication would be a stronger solution than BA, but the management overhead is a pita.
 
LVL 39

Expert Comment

by:noci
ID: 40348774
shalomc: see above:   ID: 40301384
 
LVL 32

Expert Comment

by:shalomc
ID: 40348778
@projects, we have a dispute on how you authenticate your users.
So, how do you do that?
 

Author Comment

by:projects
ID: 40355215
This is how the script is connecting home;

curl -m 3 -s -k --key server.key --cert server.crt -o /dev/null -u "$USERNAME:$PASSWD" --connect-timeout 5 -X POST $SERVER_URL/app.php

Then when it connects, it sends -F <variable> (whatever function I want to use on php)

Another example;

curl -s -k --key server.key --cert server.crt -u "$USERNAME:$PASSWD" --connect-timeout 5 -X POST https://domain.com/app.php -F function=something_or_other

I installed the self signed certs on each machine running the script because there isn't a user to interact and accept the self signed cert.
 
LVL 32

Expert Comment

by:shalomc
ID: 40355273
Are there any checks on the client certificate DN property or any other property? (dn being Distinguished Name)

-u "$USERNAME:$PASSWD"
This means that you already use basic authentication and probably decode it inside your php application.

All you have to do is add the same user and password into the apache password file, configure httpd basic auth, and then Apache will enforce the user and password on the entire web site, even places where your code does not check.
Your php code will continue to function exactly in the same way.
 

Author Comment

by:projects
ID: 40355307
Not sure what you mean by the first question.

Sorry, the $USERNAME:$PASSWD are the variables which the script has which contain the name and password. The php side looks up the username then the password in mysql before allowing access.

Yes, I've come to understand that I will be using htpasswd at this point. However, I am using curl, this is a script, so how does the script know when it is being prompted for name/password and how does it then send that?

This would have to happen above each of my curl connections I guess.
 
LVL 32

Expert Comment

by:shalomc
ID: 40355379
If you don't know what I mean in the first question then you are not using certificate based authentication.

The -u "$USERNAME:$PASSWD" directive causes curl to create a special Authorization HTTP header:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

curl does it automatically. You can add -v to a curl call to see which http headers are created by curl.
When this header is in the correct format and with the correct values, Apache will simply pass the request thru to your php, retaining the header for the application to use.
When the header is missing, or has incorrect values (like a wrong password), apache will block the request and throw a 401 (Not authorized) error.
It's like having 2 security guards checking your ID: one at the entrance to the building, and the other at the entrance of the mainframe room.
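The password-file entries from shalomc's earlier comment and the Authorization header in this one, worked through as an added example (my code, not from the thread or from Apache): it writes htpasswd lines in the $apr1$ format, builds and decodes the header that curl -u produces, and performs the same check that mod_auth_basic with mod_authn_file performs before app.php runs. The function names (apr1_crypt, htpasswd_line, basic_header, parse_basic_header, authorize) and the sample users are my own.

```python
"""Build .htpasswd entries in the $apr1$ format shown above and check a
curl-generated 'Authorization: Basic ...' header against them, i.e. the
check mod_auth_basic + mod_authn_file perform before app.php ever runs."""
import base64, hashlib, hmac, secrets

# crypt-style alphabet used by $apr1$ (not the same as RFC 4648 base64)
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Apache's MD5-based crypt ($apr1$), the format 'htpasswd -m' writes."""
    pw, magic = password.encode(), b"$apr1$"
    sl = salt[:8].encode()              # at most 8 salt characters are used
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                            # md5crypt's bit-by-bit mixing step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):             # 1000 stretching rounds
        c = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(sl)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    enc = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (magic + sl + b"$" + enc).decode()


def htpasswd_line(user: str, password: str) -> str:
    """One 'user:$apr1$salt$hash' line for the AuthUserFile, random salt."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    salt = "".join(chr(ITOA64[secrets.randbelow(64)]) for _ in range(8))
    return f"{user}:{apr1_crypt(password, salt)}"


def check_entry(stored: str, password: str) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[6:].split("$", 1)[0]
    return hmac.compare_digest(apr1_crypt(password, salt), stored)


def basic_header(user: str, password: str) -> str:
    """What 'curl -u user:password' sends: 'Basic base64(user:password)'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_header(value: str):
    """Decode the header; None for a non-Basic scheme or a malformed token."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authorize(header: str, htpasswd_text: str):
    """User name Apache hands to PHP as REMOTE_USER, or None (Apache answers 401)."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    for line in htpasswd_text.splitlines():
        name, sep, stored = line.partition(":")
        if sep and name == user and check_entry(stored, password):
            return user
    return None
```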
 

Author Comment

by:projects
ID: 40355408
Yes, there is an Authorization: Basic xxxxxxxxxx code. Here is the output of one of those connections above.

* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
> GET /receiver/receiver.php HTTP/1.1
> Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
> User-Agent: curl/7.29.0
> Host: server.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 01 Oct 2014 19:01:43 GMT
< Server: Apache
< X-Powered-By: PHP/5.4.32
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [data not shown]
* SSLv3, TLS alert, Client hello (1):
} [data not shown]

 
LVL 32

Expert Comment

by:shalomc
ID: 40355591
This is created by curl when you supply the user/password.
Your php code takes the values of $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] and checks them.
These values are derived from the Authorization header.
 

Author Comment

by:projects
ID: 40355801
>If you don't know what I mean in the first question then you are not using
>certificate based authentication.

You see, I *have* to authenticate the connection because it is also how the script sends data to its own database record.

When the script connects to php, php not only authenticates the script so it can send/read data but also to make sure we are storing the data being sent into the correct database record owner.

So, now that you know how I am connecting to the server, is there a way of using this same connection to also get past htpasswd?
 

Author Comment

by:projects
ID: 40355885
I think based on the above, this means I need a dual login setup.
The first part would use the curl connection and its NAME:PASSWORD to get past the htpasswd and the second part would do what it always does.

Or, perhaps this means I need to add a pre-authentication line above my curl lines in the script?

Something along the lines of?????

curl_setopt($curlObj, CURLOPT_USERPWD, "$username:$password");
curl_setopt($curlObj, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl -s -k --key server.key --cert server.crt https://domain.com/app.php -u "$USERNAME:$PASSWD" -F some_command
 
LVL 32

Expert Comment

by:shalomc
ID: 40356111
If you set up htpasswd to use the same user and password like your php code, then curl will pass $USERNAME:$PASSWD both to apache and to the php. No need to modify anything, no need for dual login.
You can check it easily:
Set up apache basic auth on a test directory, and place there a small php file that prints out the user and password.
Try to access it with a correct password, and everything works, php has access to the user and password.
Try to access it with an incorrect password, and you can't get past apache.
 

Author Comment

by:projects
ID: 40356187
Now that would be a nice easy solution. Let me work on that and get back to this question.
 

Author Comment

by:projects
ID: 40356213
I've got it set up so that I can manually browse to the demo site and have to log in. I tested by using the wrong name/password then the proper one and got in.

However, the script keeps getting a 401 error. I did set the name/pass the same as the script.

www.domain.com x.x.x.x - - "HEAD / HTTP/1.1" 401 - "-" "curl/7.29.0"
 

Author Comment

by:projects
ID: 40356269
I tried another test, adding all of the users/passwords into the .htpasswd file along with getting the .htaccess file ready.

I put .htpasswd where it needs to be, then the second I copy the .htaccess file into the site, the remote scripts immediately get 401 errors.

I guess this means there really is some additional code needed?
 

Author Comment

by:projects
ID: 40358566
So we find a possible solution but this is where it all ends?
Come on now, someone's got to have the answer :)
 
LVL 32

Expert Comment

by:shalomc
ID: 40359127
You are doing something wrong. If you set up htpasswd correctly, and you use "projects" for user and "EE" for password, then this will bypass 401

curl -u "projects:EE"

Let's start with debugging your script. Run the curl with -v to see the Authorization header, copy the encoded string and use this web site to decode it.
https://www.base64decode.org/
 

Author Comment

by:projects
ID: 40359667
Ok, so, using the site you sent me to, it confirms I have the correct name/passwd.
I also posted above that I do get the Authorization Basic CODE.

You said set up htpasswd on a site, then test a connection which is what I did. This works fine using a web browser, I was prompted for name/pass and wasn't able to get in with the wrong credentials but was with the right ones.

I then tried using

curl -v http://www.domain.com/ -u "name:pass" -o blah

Using the wrong password; HTTP/1.1 401 Authorization Required
Using the correct password; HTTP/1.1 200 OK

So as you can see, this is working but not with my application. In other words, there seems to be an additional step needed to get past htpasswd then send the same credentials to the app.
 

Author Comment

by:projects
ID: 40359692
I tested some more and I think I see why now. It may be because I have set all of the script connections to be https but one connection being made is http only without sending name:pass.

It would make sense that I am seeing a 401 error. I think the results are correct and that I need to make some adjustment to the script code.
 

Author Comment

by:projects
ID: 40360296
There is a strange behavior however.
Using the wrong name, I can't get authenticated until I use the proper one.
However, using the wrong password still lets me in.
 

Author Comment

by:projects
ID: 40367417
Anyone know why this would happen?
 

Author Closing Comment

by:projects
ID: 40397365
This works perfectly.

Nothing special needed to be done and that's what I was after. Curl passes the name/pass to htpasswd then passes it again to the php app and nothing else gets in.

Perfect, thank you.