AuthenticateWebInterfaceUsingApache

Authenticating mldonkey-webinterface-users against PAM/MYSQL/LDAP/ANYTHING

This is a short tutorial showing how to use PAM, MySQL, LDAP (or anything else Apache can authenticate against) as the authentication source for mldonkey's webinterface. IIRC, mldonkey will at some point offer this functionality itself. Until that happens, we use Apache and its reverse-proxy capabilities for this.

The mldonkey webinterface is reachable at http://mldonkeyhost:4080/ and requires the HTTP Basic credentials admin:supersecret. You can also set the admin password to "", in which case the webinterface won't prompt for a login.

Apache (tested with version 2.2) runs on apachehost and has the following entries in httpd.conf (or whatever your apache configuration file is):

# Load required modules
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# mod_headers provides the RequestHeader directive used below
LoadModule headers_module modules/mod_headers.so

# REVERSE PROXY FOR MLDONKEY WEBINTERFACE
ProxyRequests off
RewriteEngine on
# append a trailing slash if user entered "/mldonkey" instead of "/mldonkey/"
RewriteRule ^/mldonkey$ mldonkey/ [R]
ProxyPass /mldonkey/ http://mldonkeyhost:4080/
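# ProxyHTMLURLMap is provided by mod_proxy_html, a separate module on Apache 2.2 that must be installed and loaded
ProxyHTMLURLMap http://mldonkeyhost:4080/ /mldonkey/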

<Location /mldonkey>
        ProxyPassReverse /

        RequestHeader unset  Authorization
        # forward auth admin:supersecret to mldonkey webinterface
        RequestHeader set Authorization "Basic YWRtaW46c3VwZXJzZWNyZXQ="

        # authentication settings
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        AuthUserFile /usr/local/apache/passwd/passwords
        Require valid-user
</Location>

This tells Apache to forward (proxy) any incoming HTTP request for the URL http://apachehost/mldonkey to http://mldonkeyhost:4080/. Of course, Apache and mldonkey can run on the same server. The HTTP response from the mldonkey webinterface goes back through the Apache proxy to the user's browser (the client).

As defined in the apache-configuration, the user needs to authenticate for http://apachehost/mldonkey. Authentication options for apache-2.0 differ a lot from apache-2.2, since the authentication has been reworked between those two revisions. Depending on your version, have a look at either http://httpd.apache.org/docs/2.0/howto/auth.html or http://httpd.apache.org/docs/2.2/howto/auth.html.

Once the user has authenticated to the Apache reverse proxy, Apache would forward the whole request, including the user's authentication data, to the mldonkey server. This is not good, as the mldonkey webinterface doesn't expect a login of someuser_on_apache_box:his_password, but rather admin:supersecret. We solve this problem by removing the original Authorization request header in Apache and setting a fixed one before the request is forwarded to mldonkey's webinterface. This is done with these lines:

        RequestHeader unset  Authorization
        # forward auth admin:supersecret to mldonkey webinterface
        RequestHeader set Authorization "Basic YWRtaW46c3VwZXJzZWNyZXQ="

The "YWRtaW46c3VwZXJzZWNyZXQ=" is the string "admin:supersecret" base64-encoded. Base64 is an encoding, not encryption, so anyone who can read the Apache configuration file can recover the password. You can of course change the username and password and base64-encode them yourself. Try http://makcoder.sourceforge.net/demo/base64.php or google for similar services.
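
Encoding the credential locally keeps it out of third-party web pages. The following added example (not part of the original tutorial) builds the RequestHeader line with standard tools and shows that the token stored in the configuration decodes straight back to admin:supersecret. The function names are illustrative, and a GNU-style `base64` with `-d` is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Uses printf, base64, tr, sed, ls.

# basic_token USER PASS -> base64 of "USER:PASS"
basic_token() {
    case "$1" in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac
    # printf, not echo: echo would append a newline that ends up inside the
    # encoded credential. tr strips the line wrapping base64 may add.
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# header_line USER PASS -> directive for the <Location /mldonkey> block
header_line() {
    tok=$(basic_token "$1" "$2") || return 1
    printf 'RequestHeader set Authorization "Basic %s"\n' "$tok"
}

# embedded_creds FILE -> decoded user:pass of every hard-coded Basic header,
# i.e. what any reader of the configuration file can recover.
embedded_creds() {
    sed -n 's|.*Authorization[[:space:]]*"Basic[[:space:]]*\([A-Za-z0-9+/=]*\)".*|\1|p' "$1" |
    while read -r tok; do
        printf '%s' "$tok" | base64 -d
        printf '\n'
    done
}

# world_readable FILE -> exit 0 if "other" has read permission on FILE
world_readable() {
    perms=$(ls -ld "$1") || return 2
    case "$perms" in
        ???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with the page's sample credentials
header_line admin supersecret
```

Because `embedded_creds` recovers the password from the file, the Apache configuration file that carries this directive should not be world-readable; `world_readable` checks that.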

If the mldonkey-webinterface has an empty password set, it doesn't need authentication data at all, so you can simply unset the Authorization-header before passing it on to mldonkey. Thus, you only need the "RequestHeader unset Authorization" line and can remove the other two.

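If apachehost and mldonkeyhost are two different machines, you must enable access to the mldonkey webinterface from apachehost. Allow only apachehost rather than the whole network: any client that can reach port 4080 directly bypasses Apache's authentication.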

Please note that your passwords will be transmitted in plaintext unless you use https://.

Hope that helps!

Further reading:

How HTTP authentication works: http://en.wikipedia.org/wiki/Basic_authentication_scheme

How reverse proxies work: http://www.apachetutor.org/admin/reverseproxies
