operasoftware / dns-ui

Opera's LDAP-authenticated PowerDNS user interface
Apache License 2.0

read authentication from $REMOTE_USER #202

Closed uedvt359 closed 9 months ago

uedvt359 commented 1 year ago

This change allows other authentication methods than HTTP Basic Auth with Apache. httpd puts user information (e.g. when using SSLVerifyClient and SSLUserName) into $REMOTE_USER, which is not picked up by PHP's basic auth variables.

This allows login with client certificates, using a config like this:

        SSLVerifyClient      optional
        SSLVerifyDepth       3
        SSLOptions           +StdEnvVars +ExportCertData +OptRenegotiate
        SSLUserName          SSL_CLIENT_S_DN_CN

        <Directory /var/www/html/dnsui/public_html>

                SSLRequireSSL
                Require expr %{SSL_CLIENT_S_DN_CN} == "myCertCommonName"
                Require all denied

                # fallback to basic auth if no client cert present:
                AuthType Basic
                AuthName "DNS UI"
                AuthBasicProvider file
                AuthUserFile "/var/www/html/dnsui/config/htpass"
                Require user apiUser1 apiUser2

        </Directory>

I believe that at least for Apache, only reading $REMOTE_USER would be enough, but I'm keeping PHP_AUTH_USER for safety in this pull request.
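
An added example, not code from this pull request or from dns-ui: one way a PHP application can take the user name from the variables httpd sets after authenticating the request. It assumes REMOTE_USER is preferred over PHP_AUTH_USER; the function name, the character whitelist and the sample arrays are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not dns-ui's code): resolve the authenticated user name
 * from server-set variables. Assumptions: REMOTE_USER takes precedence over
 * PHP_AUTH_USER; the function name and whitelist are hypothetical.
 */
function resolve_authenticated_user(array $server): ?string
{
    // REMOTE_USER is set by httpd itself (Basic auth, or mod_ssl through
    // SSLUserName). PHP_AUTH_USER is only populated for HTTP Basic auth.
    // HTTP_* keys are deliberately not consulted: PHP builds them from
    // request headers, so the client controls their content.
    foreach (['REMOTE_USER', 'PHP_AUTH_USER'] as $key) {
        $value = $server[$key] ?? null;
        if (!is_string($value) || $value === '') {
            continue; // unset or empty: this method did not authenticate anyone
        }
        // Refuse names with unexpected characters rather than passing them
        // to later lookups. Adjust the pattern to the site's naming scheme
        // (a certificate CN may legitimately contain spaces, for instance).
        if (preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $value) !== 1) {
            return null;
        }
        return $value;
    }
    return null;
}

// Constructed sample inputs standing in for $_SERVER.
$samples = [
    'client certificate'   => ['REMOTE_USER' => 'myCertCommonName'],
    'basic auth'           => ['REMOTE_USER' => 'apiUser1', 'PHP_AUTH_USER' => 'apiUser1'],
    'basic auth, PHP only' => ['PHP_AUTH_USER' => 'apiUser2'],
    'request header only'  => ['HTTP_REMOTE_USER' => 'apiUser1'],
    'empty value'          => ['REMOTE_USER' => ''],
];

foreach ($samples as $label => $server) {
    $user = resolve_authenticated_user($server);
    printf("%-22s => %s\n", $label, $user ?? '(unauthenticated)');
}
```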

uedvt359 commented 9 months ago

Hi, @thomas-pike! Are you interested in this patch? We've been running it in production for quite a while now (~1/2 year) without problems.

thomas-pike commented 9 months ago

Sure, thanks for the patch and the reminder!