Tag Archives: Apache httpd

Apache httpd: Use php-cgi without mod_php

The PHP site describes how to use PHP as an Apache httpd module; however, that’s not always the desired option (e.g. if you want to use different PHP versions at the same time).

In order to enable PHP in CGI mode we use the actions module of Apache httpd. On Debian-based systems you have to enable it using a2enmod actions.

One can enable php-cgi for the whole installation via the global httpd.conf, for vhosts or for specific files/folders using .htaccess-files. The configuration looks as follows:
# CUSTOM: Add PHP parsing (via CGI) handler and action for .php files
ScriptAlias /local-bin/php-cgi /usr/bin/php-cgi
AddHandler application/x-httpd-php .php
Action application/x-httpd-php /local-bin/php-cgi

Maybe you also need to allow access to /usr/bin by adding:

<Directory "/usr/bin">
# Apache httpd 2.2 syntax; httpd 2.4 uses "Require all granted" instead
Order allow,deny
Allow from all
</Directory>

Some other howtos suggest using a directory as ScriptAlias (e.g. ScriptAlias /local-bin /usr/bin), which might be a security problem, since all tools in /usr/bin can be executed via the web (e.g. http://example.com/local-bin/whoami). Directly using php-cgi prevents this. In addition, php-cgi contains a security check so that it cannot be executed directly.
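A small configuration audit for the risk described above, as an added example that is not part of the original post. It flags ScriptAlias directives whose target is a whole system binary directory rather than a single file; the function name, the directory list and the sample configuration are assumptions made for illustration.

```python
import posixpath
import shlex

# Directories of general-purpose system binaries (assumed list; extend as needed).
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = '''\
# risky: every tool in /usr/bin becomes reachable as /local-bin/<name>
ScriptAlias /local-bin /usr/bin
scriptalias /tools/ "/usr/local/bin/"
# form recommended in the post: alias exactly one interpreter
ScriptAlias /local-bin/php-cgi /usr/bin/php-cgi
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
'''


def audit_scriptalias(conf_text):
    """Return (line_no, url_path, target) for each two-argument ScriptAlias
    that maps a URL prefix onto a whole system binary directory."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # handles quoted paths
        except ValueError:
            continue  # unbalanced quotes: not a directive we can judge
        # httpd directive names are case-insensitive
        if len(parts) != 3 or parts[0].lower() != "scriptalias":
            continue
        url_path, target = parts[1], parts[2]
        # normpath drops a trailing slash, so "/usr/bin/" and "/usr/bin" match
        if posixpath.normpath(target) in SYSTEM_BIN_DIRS:
            findings.append((line_no, url_path, target))
    return findings


if __name__ == "__main__":
    for line_no, url_path, target in audit_scriptalias(SAMPLE_CONF):
        print(f"line {line_no}: ScriptAlias {url_path} exposes all of {target}")
```

The check looks only at the literal directive text; Include files and the one-argument ScriptAlias form inside a Location section are outside its scope.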

Update 2013-05-20: Debian 7 has support for this by default (a2enmod php5_cgi, you might need to install php5-cgi).

mod_auth_pgsql: Support for salted md5 password hashes

Recently I created a patch against the Apache httpd authentication module mod_auth_pgsql 2.0.3 to add support for salted md5 password hashes. In one scenario I wanted to authenticate users against the PostgreSQL user database. However, mod_auth_pgsql could only handle crypted, md5 and base64 encoded passwords. There was no support for salted MD5 passwords (username+password concatenated) as in the pg_shadow table.

Just apply the patch mod_auth_pgsql-pgsql-saltedmd5.patch and use
Auth_PG_encrypted ON
Auth_PG_hash_type MD5PGSQL

as new configuration parameters.

Update 2013-05-01: Patch accepted upstream.

Apache httpd ldap-auth: canonicalize usernames

I created a patch for Apache httpd for ldap-authentication (reported upstream as bug #646646). In my scenario I used

AuthLDAPRemoteUserAttribute uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN Off
AuthBasicProvider ldap

require ldap-group cn=Domain Admins,ou=Group, dc=DOMAIN,dc=de

We always used lowercased usernames in memberUid. Some users tended to enter their usernames with a leading uppercase char. Password authentication worked, however, memberUid (from posixGroup, which is also used by samba domain groups) is case sensitive – so group authorization failed.

In order to fix this issue I created a patch for Apache httpd which makes it possible to configure that the username Apache httpd uses is replaced by the value of the “AuthLDAPRemoteUserAttribute” field of the LDAP result. This also helps to canonicalize usernames (in logs and the REQUEST_USER environment variable), so that the same casing is always used and (LDAP) aliases resolve to the same username.