<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Apache module mod_auth[n]_nufw</title> </head> <!-- Background white, links blue (unvisited), navy (visited), red (active) --> <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> <div align="CENTER"> <h3>Single Sign On Authentication module for Apache HTTP Server Version 1.3/2.0/2.2</h3> </div> <h1 align="CENTER">(third party) Apache module mod_auth[n]_nufw</h1> <p>This module provides SSO user authentication, based on the NuFW firewalling solution.</p> <p><a href="module-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="module-dict.html#SourceFile" rel="Help"><strong>Source File:</strong></a> mod_auth_nufw.c<br /> <a href="module-dict.html#ModuleIdentifier" rel="Help"><strong>Module Identifier:</strong></a> mod_auth_nufw (1.3 and 2.0), mod_authn_nufw (2.2)<br /> <a href="module-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> Available in Apache 1.3, 2.0 and 2.2.</p> <h2>Summary</h2> <p>This module allows for a totally transparent, and strict, identification of users. It uses NuFW as its backend and performs SQL requests on the NuFW-fed SQL tables. This module is probably of no use without NuFW, as it relies on a database that is constantly kept up to date with user network activity.</p> <p>For additional information, please visit the <a href="http://www.nufw.org/">NuFW website</a> or the <a href="http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/mod_auth_nufw">mod_auth_nufw home page</a>.</p> <h2>Compile time options</h2> <p>These options are available at compile time: <ul> <li>--with-mysql: with this option, the module will connect to a MySQL database. If omitted, the module will connect to a PostgreSQL database.</li> 
</ul> </p> <h2>Known problems</h2> <p>If you use PHP/SQL and observe child segfaults, here is the reason: your PHP module is linked against its own MySQL library (bundled with PHP), while mod_auth_nufw is linked against the system's SQL library. The two collide at runtime, which makes the Apache child segfault (the segfault happens whenever mod_auth_nufw is loaded, whether it is enabled or not). The solution is to recompile either PHP or mod_auth_nufw, so that both are linked against the same library.</p> <h2>Loading the module</h2> <p>On Apache 1.3 or 2.0, add this line to your configuration file:</p> <code>LoadModule mod_auth_nufw libexec/mod_auth_nufw.so</code> <p>On Apache 2.2, add this line to your configuration file:</p> <code>LoadModule mod_authn_nufw /usr/lib/apache2/modules/mod_auth_nufw.so</code> <h2>General Naming of directives</h2> <p>Directives starting with <strong>AuthNufw</strong> are for 1.3 and 2.0 installations of the module.</p> <p>Directives starting with <strong>AuthnNufw</strong> are for 2.2 installations of the module.</p> <p>Note that the internals of mod_auth_nufw are the same from 2.0 to 2.2; only very minor API changes were reflected. 
The naming change is intended to make it clear and logical to the administrator that mod_auth_nufw is an Authentication module, ie, authorization is to be performed separately.</p> <p>The description of all directives is therefore valid for 1.3, 2.0 and 2.2 installations.</p> <h2>Directives</h2> <ul> <li><a href="#AuthNufwEnabled">Auth[n]NufwEnabled</a></li> <li><a href="#AuthNufwAuthoritative">Auth[n]NufwAuthoritative</a></li> <li><a href="#AuthNufwProtocolVersion">Auth[n]NufwProtocolVersion</a></li> <li><a href="#AuthNufwAuthFrom">Auth[n]NufwAuthFrom</a></li> <li><a href="#AuthNufwSQLHost">Auth[n]NufwSQLHost</a></li> <li><a href="#AuthNufwSQLPort">Auth[n]NufwSQLPort</a></li> <li><a href="#AuthNufwSQLDatabase">Auth[n]NufwSQLDatabase</a></li> <li><a href="#AuthNufwSQLTable">Auth[n]NufwSQLTable</a></li> <li><a href="#AuthNufwSQLUser">Auth[n]NufwSQLUser</a></li> <li><a href="#AuthNufwSQLPassword">Auth[n]NufwSQLPassword</a></li> <li><a href="#AuthNufwSQLSSLEnabled">Auth[n]NufwSQLSSLEnabled</a></li> <li><a href="#AuthNufwSQLSSLKeyfile">Auth[n]NufwSQLSSLKeyfile</a></li> <li><a href="#AuthNufwSQLSSLCertfile">Auth[n]NufwSQLSSLCertfile</a></li> <li><a href="#AuthNufwSQLSSLCA">Auth[n]NufwSQLSSLCA</a></li> <li><a href="#AuthNufwSQLSSLCAPath">Auth[n]NufwSQLSSLCAPath</a></li> <li><a href="#AuthNufwSQLSSLCypher">Auth[n]NufwSQLSSLCypher</a></li> <li><a href="#AuthNufwTimeWindow">Auth[n]NufwTimeWindow</a></li> <li><a href="#AuthNufwMaxSqlConns">Auth[n]NufwMaxSqlConns</a></li> <li><a href="#AuthNufwMaxSimilarSqlConns">Auth[n]NufwMaxSimilarSqlConns</a></li> <li><a href="#AuthNufwTokensEnabled">Auth[n]NufwTokensEnabled</a></li> </ul> <hr /> <h2><a id="AuthNufwEnabled" name="AuthNufwEnabled">Auth[n]NufwEnabled</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwEnabled <em>On/Off</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwEnabled Off</code><br /> <a 
href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwEnabled is only available in Apache 1.3 and 2.0. AuthnNufwEnabled is only available in Apache 2.2. <p>Specifies whether to activate mod_auth_nufw features. If set to Off, all other mod_auth_nufw directives will be ignored, apart from <a href="#AuthNufwTokensEnabled">Auth[n]NufwTokensEnabled</a>.</p> <hr /> <h2><a id="AuthNufwAuthoritative" name="AuthNufwAuthoritative">Auth[n]NufwAuthoritative</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwAuthoritative <em>On/Off</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwAuthoritative On</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwAuthoritative is only available in Apache 1.3 and 2.0. AuthnNufwAuthoritative is only available in Apache 2.2. <p>Specifies whether authentication should be attempted through other modules if mod_auth_nufw fails. 
For instance, falling back to prompting the user for a login/password may be suitable if the NuFW SQL database is unreachable. If set to <em>On</em>, no other module will be used.</p> <hr /> <h2><a id="AuthNufwProtocolVersion" name="AuthNufwProtocolVersion">Auth[n]NufwProtocolVersion</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwProtocolVersion <em>1/2</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwProtocolVersion 2</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwProtocolVersion is only available in Apache 1.3 and 2.0. It is available in mod_auth_nufw only in versions higher than 2.0. AuthnNufwProtocolVersion is only available in Apache 2.2. <p>Specifies the protocol version of the NuFW backend firewall. The default, version 2, is simplest. Everyone uses 2.0 anyway, so this option will be removed soon.</p> 
<hr /> <h2><a id="AuthNufwAuthFrom" name="AuthNufwAuthFrom">Auth[n]NufwAuthFrom</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwAuthFrom from all|<i>host</i>|env=<i>env-variable</i> [<i>host</i>|env=<i>env-variable</i>] ...<br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwAuthFrom is available in mod_auth_nufw only in versions higher than 2.0, and only for Apache 2.0. AuthnNufwAuthFrom is available only for Apache 2.2. <p>Specifies under which conditions the auth module should query the database. Typically, one will set it to their internal network address. This directive follows the same philosophy as "Allow" or "Deny" from mod_access. Note that it is part of the mod_auth_nufw module, and can therefore be combined with "classical" Allow and Deny directives.</p> 
<hr /> <h2><a id="AuthNufwSQLHost" name="AuthNufwSQLHost">Auth[n]NufwSQLHost</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLHost <em>HostName/IP</em><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLHost is only available in Apache 1.3 and 2.0. AuthnNufwSQLHost is only available in Apache 2.2. <p>Specifies SQL host to connect to to perform user identification. SQL table contains : UserID, TCP connection parameters and time of the connection. This parameter accepts either FQDN or IP address. 
Example:</p> <pre> AuthNufwSQLHost 127.0.0.1 </pre> <hr /> <h2><a id="AuthNufwSQLPort" name="AuthNufwSQLPort">Auth[n]NufwSQLPort</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLPort <em>Port</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default when compiled with mysql support:</strong></a> <code>Auth[n]NufwSQLPort 3306</code><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwSQLPort 5432</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLPort is only available in Apache 1.3 and 2.0. AuthnNufwSQLPort is only available in Apache 2.2. 
<p>Specifies the SQL port to connect to for user identification. Example:</p> <pre> AuthNufwSQLPort 5432 </pre> <hr /> <h2><a id="AuthNufwSQLDatabase" name="AuthNufwSQLDatabase">Auth[n]NufwSQLDatabase</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLDatabase <em>Database</em><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLDatabase is only available in Apache 1.3 and 2.0. AuthnNufwSQLDatabase is only available in Apache 2.2. <p>Specifies the database to connect to for user identification. Example:</p> <pre> AuthNufwSQLDatabase nulog </pre> <hr /> <h2><a id="AuthNufwSQLTable" name="AuthNufwSQLTable">Auth[n]NufwSQLTable</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLTable <em>Table</em><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLTable is only available in Apache 1.3 and 2.0. AuthnNufwSQLTable is only available in Apache 2.2. <p>Specifies the table to query for user identification. 
Example:</p> <pre> AuthNufwSQLTable nulog </pre> <hr /> <h2><a id="AuthNufwSQLUser" name="AuthNufwSQLUser">Auth[n]NufwSQLUser</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLUser <em>User</em><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLUser is only available in Apache 1.3 and 2.0. AuthnNufwSQLUser is only available in Apache 2.2. <p>Specifies username to use for SQL connection. Example:</p> <pre> AuthNufwSQLUser nulog </pre> <hr /> <h2><a id="AuthNufwSQLPassword" name="AuthNufwSQLPassword">Auth[n]NufwSQLPassword</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLPassword <em>Password</em><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLPassword is only available in Apache 1.3 and 2.0. AuthnNufwSQLPassword is only available in Apache 2.2. <p>Specifies password to use for SQL connection. 
Example:</p> <pre> AuthNufwSQLPassword nulog </pre> <hr /> <h2><a id="AuthNufwSQLSSLEnabled" name="AuthNufwSQLSSLEnabled">Auth[n]NufwSQLSSLEnabled</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLEnabled <em>On/Off</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwSQLSSLEnabled Off</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLEnabled is only available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and higher. AuthnNufwSQLSSLEnabled is only available in Apache 2.2. <p>Specifies whether to wrap SQL connection in a SSL session.</p> <p>If this parameter is set to <code>Off</code>, all options starting with AuthNufwSQLSSL... are ignored</p> <p>This option is only effective on <strong>Mysql</strong>. If module is compiled with Postgresql support, <strong>this option and all SSL options are silently ignored</strong>. 
This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.</p> <hr /> <h2><a id="AuthNufwSQLSSLKeyfile" name="AuthNufwSQLSSLKeyfile">Auth[n]NufwSQLSSLKeyfile</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLKeyfile <em>/home/user/my_private_key.key</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwSQLSSLKeyfile /usr/local/apache/conf/nufw_sql_ssl_private.key</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLKeyfile is only available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and higher. AuthnNufwSQLSSLKeyfile is only available in Apache 2.2. <p>Specifies the full path of the file containing the private key for SSL encryption. This must be set if you want to use ssl.</p> <p>This option is only effective on <strong>Mysql</strong>. If module is compiled with Postgresql support, <strong>this option and all SSL options are silently ignored</strong>. 
This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.</p> <hr /> <h2><a id="AuthNufwSQLSSLCertfile" name="AuthNufwSQLSSLCertfile">Auth[n]NufwSQLSSLCertfile</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLCertfile <em>/home/user/my_public_cert.cert</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwSQLSSLCertfile /usr/local/apache/conf/nufw_sql_ssl_public.cert</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLCertfile is only available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and higher. AuthnNufwSQLSSLCertfile is only available in Apache 2.2. <p>Specifies the full path of the file containing the public certificate for SSL encryption. This must be set if you want to use ssl.</p> <p>This option is only effective on <strong>Mysql</strong>. If module is compiled with Postgresql support, <strong>this option and all SSL options are silently ignored</strong>. 
This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.</p> <hr /> <h2><a id="AuthNufwSQLSSLCA" name="AuthNufwSQLSSLCA">Auth[n]NufwSQLSSLCA</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLCA <em>/home/user/my_ca.ca</em><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLCA is only available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and higher. AuthnNufwSQLSSLCA is only available in Apache 2.2. <p>Specifies the full path of your Certificate Authority (CA) file, in PEM format. You can safely leave this unset if you do not have a CA file.</p> <p>This option is only effective on <strong>Mysql</strong>. If module is compiled with Postgresql support, <strong>this option and all SSL options are silently ignored</strong>. 
This may be fixed when PostgreSQL offers an acceptable API for SSL wrapping.</p> <hr /> <h2><a id="AuthNufwSQLSSLCAPath" name="AuthNufwSQLSSLCAPath">Auth[n]NufwSQLSSLCAPath</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLCAPath <em>/home/user/my_cas/</em><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLCAPath is only available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and higher. AuthnNufwSQLSSLCAPath is only available in Apache 2.2. <p>Specifies the full path of a directory containing your Certificate Authority (CA) files, in PEM format. You can safely leave this unset if you do not have CA files.</p> <p>This option is only effective on <strong>Mysql</strong>. If module is compiled with Postgresql support, <strong>this option and all SSL options are silently ignored</strong>. 
This may be fixed when PostgreSQL offers an acceptable API for SSL wrapping.</p> <hr /> <h2><a id="AuthNufwSQLSSLCypher" name="AuthNufwSQLSSLCypher">Auth[n]NufwSQLSSLCypher</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLCypher <em>cipher-list</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwSQLSSLCypher ALL:!ADH:+RC4:@STRENGTH</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLCypher is only available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and higher. AuthnNufwSQLSSLCypher is only available in Apache 2.2. <p>Specifies the list of ciphers you wish to use for SQL connections. A complete cipher list for your system should be available if you run <code>openssl ciphers</code>. The default means "Use any but give RC4 the lowest priority". For more info see: <a href="http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp"> http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp</a></p> <p>This option is only effective on <strong>Mysql</strong>. If module is compiled with Postgresql support, <strong>this option and all SSL options are silently ignored</strong>. 
This will be fixed when PostgreSQL offers an acceptable API for SSL wrapping.</p> <hr /> <h2><a id="AuthNufwTimeWindow" name="AuthNufwTimeWindow">Auth[n]NufwTimeWindow</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwTimeWindow <em>TimeWindow</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwTimeWindow 0</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host, directory, .htaccess<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwTimeWindow is only available in Apache 1.3 and 2.0. AuthnNufwTimeWindow is only available in Apache 2.2. <p>Specifies a time window that must match the user's connection. The NuFW SQL database contains records of users' connections, with the time of each connection. When mod_auth_nufw receives a connection, it matches the connection's time against the time in the database. Due to network latency, those two times may differ slightly. The time window is the number of tenths of a second around the "Apache time" that will be accepted as a match in the SQL records. <br /><strong>WARNING</strong>: if you use HTTP 1.1, this parameter will probably break your auth for all requests but the first in the connection. In that case, it is advised to leave this parameter at its default value of 0, which disables time matching. 
Example:</p> <pre> AuthNufwTimeWindow 5 </pre> <hr /> <h2><a id="AuthNufwMaxSqlConns" name="AuthNufwMaxSqlConns">Auth[n]NufwMaxSqlConns</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwMaxSqlConns <em>Number</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwMaxSqlConns 8</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwMaxSqlConns is only available in Apache 1.3 and 2.0. Beware the use of this directive has changed a lot as of v2.0 of this module. AuthnNufwMaxSqlConns is only available in Apache 2.2. <p>Specifies the maximum overall number of SQL connections to open. When that number of connections is open, the module refuses to open any more. This may therefore totally block some connections if you have several SQL servers to connect to. Use in conjunction with <a href="#AuthNufwMaxSimilarSqlConns">Auth[n]NufwMaxSimilarSqlConns</a> to solve this potential problem, or set to 0 for no limit.</p> 
<hr /> <h2><a id="AuthNufwMaxSimilarSqlConns" name="AuthNufwMaxSimilarSqlConns">Auth[n]NufwMaxSimilarSqlConns</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwMaxSimilarSqlConns <em>Number</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwMaxSimilarSqlConns 4</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config, virtual host<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwMaxSimilarSqlConns is only available in Apache 1.3 and 2.0, and only from v2.0 of this module. AuthnNufwMaxSimilarSqlConns is only available in Apache 2.2. <p>Specifies the maximum number of SQL connections to maintain to a given target, per child, at any time. A target is an entity defined by (host, port, database name, table name, username, and optionally SSL parameters). <br />Note that 1 should be an acceptable value for this parameter on Apache 1.3 as well as on 2.0 with MPM prefork, as children are not threaded on such setups. Set to 0 for no limit. 
Example: </p> <pre> AuthNufwMaxSimilarSqlConns 5 </pre> <hr /> <h2><a id="AuthNufwTokensEnabled" name="AuthNufwTokensEnabled">Auth[n]NufwTokensEnabled</a> directive</h2> <a href="directive-dict.html#Syntax" rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwTokensEnabled <em>On/Off</em><br /> <a href="directive-dict.html#Default" rel="Help"><strong>Default:</strong></a> <code>Auth[n]NufwTokensEnabled On</code><br /> <a href="directive-dict.html#Context" rel="Help"><strong>Context:</strong></a> server config<br /> <a href="directive-dict.html#Override" rel="Help"><strong>Override:</strong></a> AuthConfig<br /> <a href="directive-dict.html#Status" rel="Help"><strong>Status:</strong></a> Extension<br /> <a href="directive-dict.html#Module" rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br /> <a href="directive-dict.html#Compatibility" rel="Help"><strong>Compatibility:</strong></a> AuthNufwTokensEnabled is only available in Apache 2.0, and was introduced on v2.0 of this module. AuthnNufwTokensEnabled is only available in Apache 2.2. <p>Specifies whether to mention "NuFW" in server tokens. </p> <hr /> <h2>Sample configuration</h2>
<pre>
&lt;Directory /var/www&gt;
  &lt;IfModule mod_auth_nufw.c&gt;
    AuthnNufwEnabled On
    AuthnNufwAuthoritative Off
    AuthnNufwProtocolVersion 2
    AuthnNuFWSQLHost localhost
    AuthnNuFWSQLDatabase ulogd
    AuthnNuFWSQLTable conntrack_ulog
    AuthnNuFWSQLUser apache
    AuthnNuFWSQLPassword secret
    # Networks covered by NuFW auth. No SQL request will be performed if the client is outside these networks. Auth will fall back (see below).
    AuthnNufwAuthFrom from 192.168.0.0/24
    AuthnNufwAuthFrom from 10.0.0.0/8
  &lt;/IfModule&gt;
  AuthType Basic
  AuthName "INL OBM"
  # These two lines are optional: fallback in case NuFW is deactivated and no result is found in the database.
  AuthBasicProvider file
  AuthUserFile /etc/apache2/htpasswd
  # Authorization phase. This is the most basic: any authenticated user (by NuFW or by htpasswd) can access the resource.
  Require valid-user
&lt;/Directory&gt;
</pre>
</body> </html>
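The time matching described under Auth[n]NufwTimeWindow, combined with the fallback behaviour of Auth[n]NufwAuthoritative, modelled as an added example (this is not code from mod_auth_nufw). The record layout, the function names, the lookup by source address and port, and the sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ConnRecord:
    """One row of the NuFW-fed table (assumed layout, not the real schema)."""
    user: str
    src_ip: str
    src_port: int
    start_tenths: int  # connection time logged by the firewall, in 1/10 s


def identify(records: List[ConnRecord], src_ip: str, src_port: int,
             apache_tenths: int, time_window: int) -> Optional[str]:
    """Return the user whose logged connection matches, else None.

    time_window is the number of tenths of a second accepted around the
    "Apache time"; 0 disables time matching, as the directive text states.
    """
    for rec in records:
        if (rec.src_ip, rec.src_port) != (src_ip, src_port):
            continue
        drift = abs(apache_tenths - rec.start_tenths)
        if time_window != 0 and drift > time_window:
            continue  # same TCP parameters, but outside the accepted window
        return rec.user
    return None


def outcome(user: Optional[str], authoritative: bool) -> str:
    """What happens to the request once the lookup has run."""
    if user is not None:
        return "nufw:" + user
    # Authoritative On: no other module is used. Off: the next provider
    # (for instance the htpasswd file of the sample configuration) is tried.
    return "deny" if authoritative else "fallback"


# Constructed sample data: one logged connection, then two requests that
# reuse it through HTTP/1.1 keep-alive, 0.2 s and 4.0 s after it was opened.
RECORDS = [ConnRecord("alice", "192.168.0.10", 40312, 10000)]
REQUEST_TIMES = [10002, 10040]


def simulate(time_window: int, authoritative: bool) -> List[str]:
    """Outcome of each request on the kept-alive connection, in order."""
    return [
        outcome(identify(RECORDS, "192.168.0.10", 40312, t, time_window),
                authoritative)
        for t in REQUEST_TIMES
    ]


if __name__ == "__main__":
    for window, auth in [(5, False), (5, True), (0, True)]:
        print(f"TimeWindow {window}, Authoritative "
              f"{'On' if auth else 'Off'}: {simulate(window, auth)}")
```

With a window of 5 the second request on the same connection no longer matches, so it is either handed to the fallback provider or refused, depending on Auth[n]NufwAuthoritative; with the default of 0 both requests are identified.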