apache-mod_authn_nufw-2.2.2-1mdv2010.1.x86_64.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
  <head>
    <title>Apache module mod_auth[n]_nufw</title>
  </head>
  <!-- Background white, links blue (unvisited), navy (visited), red (active) -->

  <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
  vlink="#000080" alink="#FF0000">
        <div align="CENTER">

      <h3>Single Sign On Authentication module for Apache HTTP Server Version 1.3/2.0/2.2</h3>
    </div>


    <h1 align="CENTER">(third party) Apache module mod_auth[n]_nufw</h1>

    <p>This module provides SSO user authentication, based on the NuFW
    firewalling solution.</p>

    <p><a href="module-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="module-dict.html#SourceFile"
    rel="Help"><strong>Source File:</strong></a> mod_auth_nufw.c<br />
     <a href="module-dict.html#ModuleIdentifier"
    rel="Help"><strong>Module Identifier:</strong></a>
    mod_auth_nufw (1.3 and 2.0), mod_authn_nufw (2.2)<br />
     <a href="module-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> Available in
    Apache 1.3, 2.0 and 2.2.</p>

    <h2>Summary</h2>

    <p>This module allows for a totally transparent, and strict, identification
    of users. It uses NuFW as its backend and performs SQL requests on the NuFW-fed SQL
    tables. This module is probably of no use
    if not used with NuFW, as it relies on a database kept constantly up to date with
    user network activity.</p>

    <p>For additional information, please visit <a
    href="http://www.nufw.org/">NuFW website</a> or
    <a href="http://software.inl.fr/trac/trac.cgi/wiki/EdenWall/mod_auth_nufw">mod_auth_nufw home page</a>.</p>

    <h2>Compile time options</h2>
    <p>These options are available at compile time:</p>
    <ul>
      <li>--with-mysql: with this option, the module connects to a MySQL
      database. If omitted, the module connects to a PostgreSQL database.</li>
    </ul>

    <h2>Known problems</h2>
    <p>If you use PHP/SQL and observe children segfaults, here is the reason:
    your PHP module is linked against its own MySQL library (bundled with PHP), while
    mod_auth_nufw is linked against the system's SQL library. Hence, a collision
    appears at runtime, which causes the Apache child to segfault (the segfault
    happens if mod_auth_nufw is loaded, whether it is enabled or not). The solution
    is to recompile either PHP or mod_auth_nufw, so that they are linked against
    the same library.</p>
    <h2>Loading the module</h2>
    <p>On Apache 1.3 or 2.0, add this line to your configuration file:</p>
    <code>LoadModule mod_auth_nufw libexec/mod_auth_nufw.so</code>
    <p>On Apache 2.2, add this line to your configuration file:</p>
    <code>LoadModule mod_authn_nufw /usr/lib/apache2/modules/mod_auth_nufw.so</code>

    <h2>General Naming of directives</h2>
    <p>Directives starting with <strong>AuthNufw</strong> are for 1.3 and 2.0 installations of the module.</p>
    <p>Directives starting with <strong>AuthnNufw</strong> are for 2.2 installations of the module.</p>
    <p>Note that the internals of mod_auth_nufw are the same from 2.0 to 2.2; only very minor API changes were reflected.
    The naming change is intended to make it clear and logical to the administrator that mod_auth_nufw is an authentication
    module, i.e., authorization is to be performed separately.</p>
    <p>The description of all directives is therefore valid for 1.3, 2.0 and 2.2 installations.</p>



    <h2>Directives</h2>

    <ul>
      <li><a href="#AuthNufwEnabled">Auth[n]NufwEnabled</a></li>

      <li><a href="#AuthNufwAuthoritative">Auth[n]NufwAuthoritative</a></li>

      <li><a href="#AuthNufwProtocolVersion">Auth[n]NufwProtocolVersion</a></li>

      <li><a href="#AuthNufwAuthFrom">Auth[n]NufwAuthFrom</a></li>

      <li><a href="#AuthNufwSQLHost">Auth[n]NufwSQLHost</a></li>

      <li><a href="#AuthNufwSQLPort">Auth[n]NufwSQLPort</a></li>

      <li><a href="#AuthNufwSQLDatabase">Auth[n]NufwSQLDatabase</a></li>

      <li><a href="#AuthNufwSQLTable">Auth[n]NufwSQLTable</a></li>

      <li><a href="#AuthNufwSQLUser">Auth[n]NufwSQLUser</a></li>

      <li><a href="#AuthNufwSQLPassword">Auth[n]NufwSQLPassword</a></li>

      <li><a href="#AuthNufwSQLSSLEnabled">Auth[n]NufwSQLSSLEnabled</a></li>

      <li><a href="#AuthNufwSQLSSLKeyfile">Auth[n]NufwSQLSSLKeyfile</a></li>

      <li><a href="#AuthNufwSQLSSLCertfile">Auth[n]NufwSQLSSLCertfile</a></li>

      <li><a href="#AuthNufwSQLSSLCA">Auth[n]NufwSQLSSLCA</a></li>

      <li><a href="#AuthNufwSQLSSLCAPath">Auth[n]NufwSQLSSLCAPath</a></li>

      <li><a href="#AuthNufwSQLSSLCypher">Auth[n]NufwSQLSSLCypher</a></li>

      <li><a href="#AuthNufwTimeWindow">Auth[n]NufwTimeWindow</a></li>

      <li><a href="#AuthNufwMaxSqlConns">Auth[n]NufwMaxSqlConns</a></li>

      <li><a href="#AuthNufwMaxSimilarSqlConns">Auth[n]NufwMaxSimilarSqlConns</a></li>

      <li><a href="#AuthNufwTokensEnabled">Auth[n]NufwTokensEnabled</a></li>

    </ul>
    <hr />

    <h2><a id="AuthNufwEnabled" name="AuthNufwEnabled">Auth[n]NufwEnabled</a> directive</h2>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwEnabled
    <em>On/Off</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwEnabled Off</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwEnabled is only
    available in Apache 1.3 and 2.0. AuthnNufwEnabled is only available in Apache 2.2.

    <p>Specifies whether to activate mod_auth_nufw features. If set to Off, all
    other mod_auth_nufw directives will be ignored, apart from <a
    href="#AuthNufwTokensEnabled">Auth[n]NufwTokensEnabled</a>.</p>
    <hr />

    <h2><a id="AuthNufwAuthoritative" name="AuthNufwAuthoritative">Auth[n]NufwAuthoritative</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwAuthoritative
    <em>On/Off</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwAuthoritative On</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwAuthoritative is only
    available in Apache 1.3 and 2.0. AuthnNufwAuthoritative is only available in Apache 2.2.

    <p>Specifies whether authentication should be attempted through other modules
    if mod_auth_nufw fails. For instance, falling back to prompting the user for a
    login/password may be suitable if the NuFW SQL database is unreachable.
    If set to <em>On</em>, no other module will be used.</p>
    <hr />

    <h2><a id="AuthNufwProtocolVersion" name="AuthNufwProtocolVersion">Auth[n]NufwProtocolVersion</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwProtocolVersion
    <em>1/2</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwProtocolVersion 2</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwProtocolVersion is only
    available in Apache 1.3 and 2.0. It is available in mod_auth_nufw only in
    versions higher than 2.0. AuthnNufwProtocolVersion is only available in Apache 2.2.

    <p>Specifies the protocol version of the NuFW backend firewall. The default,
    version 2, is simplest. Everyone uses 2.0 anyway, so this option will be removed soon.</p>
    <hr />

    <h2><a id="AuthNufwAuthFrom" name="AuthNufwAuthFrom">Auth[n]NufwAuthFrom</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwAuthFrom from all|<i>host</i>|env=<i>env-variable</i> [<i>host</i>|env=<i>env-variable</i>] ...<br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a>
    AuthNufwAuthFrom is available in mod_auth_nufw only in versions higher than 2.0, and only for
    Apache 2.0. AuthnNufwAuthFrom is available only for Apache 2.2.

    <p>Specifies under which conditions the auth module should query the database.
    Typically, one will set it to their internal network address. This directive
    works on the same philosophy as "Allow" or "Deny" from mod_access. Note that
    it is part of the mod_auth_nufw module, and can therefore be
    combined with "classical" Allow and Deny directives.</p>
     <hr />


    <h2><a id="AuthNufwSQLHost" name="AuthNufwSQLHost">Auth[n]NufwSQLHost</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLHost
    <em>HostName/IP</em><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLHost is only
    available in Apache 1.3 and 2.0. AuthnNufwSQLHost is only available in Apache 2.2.

    <p>Specifies the SQL host to connect to for user identification.
    The SQL table contains: UserID, TCP connection parameters and time of the
    connection. This parameter accepts either an FQDN or an IP address. Example:</p>
<pre>
    AuthNufwSQLHost 127.0.0.1
</pre>
    <hr />


    <h2><a id="AuthNufwSQLPort" name="AuthNufwSQLPort">Auth[n]NufwSQLPort</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLPort
    <em>Port</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default when compiled with MySQL support:</strong></a>
    <code>Auth[n]NufwSQLPort 3306</code><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default when compiled with PostgreSQL support:</strong></a>
    <code>Auth[n]NufwSQLPort 5432</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLPort is only
    available in Apache 1.3 and 2.0. AuthnNufwSQLPort is only available in Apache 2.2.

    <p>Specifies the SQL port to connect to for user identification. Example:</p>
<pre>
    AuthNufwSQLPort 5432
</pre>
    <hr />


    <h2><a id="AuthNufwSQLDatabase" name="AuthNufwSQLDatabase">Auth[n]NufwSQLDatabase</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLDatabase
    <em>Database</em><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLDatabase is only
    available in Apache 1.3 and 2.0. AuthnNufwSQLDatabase is only available in Apache 2.2.

    <p>Specifies the database to connect to for user identification. Example:</p>
<pre>
    AuthNufwSQLDatabase nulog
</pre>
    <hr />


    <h2><a id="AuthNufwSQLTable" name="AuthNufwSQLTable">Auth[n]NufwSQLTable</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLTable
    <em>Table</em><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLTable is only
    available in Apache 1.3 and 2.0. AuthnNufwSQLTable is only available in Apache 2.2.

    <p>Specifies the table to query for user identification. Example:</p>
<pre>
    AuthNufwSQLTable nulog
</pre>
    <hr />


    <h2><a id="AuthNufwSQLUser" name="AuthNufwSQLUser">Auth[n]NufwSQLUser</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLUser
    <em>User</em><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLUser is only
    available in Apache 1.3 and 2.0. AuthnNufwSQLUser is only available in Apache 2.2.

    <p>Specifies the username to use for the SQL connection. Example:</p>
<pre>
    AuthNufwSQLUser nulog
</pre>
    <hr />


    <h2><a id="AuthNufwSQLPassword" name="AuthNufwSQLPassword">Auth[n]NufwSQLPassword</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLPassword
    <em>Password</em><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLPassword is only
    available in Apache 1.3 and 2.0. AuthnNufwSQLPassword is only available in Apache 2.2.

    <p>Specifies the password to use for the SQL connection. Example:</p>
<pre>
    AuthNufwSQLPassword nulog
</pre>
    <hr />


    <h2><a id="AuthNufwSQLSSLEnabled" name="AuthNufwSQLSSLEnabled">Auth[n]NufwSQLSSLEnabled</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLEnabled
    <em>On/Off</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwSQLSSLEnabled Off</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLEnabled is only
    available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and
    higher. AuthnNufwSQLSSLEnabled is only available in Apache 2.2.

    <p>Specifies whether to wrap the SQL connection in an SSL session.</p>

    <p>If this parameter is set to <code>Off</code>, all options starting with
    Auth[n]NufwSQLSSL... are ignored.</p>

    <p>This option is only effective on <strong>MySQL</strong>. If the module is
    compiled with PostgreSQL support, <strong>this option and all SSL options
    are silently ignored</strong>. This will be fixed when PostgreSQL offers an
    acceptable API for SSL wrapping.</p>
    <hr />


    <h2><a id="AuthNufwSQLSSLKeyfile"
    name="AuthNufwSQLSSLKeyfile">Auth[n]NufwSQLSSLKeyfile</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLKeyfile
    <em>/home/user/my_private_key.key</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwSQLSSLKeyfile /usr/local/apache/conf/nufw_sql_ssl_private.key</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLKeyfile is only
    available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and
    higher. AuthnNufwSQLSSLKeyfile is only available in Apache 2.2.

    <p>Specifies the full path of the file containing the private key for SSL
    encryption. This must be set if you want to use SSL.</p>

    <p>This option is only effective on <strong>MySQL</strong>. If the module is
    compiled with PostgreSQL support, <strong>this option and all SSL options
    are silently ignored</strong>. This will be fixed when PostgreSQL offers an
    acceptable API for SSL wrapping.</p>
    <hr />

    <h2><a id="AuthNufwSQLSSLCertfile"
    name="AuthNufwSQLSSLCertfile">Auth[n]NufwSQLSSLCertfile</a> directive</h2>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLCertfile
    <em>/home/user/my_public_cert.cert</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwSQLSSLCertfile /usr/local/apache/conf/nufw_sql_ssl_public.cert</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLCertfile is only
    available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and
    higher. AuthnNufwSQLSSLCertfile is only available in Apache 2.2.

    <p>Specifies the full path of the file containing the public certificate for SSL
    encryption. This must be set if you want to use SSL.</p>

    <p>This option is only effective on <strong>MySQL</strong>. If the module is
    compiled with PostgreSQL support, <strong>this option and all SSL options
    are silently ignored</strong>. This will be fixed when PostgreSQL offers an
    acceptable API for SSL wrapping.</p>
    <hr />

    <h2><a id="AuthNufwSQLSSLCA"
    name="AuthNufwSQLSSLCA">Auth[n]NufwSQLSSLCA</a> directive</h2>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLCA
    <em>/home/user/my_ca.ca</em><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLCA is only
    available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and
    higher. AuthnNufwSQLSSLCA is only available in Apache 2.2.

    <p>Specifies the full path of your Certificate Authority
    (CA) file, in PEM format. You can safely leave this unset if you do not have a CA file.</p>

    <p>This option is only effective on <strong>MySQL</strong>. If the module is
    compiled with PostgreSQL support, <strong>this option and all SSL options
    are silently ignored</strong>. This may be fixed when PostgreSQL offers an
    acceptable API for SSL wrapping.</p>
    <hr />

    <h2><a id="AuthNufwSQLSSLCAPath"
    name="AuthNufwSQLSSLCAPath">Auth[n]NufwSQLSSLCAPath</a> directive</h2>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLCAPath
    <em>/home/user/my_cas/</em><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLCAPath is only
    available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and
    higher. AuthnNufwSQLSSLCAPath is only available in Apache 2.2.

    <p>Specifies the full path of a directory containing your Certificate Authority
    (CA) files, in PEM format. You can safely leave this unset if you do not have CA files.</p>

    <p>This option is only effective on <strong>MySQL</strong>. If the module is
    compiled with PostgreSQL support, <strong>this option and all SSL options
    are silently ignored</strong>. This may be fixed when PostgreSQL offers an
    acceptable API for SSL wrapping.</p>
    <hr />


    <h2><a id="AuthNufwSQLSSLCypher"
    name="AuthNufwSQLSSLCypher">Auth[n]NufwSQLSSLCypher</a> directive</h2>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwSQLSSLCypher
    <em>CipherList</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwSQLSSLCypher ALL:!ADH:+RC4:@STRENGTH</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwSQLSSLCypher is only
    available in Apache 1.3 and 2.0, and only in mod_auth_nufw version 2.0 and
    higher. AuthnNufwSQLSSLCypher is only available in Apache 2.2.

    <p>Specifies the list of ciphers you wish to use for SQL connections. A complete
    cipher list for your system should be available if you issue: <code>openssl
    ciphers</code>. The default means "Use any but give RC4 the lowest
    priority".
    For more info see:
    <a href="http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp">
    http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp</a></p>

    <p>This option is only effective on <strong>MySQL</strong>. If the module is
    compiled with PostgreSQL support, <strong>this option and all SSL options
    are silently ignored</strong>. This will be fixed when PostgreSQL offers an
    acceptable API for SSL wrapping.</p>
    <hr />




    <h2><a id="AuthNufwTimeWindow" name="AuthNufwTimeWindow">Auth[n]NufwTimeWindow</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwTimeWindow
    <em>TimeWindow</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwTimeWindow 0</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host, directory, .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwTimeWindow is only
    available in Apache 1.3 and 2.0. AuthnNufwTimeWindow is only available in Apache 2.2.

    <p>Specifies a time window that must match the user's connection. The NuFW SQL
    database contains records of users' connections, with the time of each connection.
    When mod_auth_nufw receives a connection, it will match the connection's
    time against the time in the database. Due to network latency, it is
    possible for those two times to be slightly different. The time window is the
    number of tenths of a second around the "apache time" that will be accepted as
    a match in the SQL records.
    <br /><strong>WARNING</strong>: if you use HTTP 1.1, this parameter will
    probably break your auth for all requests but the first in the connection.
    In that case, it is advised to leave this parameter at its default value of
    0, which disables time matching. Example:</p>
<pre>
    AuthNufwTimeWindow 5
</pre>
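    <p>The following added example (not code from mod_auth_nufw) models the lookup described above
    and shows why a small time window breaks every request after the first on a persistent HTTP 1.1
    connection. The table layout, column names and sample rows are assumptions constructed for the
    illustration; later requests on a kept-alive connection are modelled as arriving long after the
    connection time recorded by NuFW.</p>

```python
import sqlite3

# Constructed rows standing in for the NuFW-fed table. The column names are
# assumptions: the page only says the table holds the user ID, the TCP
# connection parameters and the connection time. Times are stored in tenths
# of a second so they compare directly with the directive's unit.
SAMPLE_ROWS = [
    # user_id, saddr,          sport, daddr,         dport, start (tenths of s)
    ("alice", "192.168.0.10", 40112, "192.168.0.1", 80, 10000),
    ("bob",   "192.168.0.11", 51844, "192.168.0.1", 80, 10002),
]


def open_log(rows=SAMPLE_ROWS):
    """Build an in-memory stand-in for the connection log table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE conn_log (user_id TEXT, saddr TEXT, sport INTEGER,"
        " daddr TEXT, dport INTEGER, start_tenths INTEGER)"
    )
    db.executemany("INSERT INTO conn_log VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def identify_user(db, saddr, sport, daddr, dport, request_time, time_window=0):
    """Return the user who owns this TCP connection, or None.

    request_time is the "apache time" in tenths of a second. time_window is
    the TimeWindow value; 0 disables time matching, as the page documents.
    """
    sql = ("SELECT user_id FROM conn_log"
           " WHERE saddr = ? AND sport = ? AND daddr = ? AND dport = ?")
    params = [saddr, sport, daddr, dport]
    if time_window > 0:
        # Accept only records whose connection time lies within the window.
        sql += " AND ABS(start_tenths - ?) <= ?"
        params += [request_time, time_window]
    sql += " ORDER BY start_tenths DESC LIMIT 1"
    row = db.execute(sql, params).fetchone()
    return row[0] if row else None


def keepalive_requests(db, time_window, offsets=(3, 20, 150)):
    """Replay three requests sent over alice's single persistent connection,
    0.3 s, 2 s and 15 s after the connection was opened."""
    opened = 10000
    return [
        identify_user(db, "192.168.0.10", 40112, "192.168.0.1", 80,
                      opened + offset, time_window)
        for offset in offsets
    ]


if __name__ == "__main__":
    log = open_log()
    for window in (0, 5, 150):
        print("TimeWindow", window, "->", keepalive_requests(log, window))
```

    <p>With a window of 5 only the first request is identified; the window has to cover the whole
    lifetime of the persistent connection before later requests match again.</p>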
    <hr />

    <h2><a id="AuthNufwMaxSqlConns" name="AuthNufwMaxSqlConns">Auth[n]NufwMaxSqlConns</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwMaxSqlConns
    <em>Number</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwMaxSqlConns 8</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwMaxSqlConns is only
    available in Apache 1.3 and 2.0. Beware the use of this directive has
    changed a lot as of v2.0 of this module. AuthnNufwMaxSqlConns is only available in Apache 2.2.

    <p>Specifies the maximum overall number of SQL connections to open. When that
    number of connections is open, the module refuses to open any more. This may
    therefore totally block some connections if you have several SQL servers to
    connect to. Use in conjunction with <a
    href="#AuthNufwMaxSimilarSqlConns">Auth[n]NufwMaxSimilarSqlConns</a> to solve this
    potential problem, or set to 0 for no limit.</p>

    <hr />

    <h2><a id="AuthNufwMaxSimilarSqlConns" name="AuthNufwMaxSimilarSqlConns">Auth[n]NufwMaxSimilarSqlConns</a> directive</h2>

    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwMaxSimilarSqlConns
    <em>Number</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwMaxSimilarSqlConns 4</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config, virtual
    host<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwMaxSimilarSqlConns is only
    available in Apache 1.3 and 2.0, and only from v2.0 of this module. AuthnNufwMaxSimilarSqlConns is only available in Apache 2.2.

    <p>Specifies the maximum number of SQL connections to maintain to a given
    target, per child, at any time. A target is an entity defined by (host,
    port, database name, table name, username, and optionally SSL parameters).
    <br />Note that 1 should be an acceptable value for this parameter
    on Apache 1.3 as well as on 2.0 with MPM prefork, as children are not
    threaded on such setups. Set to 0 for no limit. Example:</p>

<pre>
    AuthNufwMaxSimilarSqlConns 5
</pre>
    <hr />

    <h2><a id="AuthNufwTokensEnabled" name="AuthNufwTokensEnabled">Auth[n]NufwTokensEnabled</a> directive</h2>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Auth[n]NufwTokensEnabled
    <em>On/Off</em><br />
    <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a>
    <code>Auth[n]NufwTokensEnabled On</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> server config<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> AuthConfig<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Extension<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_auth_nufw<br />
     <a href="directive-dict.html#Compatibility"
    rel="Help"><strong>Compatibility:</strong></a> AuthNufwTokensEnabled is only
    available in Apache 2.0, and was introduced on v2.0 of this
    module. AuthnNufwTokensEnabled is only available in Apache 2.2.

    <p>Specifies whether to mention "NuFW" in server tokens. </p>
    <hr />
    <h2>Sample configuration</h2>
    <pre>
    &lt;Directory /var/www&gt;
     &lt;IfModule mod_auth_nufw.c&gt;
      AuthnNufwEnabled On
      AuthnNufwAuthoritative Off
      AuthnNufwProtocolVersion 2
      AuthnNufwSQLHost localhost
      AuthnNufwSQLDatabase ulogd
      AuthnNufwSQLTable conntrack_ulog
      AuthnNufwSQLUser apache
      AuthnNufwSQLPassword secret
      # Networks covered by NuFW auth. No SQL request will be performed if the
      # client is outside these networks. Auth will fall back (see below).
      AuthnNufwAuthFrom from 192.168.0.0/24
      AuthnNufwAuthFrom from 10.0.0.0/8
     &lt;/IfModule&gt;
     AuthType Basic
     AuthName "INL OBM"
     # These two lines are optional : fallback in case NuFW is deactivated, and no result is found in database.
     AuthBasicProvider file
     AuthUserFile /etc/apache2/htpasswd
     # Authorization phase. This is most basic : any authenticated user (by NuFW or by htpasswd) can access the resource.
     Require valid-user
    &lt;/Directory&gt;
    </pre>
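    <p>As an added example (not part of mod_auth_nufw), the script below reviews a configuration for
    the security-relevant behaviours documented on this page: an unencrypted SQL link, SSL options
    silently ignored on PostgreSQL builds, SSL without a CA, a cipher list that still permits RC4, a
    non-zero time window, and a clear-text SQL password. The finding names, the <code>backend</code>
    parameter and the second sample configuration are assumptions made for the illustration.</p>

```python
import ipaddress
import re

# Matches Auth[n]Nufw* directives; Apache directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^\s*authn?(nufw\w+)\s+(.*?)\s*$", re.IGNORECASE)
DEFAULT_CIPHERS = "ALL:!ADH:+RC4:@STRENGTH"  # default documented on this page

MESSAGES = {
    "cleartext-sql": "SQL host is remote and the link is not wrapped in SSL",
    "ssl-ignored": "SSL directives are silently ignored on a PostgreSQL build",
    "no-ca": "SSL is on but no SSLCA/SSLCAPath trust anchor is configured",
    "rc4-allowed": "cipher list still permits RC4 (the default only ranks it last)",
    "timewindow-keepalive": "non-zero TimeWindow breaks HTTP 1.1 persistent connections",
    "password-in-config": "SQL password is stored in clear text; restrict file access",
}

# Module directives copied from the sample configuration on this page.
PAGE_SAMPLE = """
AuthnNufwEnabled On
AuthnNufwAuthoritative Off
AuthnNuFWSQLHost localhost
AuthnNuFWSQLDatabase ulogd
AuthnNuFWSQLTable conntrack_ulog
AuthnNuFWSQLUser apache
AuthnNuFWSQLPassword secret
AuthnNufwAuthFrom from 192.168.0.0/24
"""

# Constructed second sample: remote SQL server, SSL on, no CA, time matching on.
REMOTE_SAMPLE = """
AuthnNufwEnabled On
AuthnNufwSQLHost 10.0.0.5
AuthnNufwSQLSSLEnabled On
AuthnNufwSQLSSLKeyfile /etc/apache2/nufw_sql.key
AuthnNufwSQLSSLCertfile /etc/apache2/nufw_sql.cert
AuthnNufwTimeWindow 5
AuthnNufwSQLPassword example-only
"""


def parse_nufw_directives(conf_text):
    """Collect Auth[n]Nufw* directives keyed by lower-cased, prefix-free name."""
    found = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            found.setdefault(match.group(1).lower(), []).append(match.group(2).strip('"'))
    return found


def is_loopback(host):
    """True for localhost or a loopback IP literal; other names count as remote."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(conf_text, backend="mysql"):
    """Return finding codes; backend is the compile-time choice (mysql/postgresql)."""
    d = parse_nufw_directives(conf_text)

    def last(key, default=None):
        return d.get(key, [default])[-1]

    findings = []
    ssl_on = last("nufwsqlsslenabled", "Off").lower() == "on"
    ssl_effective = ssl_on and backend == "mysql"
    host = last("nufwsqlhost")
    if host and not is_loopback(host) and not ssl_effective:
        findings.append("cleartext-sql")
    if ssl_on and backend != "mysql":
        findings.append("ssl-ignored")
    if ssl_effective:
        if not (last("nufwsqlsslca") or last("nufwsqlsslcapath")):
            findings.append("no-ca")
        tokens = last("nufwsqlsslcypher", DEFAULT_CIPHERS).split(":")
        names_rc4 = "RC4" in [t.lstrip("+") for t in tokens]
        if "!RC4" not in tokens and ("ALL" in tokens or names_rc4):
            findings.append("rc4-allowed")
    if last("nufwtimewindow", "0") != "0":
        findings.append("timewindow-keepalive")
    if "nufwsqlpassword" in d:
        findings.append("password-in-config")
    return findings


if __name__ == "__main__":
    for name, conf, backend in (("page sample", PAGE_SAMPLE, "mysql"),
                                ("remote/mysql", REMOTE_SAMPLE, "mysql"),
                                ("remote/postgresql", REMOTE_SAMPLE, "postgresql")):
        for code in audit(conf, backend):
            print(f"{name}: {code}: {MESSAGES[code]}")
```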
  </body>
</html>