htaccess and Dynamic IP Addresses

How to Apache htaccess Allow from Dynamic IP Address

Apache web server access control via htaccess, to allow authorized access to web pages.

The Apache directive Allow from make it possible to exclude a specific IP from the login prompt. Unfortunately, it is not possible to pass host names and FQDN. The following script reads the Dynamic IP of a hostname and add them into the file htaccess.

htaccess Allow from Dynamic IP Address

The following shell script resolve the IP address and write them into the htaccess file. Insert the following lines out from console with copy & paste, so that the script file is created.

cat << EOF > ./allow_myhost.sh
#!/bin/sh
htpath="/var/www/blog/"
grep -lr "#DDNS" $htpath | while read i; do
sed -i '/#DDNS-IP$/d' $i
grep -i "#DDNS$" $i | while read j; do
words=( $j )
ddns="${words[2]}"
ip="$(host $ddns)"
if [ "$ip" == "${ip%% has address *}" ]; then
continue;
fi
ip="${ip##* has address }"
sed -i 's/^\('"$j"'\)$/\1\nAllow from '"$ip"' #DDNS-IP/' $i
done
done
EOF

Copy Paste

This script here on a CentOS host rewrites the htaccess file. The lineAllow fromwith the tag #DDNS reads the host name, and the host’s resolved IP is written on the next line with the tag #DDNS-IP. The path variablehtpathcan be DocumentRoot or a subdirectory, whereby the script edits all occurring .htaccess files recursively from htpath.

htaccess store to web directory

The file htaccess is stored in the web directory to be protected. Using cd to change to the desired directory and insert the following lines will copy & paste out from the console, this generates the file.htaccess

cat << EOF > .htaccess
AuthName "A Blog"
AuthType Basic
AuthUserFile /home/jonny/.htpasswd
AuthGroupFile /dev/null
Order deny,allow
Deny from all
require valid-user
Allow from myhome.dyndns.org #DDNS
Allow from 198.51.100.93 #DDNS-IP
Satisfy Any
EOF

Copy Paste

The lines with #DDNS and #DDNS-IP (#) use to tagging.

The script has yet to be made executable.

chmod 755 allow_myhost.sh

Keep dynamic IP up to date

Keep the dynamic IP resolution up to date with crontab -e to create a cron job.

*/5 * * root /home/jonny/allow_myhome.sh >/dev/null 2>&1

Older Linux need to restart the cron daemon to the cron job come active.

service crond restart

Note. Apache 2.4 directiveRequire
Apache 2.x directiveAllow from

Apache 2.x mod_access_compat

Order deny,allow
Deny from all

Apache 2.4 mod_authz_host

Require all denied

The directivesAllow Denyprovided by mod_access_compat are deprecated and will no longer be supported in the future release. It is recommended to use the new directives.

How to Create self-signed certificates use OpenSSL

Create, Sign and Manage Certificate using OpenSSL

OpenSSL is a versatile command line tool that can be used for a variety of cryptographic tasks related to Public Key Infrastructure (PKI) and HTTPS (HTTP over TLS).

This tutorial shows how to use OpenSSL for certificates used for asymmetric encryption in beta and test tasks used for internal or development environments. The associated CSR Certificate Signing Request certificates are not worthwhile for testing purposes issued by a Trusted CA certificate issuer. For this purpose, in an example, the generation of a private key with certificate issuance and its signing.

Create a self-signed certificate

openssl genrsa -out priv.key 4096
openssl req -new -nodes -sha256 -key priv.key -out cert.csr
openssl x509 -req -sha256 -days 3650 -in cert.csr -signkey priv.key -out cert.crt

In this example, a private key with a length of 4096 bits is generated, which is valid for 10 years, the X509 Distinguished Key Identifiers are defined, with the encryption of the SHA256 algorithm, finally the certificate is self-signed.

openssl genrsa -out priv.key 4096
Generating RSA private key, 4096 bit long modulus
................................++
..................................++
e is 65537 (0x010001)
PS C:temp> openssl req -new -nodes -sha256 -key priv.key -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:ZRH
Locality Name (eg, city) []:ZURICH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cyber Lab Ltd.
Organizational Unit Name (eg, section) []:D evOps Root CA Cert Authority
Common Name (e.g. server FQDN or YOUR name) []:cyber.foo.org
Email Address []:support@cyber.foo.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:1234

The self-signed certificate generated in this way is used for cryptographic encryption for HTTPS / TLS server and client, code signing, IP End Point Security (SSL-VPN) or for S/MIME e-mail.

The certificate cert.crt is then imported into the certificate store, this to Trusted Root Certification Authorities and to The Own Certificates.

Figure: Certificates snap-in

OpenSSL – Open Secure Socket Layer protocol is standard on most Linux distributions, the Windows binaries are available on sourceforge.

XCA – X Certificate Key Management

If you are not familiar with the OpenSSL command line tool, you can use the X Certificate – xca tool, which offers all options in a GUI.

X Certificate and Key Management is an interface for managing asymmetric keys such as RSA or DSA. It is intended for the creation and signing of certificates. The cryptographic operations use the OpenSSL library.

Features

  • Start own PKI and create all kinds of certificates, requests or CRLs
  • Import and export in any format like PEM, DER, PKCS#7, PKCS#12
  • Use them for your IPsec, OpenVPN, HTTPs or any other certificate based setup
  • Manage your Smart-Cards via PKCS#11 interface
  • Export certificates and requests to an OpenSSL config file
  • Create Subject- and/or Extension- templates to ease issuing similar certs
  • Convert existing certificates or requests to templates
  • Get the broad support of x509v3 extensions as flexible as OpenSSL but user friendlier
  • Adapt the Columns to have your important information at a glance

Download at sourceforge

Figure: X Certificate and Key management

Before keys and certificates can be generated, a database must <Ctrl+N> be created.<Ctrl+N> After generating a private key, a new certificate can be generated. The private keys should be kept password protected. If a private key becomes available for unauthorized ones, the certificate is no longer secure and must be replaced.

Verify key and certificate

Check and output private key

openssl rsa -check -in priv.key

View Certificate

openssl x509 -noout -text -in cert.crt

Certificate Signing Request Check and output

openssl req -text -noout -verify -in cert.csr

Verification of the private key, the CSR and the certificate for authenticity.

openssl rsa -noout -modulus -in priv.key | openssl md5
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl req -noout -modulus -in cert.csr | openssl md5

If the output of each command is identical, there is a very high probability that the certificate and CSR are related to the private key.

Conclusion

OpenSSL is the versatile Swiss Army Knife that can be used for a variety of cryptographic tasks for asymmetric encryption, from generating a private key with certificate issuance and signing, to verifying authenticity with testing of connectivity.

Exit mobile version