サイト接続時に認証をかけたいページがあったのでh2oでbasic認証を実装してみた
他のサイトを見たところmrubyを使ってやればいいとのことだったのでまずはmrubyをインストールしてみる
mrubyインストール
dnf install mruby
vi /etc/h2o/h2o.conf
試しにphpMyAdminのログインページに認証をかけてみる
user: h2o gzip: ON file.index: [ 'index.html', 'index.php' ] # PHPの設定 file.custom-handler: extension: .php fastcgi.connect: port: /var/run/php-fpm/www.sock type: unix hosts: "xxxxxxx.com:80": listen: port: 80 paths: "/": file.dir: /var/www/html redirect: url: /index.php/ internal: YES status: 307 --------↓ここから追記↓----- "/phpMyAdmin/": mruby.handler: | require "htpasswd.rb" Htpasswd.new("/var/www/html/.htpasswd", "realm-name") file.dir: /usr/share/phpMyAdmin
mkdir /etc/h2o/mruby vi /etc/h2o/mruby/htpasswd.rb
# based on public-domain code by cho45 # # Copyright (c) 2015 DeNA Co., Ltd., Kazuho Oku # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to # deal in the Software without restriction, including without limitation the # rights to use, copy, modify, merge, publish, distribute, sublicense, and/or # sell copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS # IN THE SOFTWARE. # class Htpasswd attr_accessor :path attr_accessor :realm def initialize(path, realm) @path = path @realm = realm end def call(env) if /\/\.ht/.match(env['PATH_INFO']) return [ 404, { "Content-Type" => "text/plain" }, [ "not found" ] ] end auth = env['HTTP_AUTHORIZATION'] if auth method, cred = *auth.split(' ') if method.casecmp("basic") == 0 user, pass = cred.unpack("m")[0].split(':', 2) begin if lookup(user, pass) return [ 399, { "x-fallthru-set-remote-user" => user }, [] ] end rescue => e $stderr.puts "failed to validate password using file:#{@path}:#{e.message}" return [ 500, { "Content-Type" => "text/plain" }, [ "Internal Server Error" ] ] end end end return [ 401, { "Content-Type" => "text/plain", "WWW-Authenticate" => "Basic realm=\"#{@realm}\"" }, [ "Authorization Required" ] ] end def lookup(user, pass) File.open(@path) do |file| file.each_line do |line| line_user, hash = line.chomp.split(':', 2) if user == line_user && self.class.validate(pass, hash) return true end end end return false end def Htpasswd.crypt_md5(pass, salt) ctx = Digest::MD5.new.update("#{pass}$apr1$#{salt}") final = Digest::MD5.new.update("#{pass}#{salt}#{pass}").digest!.bytes l = pass.length while l > 0 ctx.update(final[0 .. (l > 16 ? 16 : l) - 1].pack("C*")) l -= 16 end l = pass.length while l > 0 ctx.update(l % 2 != 0 ? "\0" : pass[0]) l >>= 1 end final = ctx.digest! 1000.times do |i| ctx = Digest::MD5.new ctx.update(i % 2 != 0 ? pass : final) ctx.update(salt) if i % 3 != 0 ctx.update(pass) if i % 7 != 0 ctx.update(i % 2 != 0 ? final : pass) final = ctx.digest! end final = final.bytes hash = "" for a, b, c in [[0, 6, 12], [1, 7, 13], [2, 8, 14], [3, 9, 15], [4, 10, 5]] hash << _to64(final[a] << 16 | final[b] << 8 | final[c], 4) end hash << _to64(final[11], 2) "$apr1$#{salt}$#{hash}" end def Htpasswd._to64(v, n) chars = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" output = "" n.times do output << chars[v & 0x3f] v >>= 6 end output end def Htpasswd.crypt_sha1(pass) "{SHA}" + [Digest::SHA1.new.update(pass).digest!].pack("m").chomp end def Htpasswd.validate(pass, hash) if /^\$apr1\$(.*)\$/.match(hash) encoded = crypt_md5(pass, $1) elsif /^{SHA}/.match(hash) encoded = crypt_sha1(pass) else raise "crypt-style password hash is not supported" end return encoded == hash end end
htpasswd -nbm ユーザー名 パスワード [ユーザー名]:[パスワード] ←ハッシュ化されたパスワードが表示されるのでコピー
vi /var/www/html/.htpasswd 先ほどのパスワードを貼り付け
サービスの再起動
systemctl restart h2o systemctl status h2o
再起動後、phpMyAdminのページに接続すると、ユーザー名とパスワードを聞かれるようになった
参考
h2oでBasic認証を実装する - Qiita
死ぬほどハマったので今のうちにメモしておかねばならない(使命感)手順1. h2oのコンフィグでmruby.handlerについて記述する2. /etc/h2o/sites-enabled/mr…
コメント