前言
在之前的一篇博文《Apache httpd2.2版本以及2.4版本部分实验》的实验二里面,提到了协议认证使用了mod_auth_mysql.so模块,本文将阐述该模块的安装,配置,以及对于aes加密特性的支持。
基于开发者文档的安装步骤
注:在笔者的CentOS7测试环境下并不支持aes加密
首先从模块提供的官方站点下载mod_auth_mysql-3.0.0.tar.gz,并下载对应的补丁mod_auth_mysql_3.0.0_patch_apache2.4.diff,解压缩之后,将补丁拷贝到解压目录下面,运行如下命令进行打补丁:
$ patch -p1 < mod_auth_mysql_3.0.0_patch_apache2.4.diff
确保安装了mariadb-libs和mariadb-devel包,并且安装有development Tools包组,如果没有,请自行安装。其目的是为了解决编译安装可能遇到的头文件依赖以及库依赖问题。
利用httpd-tools包中带的apxs工具进行编译:
$ apxs -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c
编译完之后,会生成mod_auth_mysql.la文件,再利用如下命令将该模块安装到httpd里面:
$ apxs -i mod_auth_mysql.la
安装完成之后,在/etc/httpd/conf.modules.d目录下面添加一个配置文件,这里为10-mysql.conf,添加如下内容:
LoadModule mysql_auth_module modules/mod_auth_mysql.so
初步添加如下配置信息到/etc/httpd/conf.d/virtualhost.conf里面,配合mysql数据库,即可进行认证:
<VirtualHost 192.168.5.181:80> ServerName www3.stuX.com LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom3 CustomLog /web/vhosts/www3/access_log custom3 ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M" ErrorLog /web/vhosts/www3/error_log LogLevel info <Location /status> SetHandler server-status AuthType Basic AuthBasicAuthoritative Off AuthName "auth login" AuthUserFile /dev/null AuthMySQLHost 192.168.5.121 AuthMySQLPort 3306 AuthMySQLUser root AuthMySQLPassword 123456 AuthMySQLDB http_auth AuthMySQLUserTable mysql_auth AuthMySQLNameField user_name AuthMySQLPasswordField user_passwd AuthMySQLEnable on AuthMySQLPwEncryption md5 Require valid-user </Location> </Virtualhost>
上述内容当中,关于AuthMySQL的指令,可以从编译安装包中的CONFIGURE文件中查询到。上文所用到的参数的解释如下所示:
指令 | 解释 |
---|---|
AuthMySQLHost | mysql的IP地址 |
AuthMySQLPort | mysql的连接端口 |
AuthMySQLUser | mysql的连接用户 |
AuthMySQLPassword | mysql的登录密码 |
AuthMySQLDB | 登录的数据库名称 |
AuthMySQLUserTable | 需要进行用户查询的数据表 |
AuthMySQLNamedField | httpd验证的用户名字段 |
AuthMySQLPasswordField | httpd验证的密码字段 |
AuthMySQLEnable | 开启认证 |
AuthMySQLPwEncryption | 密码加密形式为MD5 |
配置完毕,重启之后,即可进行认证。
关于mod_auth_mysql.so对于AES加密支持
在该模块的CONFIGURE文档中,提及了两条指令,分别是AuthMySQLPwEncryption
以及AuthMySQLSaltField
。前者可以在其指令后面添加加密算法,在文档中,该指令的介绍如下所示:
AuthMySQLPwEncryption none | crypt | scrambled | md5 | aes | sha1
The encryption type used for the passwords in AuthMySQLPasswordField:
none: not encrypted (plain text)
crypt: UNIX crypt() encryption
scrambled: MySQL PASSWORD encryption
md5: MD5 hashing
aes: Advanced Encryption Standard (AES) encryption
sha1: Secure Hash Algorihm (SHA1)WARNING: When using aes encryption, the password field MUST be a BLOB type
(i.e. TINYBLOB). MySQL will strip trailing x’20’ characters (blanks), EVEN
IF THE COLUMN TYPE IS BINARY!AuthMySQLSaltField <> | | mysql_column_name
Contains information on the salt field to be used for crypt and aes
encryption methods. It can contain one of the following:
<>: password itself is the salt field (use with crypt() only)
: “string” as the salt field
mysql_column_name: the salt is take from the mysql_column_name field in the
same row as the passwordThis field is required for aes encryption, optional for crypt encryption.
It is ignored for all other encryption types.
可以看到,文档中提及到了支持aes加密算法,并且配合AuthMySQLSaltField
指令,指明盐字段。不过,在笔者的CentOS7环境上面,如果使用了aes加密,会使得配置了认证的目标页面失效,如下所示:
curl -u admin:admin http://www3.stuX.com/status <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h2>Unauthorized</h2> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> </body></html>
在httpd的错误日志中,可以看到如下一条:
[error] [pid 9958] mod_auth_mysql.c(1188): [client 192.168.5.180:55586] mysql invalid encryption method as
初步断定,在编译的时候可能没有把aes算法编译进去。依据网上的两篇资料:
Works plain text, AES or SHA-1 fails
mod_auth_mysql with AES encryption (on Fedora 14 x64)
解决方案是在编译的时候添加上-DAES,该选项在文档中并未明文提及到,相关的源代码部分内容如下:
...... ...... #if _AES /* Only needed if AES encryption desired */ #include <my_global.h> #endif #include <mysql.h> #if _AES #include <my_aes.h> #endif ...... ......
因此编译的时候还需要注意,-DAES需要my_global.h以及my_aes.h的支持。笔者这里的my_global.h由mariadb-devel的rpm包提供,而my_aes.h由mariadb的源码包提供。在这里,笔者为了方便,直接将解压之后的源码包中的my_aes.h拷贝到/usr/include/mysql头文件目录当中。再进行编译:
注:下面编译的warning可以忽略。
$ apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -DAES -lmysqlclient -lm -lz mod_auth_mysql.c /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -DLINUX -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd -I/usr/include/apr-1 -I/usr/include/apr-1 -I/usr/include/mysql -DAES -c -o mod_auth_mysql.lo mod_auth_mysql.c && touch mod_auth_mysql.slo In file included from /usr/include/mysql/my_config.h:14:0, from /usr/include/mysql/my_global.h:79, from mod_auth_mysql.c:267: /usr/include/mysql/my_config_x86_64.h:631:0: warning: "PACKAGE_NAME" redefined [enabled by default] #define PACKAGE_NAME "MySQL Server" ^ In file included from /usr/include/httpd/ap_config.h:138:0, from /usr/include/httpd/httpd.h:44, from mod_auth_mysql.c:198: /usr/include/httpd/ap_config_auto.h:228:0: note: this is the location of the previous definition #define PACKAGE_NAME "" ^ In file included from /usr/include/mysql/my_config.h:14:0, from /usr/include/mysql/my_global.h:79, from mod_auth_mysql.c:267: /usr/include/mysql/my_config_x86_64.h:632:0: warning: "PACKAGE_STRING" redefined [enabled by default] #define PACKAGE_STRING "MySQL Server 5.5.44" ^ In file included from /usr/include/httpd/ap_config.h:138:0, from /usr/include/httpd/httpd.h:44, from mod_auth_mysql.c:198: /usr/include/httpd/ap_config_auto.h:231:0: note: this is the location of the previous definition #define PACKAGE_STRING "" ^ In file included from /usr/include/mysql/my_config.h:14:0, from /usr/include/mysql/my_global.h:79, from mod_auth_mysql.c:267: /usr/include/mysql/my_config_x86_64.h:633:0: warning: "PACKAGE_TARNAME" redefined [enabled by default] #define PACKAGE_TARNAME "mysql" ^ In file included from /usr/include/httpd/ap_config.h:138:0, from /usr/include/httpd/httpd.h:44, from mod_auth_mysql.c:198: /usr/include/httpd/ap_config_auto.h:234:0: note: this is the location of the previous definition #define PACKAGE_TARNAME "" ^ In file included from /usr/include/mysql/my_config.h:14:0, from /usr/include/mysql/my_global.h:79, from mod_auth_mysql.c:267: /usr/include/mysql/my_config_x86_64.h:634:0: warning: "PACKAGE_VERSION" redefined [enabled by default] #define PACKAGE_VERSION "5.5.44" ^ In file included from /usr/include/httpd/ap_config.h:138:0, from /usr/include/httpd/httpd.h:44, from mod_auth_mysql.c:198: /usr/include/httpd/ap_config_auto.h:240:0: note: this is the location of the previous definition #define PACKAGE_VERSION "" ^ mod_auth_mysql.c: In function 'str_format': mod_auth_mysql.c:891:7: warning: format '%d' expects argument of type 'int', but argument 8 has type 'long int' [-Wformat=] LOG_ERROR_2(APLOG_ERR|APLOG_NOERRNO, 0, r, "MySQL ERROR: Invalid formatting character at position %d: \"%s\"", ^ /usr/lib64/apr-1/build/libtool --silent --mode=link gcc -std=gnu99 -Wl,-z,relro,-z,now -o mod_auth_mysql.la -L/usr/lib64/mysql -lmysqlclient -lm -lz -rpath /usr/lib64/httpd/modules -module -avoid-version mod_auth_mysql.lo
之后利用apxs -i mod_auth_mysql.la
进行安装,安装完毕之后,通过systemctl restart httpd.service
命令对服务进行重启操作,但是发现无法启动:
$ systemctl restart httpd.service Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details. $ systemctl status httpd.service -l | grep error httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/10-mysql.conf: Cannot load modules/mod_auth_mysql.so into server: /etc/httpd/modules/mod_auth_mysql.so: undefined symbol: my_aes_encrypt
可以看到,缺少了my_aes_encrypt函数,初步断定是缺少了库依赖所导致。从上文的mod_auth_mysql with AES encryption (on Fedora 14 x64)当中,给出了一种手动添加动态库的方式,利用httpd的LoadFile指令,将其加载进来:
LoadFile /usr/lib64/mysql/libmysqld.so
经过笔者测试,这样做的话确实能将httpd服务启动,但是仍然无法正常使用aes加密,甚至连mod_auth_mysql.so模块本身都无法正常工作了。利用curl命令访问指定页面的时候,会返回empty response的错误。
改进的措施
既然无法用LoadFile来加载共享库,所以这里采用直接将libmysqld编译到mod_auth_mysql模块的方法。首先需要获取libmysqld库,以mariadb5.5.44版本为例,需要将其源码编译。先解压源码包,进入源码目录,使用如下命令进行cmake:
cmake . -DWITH_EMBEDDED_SERVER=ON
之后进入libmysqld子目录,确保Makefile已经生成,之后利用make
命令编译该模块。
编译完成之后,会发现当前libmysqld子目录下面多出了libmysqld.a,以及libmysqld.so文件。
注意!到这里为止,往后可以采用两种方式进行编译:
利用libmysqld.a将libmysqld静态编译进mod_auth_mysql当中
利用libmysqld.so将libmysqld动态编译进mod_auth_mysql当中
在此,笔者采用第一种方法。将libmysqld.a拷贝到mod_auth_mysql的源码目录当中,用如下命令进行编译,并且安装到httpd当中,再将httpd服务进行重启:
$ apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -DAES -lmysqlclient -lm -lz -l:libmysqld.a mod_auth_mysql.c $ apxs -i mod_auth_mysql.la $ systemctl restart httpd.service
利用curl命令进行访问,发现认证成功:
$ curl -u admin:admin http://www3.stuX.com/status | less % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 3789 100 3789 0 0 339k 0 --:--:-- --:--:-- --:--:-- 411k <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <title>Apache Status</title> </head><body> <h2>Apache Server Status for www3.stux.com (via 192.168.5.181)</h2> <dl><dt>Server Version: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16</dt> <dt>Server MPM: prefork</dt> <dt>Server Built: Nov 19 2015 21:43:13 </dt></dl><hr /><dl> <dt>Current Time: Thursday, 08-Jun-2017 16:06:30 CST</dt> <dt>Restart Time: Thursday, 08-Jun-2017 16:04:36 CST</dt> <dt>Parent Server Config. Generation: 1</dt> <dt>Parent Server MPM Generation: 0</dt> <dt>Server uptime: 1 minute 53 seconds</dt> <dt>Server load: 0.01 0.02 0.05</dt> <dt>Total accesses: 1 - Total Traffic: 3 kB</dt> <dt>CPU Usage: u0 s0 cu0 cs0<dt>.00885 requests/sec - 27 B/second - 3072 B/request</dt> <dt>1 requests currently being processed, 4 idle workers</dt> </dl><pre>_W___........................................................... ................................................................ ................................................................ ................................................................
其他
笔者并未测试动态编译libmysqld.so的可用性,不过笔者认为动态编译仍然是可行的,不过需要将动态库纳入ldconfig
管理范畴即可。
诸如此类的第三方模块多半由开发者在Fedora平台上面测试,而头文件依赖和库依赖的不一致性,总会导致各种问题,因此有些时候,需要使用者对其进行一定程度的“量体裁衣”,不能盲目迷信文档。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。