
Installation and configuration of the httpd 2.x module mod_auth_mysql and its support for AES encryption

2025-01-16 Update From: SLTechnology News&Howtos


Preface

In experiment 2 of a previous blog post, "Apache httpd2.2 version and partial experiments of version 2.4", the mod_auth_mysql.so module was used for authentication. This article describes the installation and configuration of this module and its support for AES encryption.

Installation steps based on developer documentation

Note: aes encryption is not supported in the author's CentOS7 test environment.

First, download mod_auth_mysql-3.0.0.tar.gz from the module's official site, along with the corresponding patch mod_auth_mysql_3.0.0_patch_apache2.4.diff. After unpacking the archive, copy the patch into the extracted directory and apply it with the following command:

$ patch -p1 < mod_auth_mysql_3.0.0_patch_apache2.4.diff

Make sure the mariadb-libs and mariadb-devel packages and the Development Tools package group are installed; if they are not, install them. This resolves the header file and library dependency problems that may come up during compilation and installation.

Compile with the apxs tool that comes with the httpd-tools package:

$ apxs -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c

After compilation, a mod_auth_mysql.la file is generated. Install the module into httpd with the following command:

$ apxs -i mod_auth_mysql.la

After installation, add a configuration file under the /etc/httpd/conf.modules.d directory, here 10-mysql.conf, with the following content:

LoadModule mysql_auth_module modules/mod_auth_mysql.so

As an initial setup, add the following configuration to /etc/httpd/conf.d/virtualhost.conf; together with the MySQL database, authentication then works:

ServerName www3.stuX.com
LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom3
CustomLog /web/vhosts/www3/access_log custom3
ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M"
ErrorLog /web/vhosts/www3/error_log
LogLevel info
SetHandler server-status
AuthType Basic
AuthBasicAuthoritative Off
AuthName "auth login"
AuthUserFile /dev/null
AuthMySQLHost 192.168.5.121
AuthMySQLPort 3306
AuthMySQLUser root
AuthMySQLPassword 123456
AuthMySQLDB http_auth
AuthMySQLUserTable mysql_auth
AuthMySQLNameField user_name
AuthMySQLPasswordField user_passwd
AuthMySQLEnable on
AuthMySQLPwEncryption md5
Require valid-user

The AuthMySQL directives used above are documented in the CONFIGURE file of the source package. The parameters used above are explained as follows:

Directive: explanation
AuthMySQLHost: IP address of the MySQL server
AuthMySQLPort: MySQL connection port
AuthMySQLUser: MySQL user to connect as
AuthMySQLPassword: login password
AuthMySQLDB: name of the database to log in to
AuthMySQLUserTable: the data table to query
AuthMySQLNameField: user name field for httpd authentication
AuthMySQLPasswordField: password field for httpd authentication
AuthMySQLEnable: enables authentication
AuthMySQLPwEncryption: password encryption form, here MD5

After the configuration is complete and httpd has been restarted, authentication can be carried out.

About mod_auth_mysql.so's support for AES encryption

The CONFIGURE document for this module mentions two directives, AuthMySQLPwEncryption and AuthMySQLSaltField. The former takes an encryption algorithm as its argument and is described in the document as follows:

AuthMySQLPwEncryption none | crypt | scrambled | md5 | aes | sha1

The encryption type used for the passwords in AuthMySQLPasswordField:

none: not encrypted (plain text)
crypt: UNIX crypt() encryption
scrambled: MySQL PASSWORD encryption
md5: MD5 hashing
aes: Advanced Encryption Standard (AES) encryption
sha1: Secure Hash Algorithm (SHA1)

WARNING: When using aes encryption, the password field MUST be a BLOB type (i.e. TINYBLOB). MySQL will strip trailing x'20' characters (blanks), EVEN IF THE COLUMN TYPE IS BINARY!

AuthMySQLSaltField <> | <string> | mysql_column_name

Contains information on the salt field to be used for crypt and aes encryption methods. It can contain one of the following:

<>: password itself is the salt field (use with crypt() only)
<string>: "string" as the salt field
mysql_column_name: the salt is taken from the mysql_column_name field in the same row as the password

This field is required for aes encryption, optional for crypt encryption. It is ignored for all other encryption types.

As you can see, the document mentions support for the aes encryption algorithm, used together with the AuthMySQLSaltField directive to specify the salt field. However, in the author's CentOS7 environment, if aes encryption is used, authentication for the protected page fails, as shown below:

$ curl -u admin:admin http://www3.stuX.com/status
401 Unauthorized
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

In the error log of httpd, you can see the following:

[error] [pid 9958] mod_auth_mysql.c(1188): [client 192.168.5.180] mysql invalid encryption method aes

The initial conclusion is that AES support may not have been compiled in. According to two posts found on the Internet:

Works plain text, AES or SHA-1 fails

mod_auth_mysql with AES encryption (on Fedora 14 x64)

The solution is to add -DAES when compiling, which is not explicitly mentioned in the documentation. The relevant source code is as follows:

...
#if _AES  /* Only needed if AES encryption desired */
#include <my_global.h>
#endif
#include <mysql.h>
#if _AES
#include <my_aes.h>
#endif
...

Therefore, note that compiling with -DAES requires my_global.h and my_aes.h. The my_global.h here is provided by the mariadb-devel rpm package, while my_aes.h is provided by the mariadb source package. For convenience, the author copied my_aes.h from the unpacked source package directly into the /usr/include/mysql header file directory. Then compile:

Note: the warnings produced by the compilation below can be ignored.

$ apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -DAES -lmysqlclient -lm -lz mod_auth_mysql.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -DLINUX -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd -I/usr/include/apr-1 -I/usr/include/apr-1 -I/usr/include/mysql -DAES -c -o mod_auth_mysql.lo mod_auth_mysql.c && touch mod_auth_mysql.slo
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:79,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:631:0: warning: "PACKAGE_NAME" redefined [enabled by default]
 #define PACKAGE_NAME "MySQL Server"
 ^
In file included from /usr/include/httpd/ap_config.h:138:0,
                 from /usr/include/httpd/httpd.h:44,
                 from mod_auth_mysql.c:198:
/usr/include/httpd/ap_config_auto.h:228:0: note: this is the location of the previous definition
 #define PACKAGE_NAME ""
 ^
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:79,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:632:0: warning: "PACKAGE_STRING" redefined [enabled by default]
 #define PACKAGE_STRING "MySQL Server 5.5.44"
 ^
In file included from /usr/include/httpd/ap_config.h:138:0,
                 from /usr/include/httpd/httpd.h:44,
                 from mod_auth_mysql.c:198:
/usr/include/httpd/ap_config_auto.h:231:0: note: this is the location of the previous definition
 #define PACKAGE_STRING ""
 ^
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:79,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:633:0: warning: "PACKAGE_TARNAME" redefined [enabled by default]
 #define PACKAGE_TARNAME "mysql"
 ^
In file included from /usr/include/httpd/ap_config.h:138:0,
                 from /usr/include/httpd/httpd.h:44,
                 from mod_auth_mysql.c:198:
/usr/include/httpd/ap_config_auto.h:234:0: note: this is the location of the previous definition
 #define PACKAGE_TARNAME ""
 ^
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:79,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:634:0: warning: "PACKAGE_VERSION" redefined [enabled by default]
 #define PACKAGE_VERSION "5.5.44"
 ^
In file included from /usr/include/httpd/ap_config.h:138:0,
                 from /usr/include/httpd/httpd.h:44,
                 from mod_auth_mysql.c:198:
/usr/include/httpd/ap_config_auto.h:240:0: note: this is the location of the previous definition
 #define PACKAGE_VERSION ""
 ^
mod_auth_mysql.c: In function 'str_format':
mod_auth_mysql.c:891:7: warning: format '%d' expects argument of type 'int', but argument 8 has type 'long int' [-Wformat=]
       LOG_ERROR_2(APLOG_ERR|APLOG_NOERRNO, 0, r, "MySQL ERROR: Invalid formatting character at position %d: \"%s\"",
       ^
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -std=gnu99 -Wl,-z,relro,-z,now -o mod_auth_mysql.la -L/usr/lib64/mysql -lmysqlclient -lm -lz -rpath /usr/lib64/httpd/modules -module -avoid-version mod_auth_mysql.lo

After that, the module is installed with apxs -i mod_auth_mysql.la. After installation, httpd is restarted with the systemctl restart httpd.service command, but it fails to start:

$ systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
$ systemctl status httpd.service -l | grep error
httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/10-mysql.conf: Cannot load modules/mod_auth_mysql.so into server: /etc/httpd/modules/mod_auth_mysql.so: undefined symbol: my_aes_encrypt

As you can see, the my_aes_encrypt function is missing; the tentative conclusion is that a library dependency is missing. The post "mod_auth_mysql with AES encryption (on Fedora 14 x64)" mentioned above gives a way to add the dynamic library manually, loading it with httpd's LoadFile directive:

LoadFile /usr/lib64/mysql/libmysqld.so

In the author's test, this does let the httpd service start, but aes encryption still does not work, and even the mod_auth_mysql.so module itself no longer works properly. Accessing the specified page with the curl command returns an empty-response error.

Measures for improvement

Since loading the shared library with LoadFile does not work, the approach used here is to build libmysqld directly into the mod_auth_mysql module. First you need the libmysqld library; taking mariadb 5.5.44 as the example, it has to be compiled from source. Unpack the source package, enter the source directory, and run cmake with the following command:

$ cmake . -DWITH_EMBEDDED_SERVER=ON

After that, go to the libmysqld subdirectory, make sure that a Makefile has been generated, and then build with the make command.

After the compilation is complete, the files libmysqld.a and libmysqld.so appear in the libmysqld subdirectory.

Note that at this point there are two ways to build:

Using libmysqld.a to statically link libmysqld into mod_auth_mysql

Using libmysqld.so to dynamically link libmysqld into mod_auth_mysql

Here, the author adopts the first method. Copy libmysqld.a to the source code directory of mod_auth_mysql, compile with the following commands, install the module into httpd, and restart the httpd service:

$ apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -DAES -lmysqlclient -lm -lz -l:libmysqld.a mod_auth_mysql.c
$ apxs -i mod_auth_mysql.la
$ systemctl restart httpd.service

Access the page with the curl command; authentication now succeeds:

$ curl -u admin:admin http://www3.stuX.com/status | less
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3789  100  3789    0     0   339k      0 --:--:-- --:--:-- --:--:--  411k
Apache Status
Apache Server Status for www3.stux.com (via 192.168.5.181)
Server Version: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16
Server MPM: prefork
Server Built: Nov 19 2015 21:43:13
Current Time: Thursday, 08-Jun-2017 16:06:30 CST
Restart Time: Thursday, 08-Jun-2017 16:04:36 CST
Parent Server Config. Generation: 1
Parent Server MPM Generation: 0
Server uptime: 1 minute 53 seconds
Server load: 0.01 0.02 0.05
Total accesses: 1 - Total Traffic: 3 kB
CPU Usage: u0 s0 cu0 cs0
.00885 requests/sec - 27 B/second - 3072 B/request
1 requests currently being processed, 4 idle workers
_W___...
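The "undefined symbol: my_aes_encrypt" failure above only surfaced when httpd tried to load the module. The following script is an added example, not part of the original article: it lists the MySQL symbols a built module still needs that none of its linked libraries export, so the problem shows up before the restart. The function names, the symbol pattern and the sample nm listings are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): pre-restart check for unresolved MySQL symbols.

# Symbol names from `nm -D` output on stdin: last field, version suffix removed.
sym_names() { awk 'NF { print $NF }' | sed 's/@.*//' | sort -u; }

# unresolved PATTERN UNDEF_FILE DEF_FILE...
# Prints undefined symbols matching PATTERN (ERE) that no DEF_FILE defines;
# returns 0 when there are none, 1 otherwise.
unresolved() {
    pattern=$1; undef=$2; shift 2
    defined=$(mktemp) || return 2
    cat /dev/null "$@" | sym_names > "$defined"
    missing=$(sym_names < "$undef" | grep -E "$pattern" | grep -Fxv -f "$defined" || true)
    rm -f "$defined"
    if [ -z "$missing" ]; then return 0; fi
    printf '%s\n' "$missing"
    return 1
}

# check_module MODULE.so: same check against the libraries ldd resolves for it.
check_module() {
    dir=$(mktemp -d) || return 2
    nm -D --undefined-only "$1" > "$dir/undef"
    : > "$dir/def.0"
    n=0
    for lib in $(ldd "$1" | awk '$3 ~ /^\// { print $3 }'); do
        n=$((n + 1)); nm -D --defined-only "$lib" > "$dir/def.$n"
    done
    unresolved '^(my_aes_|mysql_)' "$dir/undef" "$dir"/def.* && rc=0 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Constructed nm listings modelled on the article's build (not real output).
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' ' U my_aes_encrypt' ' U mysql_real_connect' ' U ap_hook_check_user_id' > "$d/undef"
    printf '%s\n' '0000000000021a40 T mysql_real_connect' > "$d/client"
    printf '%s\n' '00000000004f1c20 T my_aes_encrypt' > "$d/embedded"
    echo "linked with -lmysqlclient only, unresolved:"
    unresolved '^(my_aes_|mysql_)' "$d/undef" "$d/client" || true
    echo "with libmysqld added, unresolved:"
    unresolved '^(my_aes_|mysql_)' "$d/undef" "$d/client" "$d/embedded" && echo "(none)"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then check_module "$1"; else demo; fi
```

Run with the path of the built mod_auth_mysql.so as its argument to check a real module; without arguments it runs on the constructed listings.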

Other

The author has not tested building against the dynamic libmysqld.so, but believes that dynamic linking is still feasible; the dynamic library would need to be brought under ldconfig management.

Such third-party modules are mostly tested by their developers on the Fedora platform, and inconsistencies in header file and library dependencies keep leading to all kinds of problems, so users sometimes need to do a certain degree of "tailoring" themselves and should not blindly trust the documentation.
