Installation and configuration of httpd 2.x, mod_auth_mysql module and support for aes encryption


Preface 
A previous blog post, Apache httpd version 2.2 and part of the experiment of version 2.4, mentions in experiment 2 that the mod_auth_mysql.so module is used for HTTP authentication. This post describes the installation and configuration of that module, as well as its support for AES encryption.

  • Installation steps based on developer documentation
    Note: AES encryption is not supported in the author's CentOS 7 test environment.

First download mod_auth_mysql-3.0.0.tar.gz from the module's official website, together with the corresponding patch mod_auth_mysql_3.0.0_patch_apache2.4.diff. After unpacking the archive, copy the patch into the unpacked directory and run the following command to apply it:

$ patch -p1 < mod_auth_mysql_3.0.0_patch_apache2.4.diff

Make sure that the mariadb-libs and mariadb-devel packages and the Development Tools package group are installed; if not, install them. This avoids the header-file and library dependency problems that may otherwise appear during compilation and installation.

Compile using the apxs tool in httpd-tools package:

$ apxs -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c

After compiling, the mod_auth_mysql.la file is generated, and the module is then installed into httpd with the following command:

$ apxs -i mod_auth_mysql.la

After installation, add a configuration file under the /etc/httpd/conf.modules.d directory, here 10-mysql.conf, with the following content:

LoadModule mysql_auth_module modules/mod_auth_mysql.so

Initially, add the following configuration to /etc/httpd/conf.d/virtualhost.conf so that authentication is performed against the MySQL database:

<VirtualHost 192.168.5.181:80>
        ServerName www3.stuX.com
        LogFormat "%h %u %t \"%r\" %>s \"%{Referer}i\" \"%{User-Agent}i\"" custom3
        CustomLog /web/vhosts/www3/access_log custom3
        ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M"
        ErrorLog /web/vhosts/www3/error_log
        LogLevel info
        <Location /status>
                SetHandler server-status
                AuthType Basic
                AuthBasicAuthoritative Off
                AuthName "auth login"
                AuthUserFile /dev/null
                AuthMySQLHost 192.168.5.121
                AuthMySQLPort 3306
                AuthMySQLUser root
                AuthMySQLPassword 123456
                AuthMySQLDB http_auth
                AuthMySQLUserTable mysql_auth
                AuthMySQLNameField user_name
                AuthMySQLPasswordField user_passwd
                AuthMySQLEnable on
                AuthMySQLPwEncryption md5
                Require valid-user
        </Location>
</VirtualHost>

The AuthMySQL* directives used above are documented in the CONFIGURE file shipped in the source package. The parameters used above are explained as follows:

Directive                Explanation
AuthMySQLHost            IP address of the MySQL server
AuthMySQLPort            MySQL connection port
AuthMySQLUser            MySQL connection user
AuthMySQLPassword        Login password of the MySQL user
AuthMySQLDB              Name of the database to use
AuthMySQLUserTable       Table that holds the users to be looked up
AuthMySQLNameField       Column holding the user name that httpd authenticates
AuthMySQLPasswordField   Column holding the password value that httpd verifies against
AuthMySQLEnable          Turns authentication on
AuthMySQLPwEncryption    Format of the stored password; md5 here

Once the configuration is complete, authentication works after httpd is restarted.

  • About the support of mod_auth_mysql.so for AES encryption

The CONFIGURE document of this module mentions two directives, AuthMySQLPwEncryption and AuthMySQLSaltField. The former takes the encryption algorithm as its argument. The document describes the directive as follows:

AuthMySQLPwEncryption none | crypt | scrambled | md5 | aes | sha1 
The encryption type used for the passwords in AuthMySQLPasswordField: 
none: not encrypted (plain text) 
crypt: UNIX crypt() encryption 
scrambled: MySQL PASSWORD encryption 
md5: MD5 hashing 
aes: Advanced Encryption Standard (AES) encryption 
sha1: Secure Hash Algorithm (SHA1)

WARNING: When using aes encryption, the password field MUST be a BLOB type 
(i.e. TINYBLOB). MySQL will strip trailing x'20' characters (blanks), EVEN 
IF THE COLUMN TYPE IS BINARY!

AuthMySQLSaltField <> | <string> | mysql_column_name

Contains information on the salt field to be used for crypt and aes 
encryption methods. It can contain one of the following: 
<>: password itself is the salt field (use with crypt() only) 
<string>: "string" as the salt field 
mysql_column_name: the salt is taken from the mysql_column_name field in the 
same row as the password

This field is required for aes encryption, optional for crypt encryption. 
It is ignored for all other encryption types.
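The MySQL side of both setups, the md5 virtual host above and the aes mode described in the CONFIGURE text just quoted, as an added example that is not part of the post or of the module's distribution. It assumes the module's aes mode compares the stored BLOB against the same value MySQL's AES_ENCRYPT(password, salt) produces; the account name httpd_auth, the table mysql_auth_aes, the column user_salt and the sample values are constructed for illustration, and a SELECT-only account replaces the root login used in the virtual host above.

```sql
-- Database named in AuthMySQLDB
CREATE DATABASE http_auth;

-- Least-privilege account for httpd: it only ever needs to read the user table.
-- 192.168.5.181 is the httpd host from the VirtualHost above; the password is a placeholder.
CREATE USER 'httpd_auth'@'192.168.5.181' IDENTIFIED BY 'CHANGE-ME';
GRANT SELECT ON http_auth.mysql_auth     TO 'httpd_auth'@'192.168.5.181';
GRANT SELECT ON http_auth.mysql_auth_aes TO 'httpd_auth'@'192.168.5.181';

-- Table matching AuthMySQLUserTable / AuthMySQLNameField / AuthMySQLPasswordField
-- with AuthMySQLPwEncryption md5: the module hashes the supplied password and
-- compares the 32 hex characters. Unsalted MD5, kept here because it is what the post configures.
CREATE TABLE http_auth.mysql_auth (
  user_name   VARCHAR(64) NOT NULL PRIMARY KEY,
  user_passwd CHAR(32)    NOT NULL
);
INSERT INTO http_auth.mysql_auth (user_name, user_passwd)
VALUES ('admin', MD5('admin'));   -- constructed test credential, same as the curl -u admin:admin used later

-- Variant for AuthMySQLPwEncryption aes with AuthMySQLSaltField user_salt.
-- CONFIGURE requires a BLOB column: roughly 1 in 256 ciphertexts ends in 0x20,
-- which MySQL strips from CHAR-family columns, so the comparison would then fail.
-- Note that the key (the "salt") sits in the same row as the ciphertext, so this
-- gives no protection against someone who can read the table; it is simply what the mode requires.
CREATE TABLE http_auth.mysql_auth_aes (
  user_name   VARCHAR(64) NOT NULL PRIMARY KEY,
  user_passwd TINYBLOB    NOT NULL,
  user_salt   VARCHAR(32) NOT NULL
);
INSERT INTO http_auth.mysql_auth_aes (user_name, user_passwd, user_salt)
VALUES ('admin', AES_ENCRYPT('admin', 'per-user-key-example'), 'per-user-key-example');

-- Sanity check of the stored AES value (should return 'admin')
SELECT user_name, AES_DECRYPT(user_passwd, user_salt) AS recovered
FROM http_auth.mysql_auth_aes WHERE user_name = 'admin';
```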

As you can see, the document claims support for the AES algorithm, with the salt field specified by the AuthMySQLSaltField directive. In my CentOS 7 environment, however, switching to aes encryption makes authentication for the protected page fail, as follows:

$ curl -u admin:admin http://www3.stuX.com/status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

In the error log of httpd, you can see the following:

[error] [pid 9958] mod_auth_mysql.c(1188): [client 192.168.5.180:55586] mysql invalid encryption method as

The preliminary conclusion is that AES support was not compiled into the module. Two articles found online address this:

  1. Works plain text, AES or SHA-1 fails

  2. mod_auth_mysql with AES encryption (on Fedora 14 x64)

The solution is to add -DAES at compile time. This option is not explicitly mentioned in the documentation. The relevant source code is as follows:

......
......
#if _AES  /* Only needed if AES encryption desired */
  #include <my_global.h>
#endif
#include <mysql.h>
#if _AES
  #include <my_aes.h>
#endif
......
......

Note that -DAES therefore requires the my_global.h and my_aes.h headers. my_global.h is provided by the mariadb-devel rpm package, while my_aes.h is only found in the MariaDB source package. For convenience, the author simply copies my_aes.h from the unpacked source package into the /usr/include/mysql header directory, then compiles: 
Note: the compiler warnings below can be ignored.

$ apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -DAES -lmysqlclient -lm -lz mod_auth_mysql.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic  -DLINUX -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/httpd  -I/usr/include/apr-1   -I/usr/include/apr-1  -I/usr/include/mysql -DAES  -c -o mod_auth_mysql.lo mod_auth_mysql.c && touch mod_auth_mysql.slo
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:79,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:631:0: warning: "PACKAGE_NAME" redefined [enabled by default]
 #define PACKAGE_NAME "MySQL Server"
 ^
In file included from /usr/include/httpd/ap_config.h:138:0,
                 from /usr/include/httpd/httpd.h:44,
                 from mod_auth_mysql.c:198:
/usr/include/httpd/ap_config_auto.h:228:0: note: this is the location of the previous definition
 #define PACKAGE_NAME ""
 ^
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:79,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:632:0: warning: "PACKAGE_STRING" redefined [enabled by default]
 #define PACKAGE_STRING "MySQL Server 5.5.44"
 ^
In file included from /usr/include/httpd/ap_config.h:138:0,
                 from /usr/include/httpd/httpd.h:44,
                 from mod_auth_mysql.c:198:
/usr/include/httpd/ap_config_auto.h:231:0: note: this is the location of the previous definition
 #define PACKAGE_STRING ""
 ^
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:79,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:633:0: warning: "PACKAGE_TARNAME" redefined [enabled by default]
 #define PACKAGE_TARNAME "mysql"
 ^
In file included from /usr/include/httpd/ap_config.h:138:0,
                 from /usr/include/httpd/httpd.h:44,
                 from mod_auth_mysql.c:198:
/usr/include/httpd/ap_config_auto.h:234:0: note: this is the location of the previous definition
 #define PACKAGE_TARNAME ""
 ^
In file included from /usr/include/mysql/my_config.h:14:0,
                 from /usr/include/mysql/my_global.h:79,
                 from mod_auth_mysql.c:267:
/usr/include/mysql/my_config_x86_64.h:634:0: warning: "PACKAGE_VERSION" redefined [enabled by default]
 #define PACKAGE_VERSION "5.5.44"
 ^
In file included from /usr/include/httpd/ap_config.h:138:0,
                 from /usr/include/httpd/httpd.h:44,
                 from mod_auth_mysql.c:198:
/usr/include/httpd/ap_config_auto.h:240:0: note: this is the location of the previous definition
 #define PACKAGE_VERSION ""
 ^
mod_auth_mysql.c: In function 'str_format':
mod_auth_mysql.c:891:7: warning: format '%d' expects argument of type 'int', but argument 8 has type 'long int' [-Wformat=]
       LOG_ERROR_2(APLOG_ERR|APLOG_NOERRNO, 0, r, "MySQL ERROR: Invalid formatting character at position %d: \"%s\"",
       ^
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -std=gnu99 -Wl,-z,relro,-z,now   -o mod_auth_mysql.la  -L/usr/lib64/mysql -lmysqlclient -lm -lz -rpath /usr/lib64/httpd/modules -module -avoid-version    mod_auth_mysql.lo

After installation, the service is restarted with systemctl restart httpd.service, but it fails to start:

$ systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

$ systemctl status httpd.service -l | grep error
httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/10-mysql.conf: Cannot load modules/mod_auth_mysql.so into server: /etc/httpd/modules/mod_auth_mysql.so: undefined symbol: my_aes_encrypt

As you can see, the undefined symbol my_aes_encrypt shows that a library dependency is missing. The article mod_auth_mysql with AES encryption (on Fedora 14 x64) cited above suggests adding the shared library manually, loading it with httpd's LoadFile directive:

LoadFile   /usr/lib64/mysql/libmysqld.so

In the author's test this lets the httpd service start, but AES encryption still does not work; the mod_auth_mysql.so module itself stops working, and accessing the protected page with curl returns an empty-reply error.

  • Measures for improvement

Since loading the shared library with LoadFile does not work, libmysqld is compiled directly into the mod_auth_mysql module instead. First obtain the libmysqld library; taking MariaDB 5.5.44 as an example, it has to be built from source. Unpack the source package, enter the source directory and run cmake with the embedded server enabled:

cmake . -DWITH_EMBEDDED_SERVER=ON

Then enter the libmysqld subdirectory, confirm that a Makefile has been generated, and build it with make. 
After compiling, libmysqld.a and libmysqld.so are found in that libmysqld subdirectory. 
Note that from here on the module can be compiled in two ways:

  1. Static compilation of libmysqld into mod_auth_mysql using libmysqld.a

  2. Dynamic linking of libmysqld into mod_auth_mysql using libmysqld.so

Here, the author uses the first method. Copy libmysqld.a to the source directory of mod_auth_mysql, compile it with the following commands, install it into httpd, and restart the httpd service:

$ apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -DAES -lmysqlclient -lm -lz -l:libmysqld.a mod_auth_mysql.c

$ apxs -i mod_auth_mysql.la

$ systemctl restart httpd.service

Accessing the page with curl shows that authentication now succeeds:

$ curl -u admin:admin http://www3.stuX.com/status | less
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3789  100  3789    0     0   339k      0 --:--:-- --:--:-- --:--:--  411k
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for www3.stux.com (via 192.168.5.181)</h1>

<dl><dt>Server Version: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16</dt>
<dt>Server MPM: prefork</dt>
<dt>Server Built: Nov 19 2015 21:43:13
</dt></dl><hr /><dl>
<dt>Current Time: Thursday, 08-Jun-2017 16:06:30 CST</dt>
<dt>Restart Time: Thursday, 08-Jun-2017 16:04:36 CST</dt>
<dt>Parent Server Config. Generation: 1</dt>
<dt>Parent Server MPM Generation: 0</dt>
<dt>Server uptime:  1 minute 53 seconds</dt>
<dt>Server load: 0.01 0.02 0.05</dt>
<dt>Total accesses: 1 - Total Traffic: 3 kB</dt>
<dt>CPU Usage: u0 s0 cu0 cs0<dt>.00885 requests/sec - 27 B/second - 3072 B/request</dt>
<dt>1 requests currently being processed, 4 idle workers</dt>
</dl><pre>_W___...........................................................
................................................................
................................................................
................................................................

  • Other

  1. I have not tested dynamic linking against libmysqld.so, but I think dynamic linking is still feasible; the shared library would need to be placed under ldconfig's management.

  2. Most third-party modules like this one are tested by their developers on Fedora. Mismatched header and library dependencies regularly cause problems, so users sometimes need to adapt the build themselves rather than blindly trusting the documentation.

Tags: MySQL Fedora Apache MariaDB

Posted on Fri, 21 Dec 2018 14:18:05 -0500 by Dasndan