Apache two-factor (2FA) authentication with Google Authenticator based on Time-based One-Time Password (TOTP) or HMAC-based one-time password (HOTP) Algorithms.
License: BSD 2-Clause "Simplified" License
Hi,
I tried to make a pull request, but it somehow doesn't work.
So I ask here.
Is there a some blocking timer after too many attempts of the wrong 6 digit Auth key?
So is there any way to prevent a Brute Force Attack?
I am using apache with mod_evasive, too.
hi
Is it possible to use active directory for user auth and then the 2fa ?
Thanks
Hi,
Nice work on the 2fa part, i am building a proxy that uses this but i want to be able to proxy requests to an internal machine, and im about to pull my hair out.....
Where to put the proxy in, so it wont skip auth/2fa?
I'm getting this error using ispconfig3:
This page isn’t working
mydomain.com redirected you too many times.
Try clearing your cookies.
ERR_TOO_MANY_REDIRECTS
I followed your instructions carefully. Is there anything I should do or test?
I have completed 1st step of authentication, but after successful authenticate google authenticate page will not come, straight redirect to protected directory. Not sure why?
Can you please help me out?
My Virtual Host file look like below
i am working in xampp on localhost in ubuntu
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/auth/
#RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
RewriteCond %{REQUEST_URI} !^/auth/
#RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /opt/lampp/htdocs/2factor/apache_2fa/state/%1 !-f
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
ScriptAlias /auth/ /opt/lampp/htdocs/2factor/apache_2fa/
<Directory /opt/lampp/htdocs/2factor/apache_2fa>
AuthType Digest
AuthName "dev.apache2fa.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /opt/lampp/htdocs/2factor/apache_2fa/apache_credentials
Require valid-user
<Directory /opt/lampp/htdocs/Temp>
AuthType Digest
AuthName "dev.apache2fa.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /opt/lampp/htdocs/2factor/apache_2fa/apache_credentials
Require valid-user
</Directory>
Hi, could you please me to resolve issue, all has been done as required . Only auth triggers fail
[Wed Apr 22 17:44:52.088407 2020] [authz_core:error] [pid 5392:tid 140583272183552] [client 10.9.9.97:51653] AH01630: client denied by server configuration: /etc/apache2/apache_2faauth
[Wed Apr 22 17:44:52.133027 2020] [authz_core:error] [pid 5392:tid 140583247005440] [client 10.9.9.97:51653] AH01630: client denied by server configuration: /etc/apache2/apache_2faauth
[Wed Apr 22 17:45:14.550158 2020] [mpm_event:notice] [pid 4969:tid 140583751044032] AH00493: SIGUSR1 received. Doing graceful restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
[Wed Apr 22 17:45:14.602942 2020] [mpm_event:notice] [pid 4969:tid 140583751044032] AH00489: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
[Wed Apr 22 17:45:14.602957 2020] [core:notice] [pid 4969:tid 140583751044032] AH00094: Command line: '/usr/sbin/apache2'
[Wed Apr 22 17:45:37.082281 2020] [auth_digest:error] [pid 5475:tid 140583660463872] [client 10.9.9.97:51656] AH01790: user user_test' in realm home.me' not found: /auth/auth
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /etc/apache2/apache_2fa/state/%1 !-f
RewriteRule ^(.)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
ScriptAlias /auth/ /etc/apache2/apache_2fa/
<Directory /etc/apache2/apache_2fa/>
AuthType Digest
AuthName "home.me"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /etc/apache2/apache_2fa/apache_credentials
Require valid-user
<Directory /var/www/>
AuthType Digest
AuthName "home.me"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /etc/apache2/apache_2fa/apache_credentials
Require valid-user
Running on apache 2.4.50.
I get redirected to /auth/auth?/%3f every time
I got your script to work and authenticate users/passwords/otps
but i think because the rewrite rules any page request gets send to the 2fa screen, for me to only protect folder /new/ i had to add
RewriteCond %{REQUEST_URI} ^/new/
before any of other rewrite conditions.
I've followed README.md, but still have issues:
After all is said and do, I go to the page, and I'm prompted with an auth prompt, which I successfully complete, and when I'm supposed to be forwarded to the google authenticator phase, I get a 500 error, and the error log says:
[cgid:error] [pid 9002] [client xxx.xxx.xxx.xxx:54750] End of script output before headers: auth
Not sure what the issue is. Any suggestions
At the end of your Guide you Mixed Up clean_state
The files Name is state_clean
But your cronjob dass clean_state
Have an good day and thank you.
I'm not a Python expert, but using Ubuntu 16.04 I found the current instructions apparently start python3 by default. In Linux, "python" start Python v2.x while "python3" starts Python v3.x. Meanwhile, "pip" starts the package manager for Python v2.x, so the instruction to install the onetimepass resulted in python3 being unable to import the module.
To fix, I installed pip3:
sudo apt install python3-pip
Then added onetimepass:
sudo -H pip3 install onetimepass
Then everything worked as expected. Thanks very much for Apache_2fa!
Hi,
Thank You for this great package.
I am stuck and can't access my website anymore.
My apache2.conf looks like this:
<
Options -Indexes
Options FollowSymLinks
AllowOverride None
Require all denied
<Directory /usr/share>
AllowOverride None
Require all granted
<Directory /var/www/html/private_website/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
My Virtual Host looks like:
ServerAdmin admin@localhost ServerName mywebsite.com ServerAlias mywebsite.com DocumentRoot /var/www/html/private_website/ ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/apache.key SSLCompression off SSLOptions +StdEnvVars SSLOptions +StdEnvVars BrowserMatch "MSIE [2-6]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [17-9]" ssl-unclean-shutdownRewriteEngine On
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.2FA_Auth=([a-zA-Z0-9]+)
RewriteCond </home/pi/apache_2fa>/state/%1 !-f
RewriteRule ^(.)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
ScriptAlias /auth/ </home/pi/apache_2fa>/
<Directory </home/pi/apache_2fa/>>
AuthType Digest
AuthName "mywebsite.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile </home/pi/apache_2fa>/apache_credentials
Require valid-user
<Directory </var/www/html/private_website/>>
AuthType Digest
AuthName "mywebsite.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile </home/pi/apache_2fa>/apache_credentials
Require valid-user
I get the error 403 Forbidden.
before all worked fine with ssl certificate etc.
The file I access is the index.html file
I type into the browser:
https://mywebsite.com:1111/private_website/
and the rewrite creates: https://mywebsite.com:1111/auth/auth?/private_website/%3f
Website and the folder name are changed, but illustrate the same issue.
I hope you can help me :)
From the Apache http documentation regarding AuthDigest which is used as an example in this project's documentation:
This module implements HTTP Digest Authentication (RFC2617), and provides an alternative to mod_auth_basic where the password is not transmitted as cleartext. However, this does not lead to a significant security advantage over basic authentication. On the other hand, the password storage on the server is much less secure with digest authentication than with basic authentication. Therefore, using basic auth and encrypting the whole connection using mod_ssl is a much better alternative.
I'm new to 2FA and just set it up for my private web services.
Now I'm wondering if we aren't missing a "destroy token" functionality which could be triggered when a user logs out from an application. As only logging out of the application would still leave the token valid.
Before I start adding the related functionality, I thought I ask for your thoughts, just to make sure I didn't miss something here.
Using the Apache 2FA authentication method, how can I bypass authentication for an IP address range? The idea being that any external requests coming in via the internet are always required to authenticate but requests coming from within our company network will not be authenticated.
Thank you for your Authenticator code.
It almost works for me... but I'm stuck at page asking me token...
Can't understand what I did wrong.
My setup: ubuntu server 17.04 with default apache setup (with default index.html page i'm trying to protect)
Website page located at: /var/www/html/
Your code was cloned to: /var/www/a2fa/
I added lines listed below to my /etc/apache2/sites-available/000-default.conf:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /var/www/a2fa/state/%1 !-f
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
ScriptAlias /auth/ /var/www/a2fa/
<Directory /var/www/a2fa>
AuthType Digest
AuthName "yourdomain.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /var/www/a2fa/apache_credentials
Require valid-user
</Directory>
<Directory /var/www/html>
AuthType Digest
AuthName "yourdomain.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /var/www/a2fa/apache_credentials
Require valid-user
</Directory>
I can pass apache digest authentication. But OTP token is not accepted, and google auth page is shown again and again.
I can see that cookie files appear in /var/www/a2fa/state folder, so it means that token is valid... but it seems that apache rewrite rules fail somewhere.
Could you please advise.
Hi,
I've followed the instructions in the readme file to the letter, for a test domain.
When I attempt to authenticate, the redirect URL changes to the following:
http://test/auth/auth?/%3f
When I look at the Apache error logs, I can see the following:
End of script output before headers: auth.
I noticed someone else reported this previously so I attempted to run the ./auth script directly yet this comes up with the following:
No module named 'onetimepass'
This module was previously installed using sudo pip install onetimepass, yet when I attempt to install it again, I see the following message:
sudo pip install onetimepass
The directory '/home/<user>/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/<user>/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Requirement already satisfied: onetimepass in /usr/local/lib/python2.7/dist-packages
Requirement already satisfied: six in /usr/lib/python2.7/dist-packages (from onetimepass)
Any clues would be greatly appreciated.
When implementing this solution I am not able to gain access to the protected page.
By printing the generated token on the auth page I was able to see that the token is not the same as google authenticator generates on my phone.
I have checked the file for the secret key and they are the same.
Hello,
I have a question regarding the user Authentication, Would be possible to use Active directory instead of local users.
Best Regards,
Hamzaoui
I am trying to use the 2fa with LDAP authentication. I have referred to the guide here https://www.hallam.ch/blog/index.php/2020/01/13/apache-and-two-factor-authentication-2fa-using-ldap-accounts/
I have setup everything properly but after entering my ldap credentials I get internal server error.
Hi,
French guy, apache 2.4, ubuntu 18.04
After installing all, web site ask me for login and password then show me only a white page with :
Contact your administrator to obtain your 2FA secret.
What i am doing wrong ? Thanks !
`
<VirtualHost *:1443>
ServerName denis.xxx.com
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} !^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
RewriteCond %{REQUEST_URI} !^/auth/
RewriteCond %{HTTP_COOKIE} ^.*2FA_Auth=([a-zA-Z0-9]+)
RewriteCond /etc/apache2/2fa/apache_2fa/state/%1 !-f
RewriteRule ^(.*)$ /auth/auth?$1?%{QUERY_STRING} [L,R=302]
ScriptAlias /auth/ /etc/apache2/2fa/apache_2fa/
<Directory /etc/apache2/2fa/apache_2fa>
AuthType Digest
AuthName "denis.xxx.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /etc/apache2/2fa/apache_2fa/apache_credentials
Require valid-user
</Directory>
<Directory /var/www/html/android>
AuthType Digest
AuthName "denis.xxx.com"
AuthDigestDomain /
AuthDigestProvider file
AuthUserFile /etc/apache2/2fa/apache_2fa/apache_credentials
Require valid-user
</Directory>
Include ssl.conf
`
I'm using mod_proxy in front of an internal https server. I'm using a location as follows:
AuthType Digest AuthName "Please login" AuthDigestUserFile /usr/local/apache/accounts.pwd Require valid-user ProxyPass https://internal server/ ProxyPassReverse https://internal server/ Order allow,deny Allow from allThis works great and authenticates perfectly before proxying the traffic. I would love to use Google Authenticator with this, but this module seems to require it's config to be in a directory, not location. Is there any way to make this work with Location so I can utility mod_proxy?
Thanks,
Bob
Hi,
head -10 /dev/urandom | md5sum | cut -b 1-30
However, when I do that and the key contains an "8" character, Google Authenticator says "illegal character".
thanks!
BC
Hi Itemir,
I have no experienced background in Apache and Virtual Hosts, but I would like to implement the following. I have one amazon server instance (linux) with a running Jenkins on 'localhost:8080'. I want the user to use Multifactor authentication on Port 80, and provide the user access to Jenkins via the Proxy after authentication.
Regretfully it is not possible to set up a Proxy using the Directory block, or I at least don't know how. Do you see a possibility to use your code in combination with a Proxy?
Kind Regards,
Bert
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.