DSM-G600, DNS-3xx and NSA-220 Hack Forum

See lighttpd documentation: http://trac.lighttpd.net/trac/wiki/Docs%3AModAuth
Unless you have another Linux box with htpasswd, I think using a plain password file is your only option.

It's covered in the docs that fonz pointed you at...did you read it?

I just took a quick look, but it looked relatively straightforward...create the password file and update your lighttpd.conf file to point at it...I could be minimzing the effort, as I only scanned it briefly.

what do you mean by uncomment?

I assume, I can only use the  htpasswd htdigest ldap, if I as mentioned by fonz have an extra Linux server, correct?

I just tried it, but with this lighttpd.conf file, I cant get access. I get problem loading, unable to connect, what am I doing wrong?

server.document-root = "/mnt/HD_a2/www/"
server.port = 3000
server.username = “lighttpd”
server.groupname = “lighttpd”

server.modules = (
“mod_auth”
)

mimetype.assign = (
  ".html" => "text/html",
  ".txt" => "text/plain",
  ".jpg" => "image/jpeg",
  ".png" => "image/png")

index-file.names = ( "index.php", "index.html", "index.htm", "default.htm" )

## debugging
# 0 for off, 1 for 'auth-ok' messages, 2 for verbose debugging
auth.debug                 = 0
auth.backend               = "plain"
auth.backend.plain.userfile = "\lnx_bin\lib\.passwordfile"


auth.require = ( "/to be protected dir/" =>
                 (
                   "method"  => "basic",
                   "require" => "user=xxx1|user=xxx2|user=xxx3|user=xxx4"
                 ),
                 "/server-info" =>
                 (
                   "method"  => "basic",
                   "require" => "valid-user"
                 )
               )

pwvandeursen wrote:

can anybody please help me? I'm still no step further with protecting my site.....

Thanks!
Patrick

If you are looking for a simple password protection for your website you may want to try this:

http://www.dynamicdrive.com/dynamicindex9/password.htm

I was using that to password protect a few of my jalbum pages.  It is fairly simple to add, just follow the directions, generate a usercode and passcode, and then copy the code into the html page you want protected.  This one required my friends and family to have to add my website to the "Trusted Zone" in internet explorer otherwise it wouldn't work.

But now that I have PHP running with lighttpd, I am using this:

http://www.zubrag.com/scripts/password-protect.php

It requires PHP running, but I like it better than the first one.    You have to save the password file in a different location, copy the code into your PHP file you want protected, and change the location in that code to where you saved the password file. 

I am not sure how secure either of these are.  But I just wanted to secure my pages and give family or friends access to them and keep the honest people out.

I am sure there are other ways out there that are more secure.  But I don't know too much and have been happy to just get what I have running.

Curtis,

thanks for your clear story. Let me try to answer all questions.

-----

Hi Patrick.  I'm not much more advanced than yourself, I don't think.  I'll try to help a bit, if I can.
A few thoughts ...

Well this is the first time I have done any programming and ever even touched Linux so.......

---------------------

First ... you're not really giving anyone on the forums enough information to help you debug.  Most of the time, that means people will read your post and move on.  How did you get lighttp running?  Did you start with someone's fun_plug and binaries, or did you produce your own.

I used the simple funplug I found on this site, which starts telnet, which starts the lighttpd.conf file

------

In most unix and linux configuration files, lines that start with a # are considered to be comments.  The thing that reads information from the configuration file ignores those lines.  When someone tells you to uncomment the line, they mean to ensure that the first character on the line isn`t #.

I did remove those, but didn't know these were the quotes. thats for that clarification.
----------------

It looks like you started with a template, but didn't fill everything in.  For example ... is the directory you're trying to password protect really called "to be protected dir"?  That seems to be what's indicated in the conf file.  Same goes for the users.  If I understand your config, you're askig the server to require one of four users (xxx1, xxx2, xxx3, xxx4).  Are those the users you listed in your auth.backend.plain.userfile (\lnx_bin\lib\.passwordfile)?

I did fill in as much as I could but also changed some things on the text I posted. to be protected dir, I did fill the dir I wanted protected. The uses are stored in the file caled passwordfile in the same dir as where the lighttpd.conf file is located

---------------------

The steps to get lighttp to required authorized users are, at a very high level ...
- Make sure lighttp is loading the module mod_auth (restart lighttp or re-boot the d-link)

mod_auth is loaded as far as I think, as I called it in the lighttpd.conf file as shown above.....Is that enough, and done correctly?
I have rebooted, so it must then be loaded, correct?

-------------------------

- Make sure that the plain.userfile you put in your .conf file exists, and contains a list of users.  For a plaintext userfile, I think (check the documentation in the link Fonz posted) that the format is something like
  bob:bobspassword
  frank:frankspassword
  mary:maryspassowrd
  * The users and passwords will both be case sensitive I think.

I have the users in the file and the file exists (and done in this formating) so that must be ok as well

-------------------


- Make sure that you`ve configured your directories correctly.  In the configuration file you posted, you`re asking lighttpd to secure two directories; /to be protected dir/ and /server-info.  I suspect you either want to protect the root directory (/) or your photos directory. 

THis is the part that could be incorrect......
protecting the root is the easiest and best way probably, so I'll change the line:auth.require = ( "/to be protected dir/" => to auth.require = ( "/" => the root is then: server.document-root = "/mnt/HD_a2/www/". However all the files are stored in www, which is not the real root (I stored all these files in a seperate dir. Do I have to thus put them in the real root, If that is what I am protecting?

---------------------

As well, for the first entry, you`re asking to to require very specific users.  I get the impression that`s not what you`re trying to do, so
"require" => "valid-user" (which just tells lighttpd that any valid user that enters their correct password is okay) is good enough.

So if I want to just valide users that enter their correct password., I have to remove the first part, leading to:

auth.require = ( "/" =>
                 (
                   "method"  => "basic",
                   "require" => "valid-user"
                 )
                      )

WHich is then the end of the file.....

I hope that help.

Curtis

---------------

Thanks again for the help!!

Patrick

Last edited by pwvandeursen (2007-07-20 09:17:28)

Sorry, but I don't really understand what you mean by point the browser to the lighttpd server. you mean open the index.html file that is in the root? If that is the question it does not prompt for a password, it just shows me the page. If I log in remotely it can't find anything..


My photos are under /mnt/HD_a2/www/photo webpage. the first index file is in /mnt/HD_a2/www, which points to /mnt/HD_a2/www/photo webpage, so I'm not sure I need to incorporate a short cut.

Also, if I just use the normal conf file all works well, also from external.

btw, the whole reason for this is to have a password promted for people connecting externally, and not so much internally.

Patrick

Hi Patrick.
If you just "open" the index.html file (for example using 'File' | 'Open...' on internet explorer or double-clicking on the file in Windows Explorer), you're not using lighttpd to "serve" the web page.  In order to get lighttpd to serve it to you, you would have to type something like
http://<name_of_your_dns-323>/index.html
in your address bar.
However, even if you`re successful doing that, that address is just an internal address.  In other words, only computers on your home network will know about it, unless you have some sort of service through your internet service provider that allows all of your PCs to be exposed to the internet.
If and when we run into that hurdle, I`ll probably have to google you up a tutorial or something, becuase that`s  a lot to step someone through in a forum.

If your photos live underneath the server.document.root directory (looks like it does) you won`t need the symlink.

Hope that helps,
Curtis

Hi Patrick,

I got it working - finally! - on my side. For me as a Unix beginner it was not really painfree. Anyway, let me show you how my config file looks like.
I am using Notepad++ to create UNIX format text files on a Win machine.

You can also look at the attached lighttpd.conf file as a reference.

At the beginning of the file I uncommented "mod_auth" so it gets loaded.

These are the changes in the auth module config section

#### auth module
## read authentication.txt for more info
auth.debug                   = 1
auth.backend               = "plain"
auth.backend.plain.userfile = "/mnt/HD_a2/fun_plug.d/etc/lighttpd.user"
#auth.backend.plain.groupfile = "lighttpd.group"
## for htpasswd
#auth.backend.htpasswd.userfile = "/mnt/HD_a2/fun_plug.d/etc/lighttpd-htpasswd.user"
## for htdigest
#auth.backend.htdigest.userfile = "/mnt/HD_a2/fun_plug.d/etc/lighttpd-htdigest.user"

#auth.backend.ldap.hostname = "localhost"
#auth.backend.ldap.base-dn  = "dc=my-domain,dc=com"
#auth.backend.ldap.filter   = "(uid=$)"

auth.require               = ( "/" =>
                               (
                                 "method"  => "basic",
                                 "realm"   => "slideshow",
                                 "require" => "valid-user"
                               )
                              )

I then put the lighttpd.user file with username:password in the funplug.d/etc directory.
I got everything but ldap running by now (haven't looked at that yet).
Hint: It is always useful to double check is lighttpd is running (use PS at the telnet console). If it isn't there is probably a problem with the config file or password file.
You can also kill lighttpd and restart it manually to try new conf files.

Let me know if this works for you.

Regards
Thomas

other question where to store the mod_auth.la and .so file?