-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathadd_http_auth.sh
executable file
·275 lines (242 loc) · 8.11 KB
/
add_http_auth.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
#!/bin/bash
# Script to add HTTP Basic authentication to an .htaccess file
# The password is stored in an .htpasswd file
# Function to display help
show_help() {
echo "Usage: $0 [options]"
echo "Options:"
echo " -f, --file Path to the .htaccess file (default: ./.htaccess)"
echo " -p, --passwd Path to the .htpasswd file (default: ./.htpasswd)"
echo " -u, --user Username (default: 'admin')"
echo " -s, --password Password (if not specified, it will be asked interactively)"
echo " -e, --encrypt Encryption method: md5, bcrypt, sha1 (default: 'bcrypt')"
echo " -i, --ip Comma-separated list of IP addresses allowed without authentication"
echo " -a, --apache Apache version: 2.2 or 2.4 (default: '2.4')"
echo " -h, --help Display this help"
exit 0
}
# Function to get absolute path without relying on realpath
get_absolute_path() {
local path="$1"
# If the path is already absolute, return it as is
if [[ "$path" = /* ]]; then
echo "$path"
return
fi
# Otherwise, build the absolute path
echo "$(cd "$(dirname "$path")" 2>/dev/null && pwd)/$(basename "$path")"
}
# Function to generate an htpasswd entry
generate_htpasswd_entry() {
local username="$1"
local password="$2"
local encrypt_method="$3"
case "$encrypt_method" in
md5)
if command -v openssl &> /dev/null; then
# Generate MD5 hash with openssl
local hash=$(echo -n "$password" | openssl passwd -apr1 -stdin)
echo "$username:$hash"
else
echo "Error: openssl command not found. Cannot generate MD5 hash."
exit 1
fi
;;
bcrypt)
if command -v htpasswd &> /dev/null; then
# Use htpasswd to generate bcrypt hash
htpasswd -bnBC 10 "$username" "$password" 2>/dev/null
else
echo "Error: htpasswd command not found. Cannot generate bcrypt hash."
echo "Please install apache2-utils (Debian/Ubuntu) or httpd-tools (CentOS/RHEL)."
exit 1
fi
;;
sha1)
if command -v openssl &> /dev/null; then
# Generate SHA1 hash with openssl
local hash=$(echo -n "$password" | openssl passwd -5 -stdin)
echo "$username:$hash"
else
echo "Error: openssl command not found. Cannot generate SHA1 hash."
exit 1
fi
;;
*)
echo "Error: Unknown encryption method: $encrypt_method"
exit 1
;;
esac
}
# Function to generate IP-based access rules
generate_ip_rules() {
local ip_list="$1"
local apache_version="$2"
local rules=""
# If IP list is empty, return empty rules
if [ -z "$ip_list" ]; then
echo ""
return
fi
# Format the IP list for use in the rules
# Replace commas with spaces for Apache 2.4 Require ip directive
local formatted_ip_list=${ip_list//,/ }
# Start the rules block
rules="# Allow access from specific IP addresses without authentication\n"
if [ "$apache_version" = "2.2" ]; then
# Apache 2.2 syntax
# Replace spaces with | for regex OR
local regex_ip_list=${ip_list//,/|}
rules="${rules}SetEnvIf Remote_Addr \"^(${regex_ip_list})$\" ALLOW_ACCESS\n"
rules="${rules}Order deny,allow\n"
rules="${rules}Deny from all\n"
rules="${rules}Allow from env=ALLOW_ACCESS\n"
rules="${rules}Satisfy any\n\n"
else
# Apache 2.4 syntax using RequireAny
rules="${rules}<RequireAny>\n"
rules="${rules} Require ip ${formatted_ip_list}\n"
rules="${rules} Require valid-user\n"
rules="${rules}</RequireAny>\n\n"
fi
echo -e "$rules"
}
# Default values
HTACCESS_FILE="./.htaccess"
HTPASSWD_FILE="./.htpasswd"
USERNAME="admin"
PASSWORD=""
ENCRYPT_METHOD="bcrypt"
ALLOWED_IPS=""
APACHE_VERSION="2.4"
# Process arguments
while [[ $# -gt 0 ]]; do
case $1 in
-f|--file)
HTACCESS_FILE="$2"
shift 2
;;
-p|--passwd)
HTPASSWD_FILE="$2"
shift 2
;;
-u|--user)
USERNAME="$2"
shift 2
;;
-s|--password)
PASSWORD="$2"
shift 2
;;
-e|--encrypt)
ENCRYPT_METHOD="$2"
shift 2
;;
-i|--ip)
ALLOWED_IPS="$2"
shift 2
;;
-a|--apache)
APACHE_VERSION="$2"
shift 2
;;
-h|--help)
show_help
;;
*)
echo "Unknown option: $1"
show_help
;;
esac
done
# Validate encryption method
if [[ ! "$ENCRYPT_METHOD" =~ ^(md5|bcrypt|sha1)$ ]]; then
echo "Error: Invalid encryption method. Valid options are: md5, bcrypt, sha1"
exit 1
fi
# Validate Apache version
if [[ ! "$APACHE_VERSION" =~ ^(2.2|2.4)$ ]]; then
echo "Error: Invalid Apache version. Valid options are: 2.2, 2.4"
exit 1
fi
# Convert to absolute paths without using realpath
HTACCESS_PATH=$(get_absolute_path "$HTACCESS_FILE")
HTPASSWD_PATH=$(get_absolute_path "$HTPASSWD_FILE")
# Check if directories exist
HTACCESS_DIR=$(dirname "$HTACCESS_PATH")
if [ ! -d "$HTACCESS_DIR" ]; then
echo "Error: The directory for the .htaccess file '$HTACCESS_DIR' does not exist."
exit 1
fi
HTPASSWD_DIR=$(dirname "$HTPASSWD_PATH")
if [ ! -d "$HTPASSWD_DIR" ]; then
echo "Error: The directory for the .htpasswd file '$HTPASSWD_DIR' does not exist."
exit 1
fi
# Check if the .htaccess file already exists
if [ -f "$HTACCESS_PATH" ]; then
echo "The .htaccess file already exists at '$HTACCESS_PATH'."
# Check if authentication is already configured
if grep -q "AuthType Basic" "$HTACCESS_PATH"; then
echo "HTTP Basic authentication is already configured in the .htaccess file."
exit 0
fi
else
echo "Creating a new .htaccess file at '$HTACCESS_PATH'."
touch "$HTACCESS_PATH"
fi
# Ask for password if not specified as an argument
if [ -z "$PASSWORD" ]; then
echo -n "Please enter the password for user '$USERNAME': "
read -s PASSWORD
echo ""
# Check that the password is not empty
if [ -z "$PASSWORD" ]; then
echo "Error: Password cannot be empty."
exit 1
fi
else
echo "Using password provided as argument."
fi
# Create or update the .htpasswd file
if [ ! -f "$HTPASSWD_PATH" ]; then
echo "Creating .htpasswd file at '$HTPASSWD_PATH'."
touch "$HTPASSWD_PATH"
fi
# Generate the entry in the .htpasswd file using our function
echo "Generating entry for user '$USERNAME' in the .htpasswd file using $ENCRYPT_METHOD encryption."
generate_htpasswd_entry "$USERNAME" "$PASSWORD" "$ENCRYPT_METHOD" > "$HTPASSWD_PATH"
# Generate IP-based access rules if IPs are provided
IP_RULES=""
if [ -n "$ALLOWED_IPS" ]; then
echo "Configuring access without authentication for IPs: $ALLOWED_IPS (Apache $APACHE_VERSION syntax)"
IP_RULES=$(generate_ip_rules "$ALLOWED_IPS" "$APACHE_VERSION")
fi
# Add authentication configuration to the .htaccess file
cat << EOF >> "$HTACCESS_PATH"
# HTTP Basic Authentication Configuration
AuthType Basic
AuthName "Restricted Area"
AuthUserFile "$HTPASSWD_PATH"
EOF
# For Apache 2.4 without IP rules or Apache 2.2, we need to add Require valid-user
if [ -z "$ALLOWED_IPS" ]; then
if [ "$APACHE_VERSION" = "2.4" ]; then
echo "Require valid-user" >> "$HTACCESS_PATH"
elif [ "$APACHE_VERSION" = "2.2" ]; then
echo "Require valid-user" >> "$HTACCESS_PATH"
fi
fi
# Add IP rules if any
if [ -n "$IP_RULES" ]; then
echo -e "$IP_RULES" >> "$HTACCESS_PATH"
fi
echo "HTTP Basic authentication successfully added to the .htaccess file."
echo "Username: $USERNAME"
echo "Encryption method: $ENCRYPT_METHOD"
echo "Password file: $HTPASSWD_PATH"
echo "Apache version: $APACHE_VERSION"
if [ -n "$ALLOWED_IPS" ]; then
echo "IPs allowed without authentication: $ALLOWED_IPS"
fi
exit 0