Configure mod_authnz_pam to use OS users for Basic Authentication in httpd.
Username and password are sent in plain text with Basic Authentication, so ensure you're using a secure connection with SSL/TLS.
Install the mod_authnz_pam module and enable it.
# Install mod_authnz_pam
[root@www ~]# dnf -y install mod_authnz_pam
# Enable the module
[root@www ~]# vi /etc/httpd/conf.modules.d/55-authnz_pam.conf
# Uncomment the following line
LoadModule authnz_pam_module modules/mod_authnz_pam.so
# Restart httpd to apply changes
[root@www ~]# systemctl restart httpd
Set up Basic Authentication with PAM for a specific directory, for example, /var/www/html/auth-pam.
# Configure Basic Authentication with PAM
[root@www ~]# vi /etc/httpd/conf.d/authnz_pam.conf
# Add the following configuration
<Directory "/var/www/html/auth-pam">
SSLRequireSSL
AuthType Basic
AuthName "PAM Authentication"
AuthBasicProvider PAM
AuthPAMService httpd-auth
Require valid-user
</Directory>
# Create and configure PAM service for httpd
[root@www ~]# vi /etc/pam.d/httpd-auth
# Add the following lines
auth required pam_listfile.so item=user sense=deny file=/etc/httpd/conf.d/denyusers onerr=succeed
auth include system-auth
account include system-auth
# Create a deny list for users
[root@www ~]# vi /etc/httpd/conf.d/denyusers
# Add users you want to prohibit
root
user01
user02
# Set permissions for the deny list
[root@www ~]# chgrp apache /etc/httpd/conf.d/denyusers
[root@www ~]# chmod 640 /etc/httpd/conf.d/denyusers
# Change permission so httpd can read the shadow file
# (every process running in the apache group can then read all local password hashes)
[root@www ~]# chgrp apache /etc/shadow
[root@www ~]# chmod 440 /etc/shadow
# Reload httpd to apply the configuration
[root@www ~]# systemctl reload httpd
# Create a test page
[root@www ~]# mkdir /var/www/html/auth-pam
[root@www ~]# vi /var/www/html/auth-pam/index.html
<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Test Page for PAM Authentication
</div>
</body>
</html>
If SELinux is enabled, modify the policy to allow httpd to use PAM.
# Set SELinux boolean for httpd_mod_auth_pam
[root@www ~]# setsebool -P httpd_mod_auth_pam on
Access the test page from any client computer with a web browser. The settings require authentication as an OS user. Because the directory sets SSLRequireSSL, plain HTTP requests are refused, so use an https:// URL.
https://[your-server's-domain-or-IP]/auth-pam/index.html
This configuration lets Apache httpd authenticate against the OS user accounts, so access to the directory is managed with the server's existing accounts.
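A check for the deny-list steps above, as an added example that is not part of the original page: it reads the pam_listfile rule from the PAM service file, then verifies that the deny list exists, has the permissions set above and still contains root. The function names are hypothetical, and GNU stat is assumed.

```shell
#!/bin/bash
# Added example: audit the pam_listfile deny-list setup described above.
# Usage (as root): audit_deny_list /etc/pam.d/httpd-auth

# Print the value of KEY= on the pam_listfile auth line of a PAM service file.
listfile_opt() {    # listfile_opt SERVICE_FILE KEY
    awk -v key="$2" '$1 == "auth" && $3 == "pam_listfile.so" {
        for (i = 4; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
    }' "$1"
}

# Succeed only if USER appears as a whole line in the deny list.
user_listed() {     # user_listed DENY_FILE USER
    grep -Fxq -- "$2" "$1"
}

# Print one finding per line; print nothing and return 0 when the setup is clean.
audit_deny_list() { # audit_deny_list SERVICE_FILE
    local svc=$1 file onerr mode findings=0 unread=0
    file=$(listfile_opt "$svc" file)
    onerr=$(listfile_opt "$svc" onerr)
    if [ -z "$file" ]; then
        echo "no pam_listfile rule with file= in $svc"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "deny list $file is missing"; findings=1; unread=1
    else
        mode=$(stat -c %a "$file")
        # Others-write bit: any local user could remove names from the list.
        if [ $(( 0$mode & 0002 )) -ne 0 ]; then
            echo "$file is world-writable (mode $mode)"; findings=1
        fi
        # Group-read bit clear: the chgrp apache / chmod 640 step was skipped.
        if [ $(( 0$mode & 0040 )) -eq 0 ]; then
            echo "$file is not group-readable (mode $mode)"; findings=1; unread=1
        fi
        user_listed "$file" root || { echo "root is not listed in $file"; findings=1; }
    fi
    # With onerr=succeed, a list httpd cannot open makes the rule pass for everyone.
    [ "$onerr" = "succeed" ] && [ "$unread" -ne 0 ] &&
        echo "onerr=succeed: the deny rule fails open until this is fixed"
    return "$findings"
}
```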