-------------------------------------------------------------------------------
Important:  First read the introduction in "apache_auth_basic.txt"

-------------------------------------------------------------------------------
Set up apache server so only file owners can access files in a sub-directory

Install modules

   authz_owner          file owner authorization (standard install)
   mod_authnz_external  external program authentication
   pwauth               provide PAM password authentication
   mod_ssl              enable SSL and the SSLRequireSSL (forbiden if not)
   mod_pam              authenticate local users using pam

=======8<--------CUT HERE----------
<Directory "/home/*/public_html/secure">
    # Require SSL connection for password protection.
    SSLRequireSSL

    # Set up use of external authentication (via pam)
    AuthType Basic
    AuthName "User Secure Area"
    AuthBasicProvider external
    AuthExternal pwauth

    # Access Control (who can access)
    #require valid-user
    require file-owner
    require user test
</Directory>
=======8<--------CUT HERE----------

This allow only the owner, or user 'test' to access the files in that
sub-directory.

NOTE only works for files, it does not work for virtual information
such as PHP or CGI access thru that URI.

-------------------------------------------------------------------------------
Adjust to auto redirect HTTP to HTTPS

Note that this must happen BEFORE the authentication is requested as such the
redirection must be in HTTP Virtual host, while the authentication must ONLY
be done in the HTTPS virtual host.  NOTE: this restriction means ".htaccess"
files can NOT be used as they are looked at by BOTH virtual hosts.

In "userdir.conf"
=======8<--------CUT HERE----------
<Directory "/home/*/public_html/secure">
    # Require SSL connection for password protection.
    #SSLRequireSSL

    # Map HTTP to HTTPS
    RewriteEngine On
    # check it not https
    RewriteCond %{HTTPS} !=on
    # redirect users using http to https with same URI
    RewriteRule . https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

</Directory>
=======8<--------CUT HERE----------

In "ssl.conf"
=======8<--------CUT HERE----------
<VirtualHost _default_:443>
   ...

  DefineExternalAuth pwauth pipe /usr/bin/pwauth

  <Directory "/home/*/public_html/secure">
    # Set up use of external authentication (via pam)
    AuthType Basic
    AuthName "User Secure Area"
    AuthBasicProvider external
    AuthExternal pwauth

    # Access Control (who can access)
    #require valid-user
    require user test
    require file-owner
  </Directory>

</VirtualHost>
=======8<--------CUT HERE----------

NOTE: the separation is to ensure that authentication only occurs after
the user is redirected to use the HTTPS protocol


-------------------------------------------------------------------------------
Authorize users to access a 'secure' sub-directory of there home.

NOTE: The Group is being used as autherizor to test if this user is allowed to
access a specific URI.  This seems to have some caching, if you try to access
the same URI immediately after a previous try, but does seem to be working.

Expand the "ssl.conf" section above...
=======8<--------CUT HERE----------
<VirtualHost _default_:443>
   ...

  DefineExternalAuth   pwauth   pipe /usr/bin/pwauth
  DefineExternalGroup  authhome pipe /path/to/authorize_home

  <Directory "/home/*/public_html/secure">
    # Set up use of external authentication (via pam)
    AuthType Basic
    AuthName "User Secure Area"
    AuthBasicProvider external
    AuthExternal pwauth
    GroupExternal authhome

    # Access Control (who can access)
    #Require valid-user
    #Require file-owner
    Require user test
    Require external-group access_to_home_secure

  </Directory>

=======8<--------CUT HERE----------

Note the script does not check the given group "access_to_home_secure"
Instead the URI (from the passed environment) is being checked instead,
to determine if the user is allowed access.

The Authenticator "authorize_home"...
=======8<--------CUT HERE----------
#!/bin/perl
#
# Authorize access to home directory (URI) of an authenticated user (USER)
#
# Called from apache configuration using mod_authnz_external as a group
# authenticator (misused for authorization).
#
# Anthony Thyssen, 3 Feb 2014
#
chomp($USER=<STDIN>);
exit 0 if $ENV{URI} =~ m|/~$USER/|;  # true if it is this users home
exit 1;                              # false -- user is denied group access

=======8<--------CUT HERE----------

NOTE: This is just checking that the authenticated user matches the users home,
and not the specific sub-directory of the users home, which is defined by the
SSL configuration.

-------------------------------------------------------------------------------