mod_authn_socache.html.en 18.8 KB
Newer Older
powelld's avatar
powelld committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
<html xmlns="" lang="en" xml:lang="en"><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
              This file is generated from xml source: DO NOT EDIT
<title>mod_authn_socache - Apache HTTP Server Version 2.4</title>
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
<script src="../style/scripts/prettify.min.js" type="text/javascript">

<link href="../images/favicon.ico" rel="shortcut icon" /></head>
<div id="page-header">
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.4</p>
<img alt="" src="../images/feather.png" /></div>
<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="">Apache</a> &gt; <a href="">HTTP Server</a> &gt; <a href="">Documentation</a> &gt; <a href="../">Version 2.4</a> &gt; <a href="./">Modules</a></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authn_socache</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="../en/mod/mod_authn_socache.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/mod/mod_authn_socache.html" hreflang="fr" rel="alternate" title="Franais">&nbsp;fr&nbsp;</a></p>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Manages a cache of authentication credentials to relieve
the load on backends</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">ModuleIdentifier:</a></th><td>authn_socache_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">SourceFile:</a></th><td>mod_authn_socache.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Version 2.3 and later</td></tr></table>

    <p>Maintains a cache of authentication credentials, so that a new backend
    lookup is not required for every authenticated request.</p>
<div id="quickview"><a href="" class="badge"><img src="" alt="Support Apache!" /></a><h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="../images/down.gif" /> <a href="#intro">Authentication Cacheing</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#usage">Usage</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#dev">Cacheing with custom modules</a></li>
</ul><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#authncachecontext">AuthnCacheContext</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authncacheenable">AuthnCacheEnable</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authncacheprovidefor">AuthnCacheProvideFor</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authncachesocache">AuthnCacheSOCache</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#authncachetimeout">AuthnCacheTimeout</a></li>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="">httpd changelog</a></li><li><a href=";list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_authn_socache">Known issues</a></li><li><a href=";component=mod_authn_socache">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
<li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="intro" id="intro">Authentication Cacheing</a></h2>
    <p>Some users of more heavyweight authentication such as SQL database
    lookups (<code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code>) have reported it putting an
    unacceptable load on their authentication provider.  A typical case
    in point is where an HTML page contains hundreds of objects
    (images, scripts, stylesheets, media, etc), and a request to the page
    generates hundreds of effectively-immediate requests for authenticated
    additional contents.</p>
    <p>mod_authn_socache provides a solution to this problem by
    maintaining a cache of authentication credentials.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="usage" id="usage">Usage</a></h2>
    <p>The authentication cache should be used where authentication
    lookups impose a significant load on the server, or a backend or
    network.  Authentication by file (<code class="module"><a href="../mod/mod_authn_file.html">mod_authn_file</a></code>)
    or dbm (<code class="module"><a href="../mod/mod_authn_dbm.html">mod_authn_dbm</a></code>) are unlikely to benefit,
    as these are fast and lightweight in their own right (though in some
    cases, such as a network-mounted file, cacheing may be worthwhile).
    Other providers such as SQL or LDAP based authentication are more
    likely to benefit, particularly where there is an observed
    performance issue.  Amongst the standard modules, <code class="module"><a href="../mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> manages its own cache, so only
    <code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code> will usually benefit from this cache.</p>
    <p>The basic rules to cache for a provider are:</p>
    <ol><li>Include the provider you're cacheing for in an
            <code class="directive">AuthnCacheProvideFor</code> directive.</li>
        <li>List <var>socache</var> ahead of the provider you're
            cacheing for in your <code class="directive"><a href="../mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> or <code class="directive"><a href="../mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code> directive.</li>
    <p>A simple usage example to accelerate <code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code>
    using dbm as a cache engine:</p>
    <pre class="prettyprint lang-config">#AuthnCacheSOCache is optional.  If specified, it is server-wide
AuthnCacheSOCache dbm
&lt;Directory "/usr/www/myhost/private"&gt;
    AuthType Basic
    AuthName "Cached Authentication Example"
    AuthBasicProvider socache dbd
    AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
    AuthnCacheProvideFor dbd
    Require valid-user
    AuthnCacheContext dbd-authn-example

</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="dev" id="dev">Cacheing with custom modules</a></h2>
    <p>Module developers should note that their modules must be enabled
    for cacheing with mod_authn_socache.  A single optional API function
    <var>ap_authn_cache_store</var> is provided to cache credentials
    a provider has just looked up or generated.  Usage examples are
    available in <a href=";revision=957072">r957072</a>, in which three authn providers are enabled for cacheing.</p>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthnCacheContext" id="AuthnCacheContext">AuthnCacheContext</a> <a name="authncachecontext" id="authncachecontext">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specify a context string for use in the cache key</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheContext <var>directory|server|custom-string</var></code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>directory</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr>
    <p>This directive specifies a string to be used along with the supplied
    username (and realm in the case of Digest Authentication) in constructing
    a cache key.  This serves to disambiguate identical usernames serving
    different authentication areas on the server.</p>
    <p>Two special values for this are <var>directory</var>, which uses
    the directory context of the request as a string, and <var>server</var>
    which uses the virtual host name.</p>
    <p>The default is <var>directory</var>, which is also the most
    conservative setting.  This is likely to be less than optimal, as it
    (for example) causes <var>$app-base</var>, <var>$app-base/images</var>,
    <var>$app-base/scripts</var> and <var>$app-base/media</var> each to
    have its own separate cache key.  A better policy is to name the
    <code class="directive">AuthnCacheContext</code> for the password
    provider: for example a <var>htpasswd</var> file or database table.</p>
    <p>Contexts can be shared across different areas of a server, where
    credentials are shared.  However, this has potential to become a vector
    for cross-site or cross-application security breaches, so this directive
    is not permitted in <var>.htaccess</var> contexts.</p>

<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthnCacheEnable" id="AuthnCacheEnable">AuthnCacheEnable</a> <a name="authncacheenable" id="authncacheenable">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable Authn caching configured anywhere</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheEnable</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>None</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr>
    <p>This directive is not normally necessary: it is implied if
    authentication cacheing is enabled anywhere in <var>httpd.conf</var>.
    However, if it is not enabled anywhere in <var>httpd.conf</var>
    it will by default not be initialised, and is therefore not
    available in a <var>.htaccess</var> context.  This directive
    ensures it is initialised so it can be used in <var>.htaccess</var>.</p>

<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthnCacheProvideFor" id="AuthnCacheProvideFor">AuthnCacheProvideFor</a> <a name="authncacheprovidefor" id="authncacheprovidefor">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specify which authn provider(s) to cache for</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheProvideFor <var>authn-provider</var> [...]</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>None</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr>
    <p>This directive specifies an authentication provider or providers
    to cache for.  Credentials found by a provider not listed in an
    AuthnCacheProvideFor directive will not be cached.</p>

    <p>For example, to cache credentials found by <code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code>
    or by a custom provider <var>myprovider</var>, but leave those looked
    up by lightweight providers like file or dbm lookup alone:</p>
    <pre class="prettyprint lang-config">AuthnCacheProvideFor dbd myprovider</pre>

<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthnCacheSOCache" id="AuthnCacheSOCache">AuthnCacheSOCache</a> <a name="authncachesocache" id="authncachesocache">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Select socache backend provider to use</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheSOCache <var>provider-name[:provider-args]</var></code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>None</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr>
<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Optional provider arguments are available in
Apache HTTP Server 2.4.7 and later</td></tr>
    <p>This is a server-wide setting to select a provider for the
    <a href="../socache.html">shared object cache</a>, followed by
    optional arguments for that provider.
    Some possible values for <var>provider-name</var> are "dbm", "dc",
    "memcache", or "shmcb", each subject to the appropriate module
    being loaded.  If not set, your platform's default will be used.</p>

<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="AuthnCacheTimeout" id="AuthnCacheTimeout">AuthnCacheTimeout</a> <a name="authncachetimeout" id="authncachetimeout">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set a timeout for cache entries</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheTimeout <var>timeout</var> (seconds)</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>300 (5 minutes)</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr>
    <p>Cacheing authentication data can be a security issue, though short-term
    cacheing is unlikely to be a problem.  Typically a good solution is to
    cache credentials for as long as it takes to relieve the load on a
    backend, but no longer, though if changes to your users and passwords
    are infrequent then a longer timeout may suit you.  The default 300
    seconds (5 minutes) is both cautious and ample to keep the load
    on a backend such as dbd (SQL database queries) down.</p>
    <p>This should not be confused with session timeout, which is an
    entirely separate issue.  However, you may wish to check your
    session-management software for whether cached credentials can
    "accidentally" extend a session, and bear it in mind when setting
    your timeout.</p>

<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_authn_socache.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/mod/mod_authn_socache.html" hreflang="fr" rel="alternate" title="Franais">&nbsp;fr&nbsp;</a></p>
</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="">mailing lists</a>.</div>
<script type="text/javascript"><!--//--><![CDATA[//><!--
var comments_shortname = 'httpd';
var comments_identifier = '';
(function(w, d) {
    if (w.location.hostname.toLowerCase() == "") {
        d.write('<div id="comments_thread"><\/div>');
        var s = d.createElement('script');
        s.type = 'text/javascript';
        s.async = true;
        s.src = '' + comments_shortname + '&page=' + comments_identifier;
        (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
    else { 
        d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
})(window, document);
//--><!]]></script></div><div id="footer">
<p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="">Apache License, Version 2.0</a>.</p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
if (typeof(prettyPrint) !== 'undefined') {