How to restrict access to mod_cluster Manager

The mod_cluster distribution includes a manager application which can be used to inspect your cluster topology and to manage the applications deployed across the cluster. In this tutorial we will show how to protect access to the mod_cluster_manager application with a password.

In order to protect our mod_cluster_manager application we will use a standard Apache directive, AuthUserFile, which sets the name of a text file containing the list of users and password hashes used for user authentication. We will use the htpasswd utility to maintain the password file for HTTP Basic Authentication.

Let’s see a concrete example. We will create a user “admin” with password “admin”:

$ htpasswd -c /etc/modclusterpassword admin
New password: 
Re-type new password: 
Adding password for user admin

Here is the file created by htpasswd:

cat /etc/modclusterpassword 

Now let’s include a few directives into our mod_cluster_manager definition, so that a basic HTTP authentication will be requested for accessing our manager web application:

<Location /mod_cluster_manager>
   SetHandler mod_cluster-manager

   # HTTP Basic authentication against the htpasswd file created above
   AuthType Basic
   AuthName "MCM"
   AuthUserFile /etc/modclusterpassword
   Require user admin

   # Apache 2.2 access-control syntax (provided by mod_access_compat on 2.4).
   # "Allow from all" leaves the page reachable from any address, so the
   # password is the only control here.
   Order deny,allow
   Deny from all
   Allow from all
</Location>

As you can see, we are using the Apache AuthUserFile directive to specify the path to a file containing user names and password hashes for HTTP basic authentication.

Security note! Make sure that the AuthUserFile is stored outside the document tree of Apache. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.
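The following is an added example, not code from the tutorial or from the mod_cluster project: it parses an htpasswd file, verifies a password the way Apache does for {SHA} entries (the format `htpasswd -s` writes; apr1/bcrypt entries are rejected rather than silently accepted), and enforces the security note above by checking that the AuthUserFile does not resolve to a location under DocumentRoot. The sample file content and all paths are constructed for the example.

```python
import base64
import hashlib
import hmac
import os


def sha_entry(user, password):
    """Build a line in the form `htpasswd -s` writes: user:{SHA}base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed sample, equivalent to the tutorial's admin/admin file had it
# been created with the -s option.
SAMPLE_HTPASSWD = sha_entry("admin", "admin") + "\n"


def parse_htpasswd(text):
    """Map user -> stored hash, skipping blank, comment and malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def verify_password(entries, user, password):
    """True only when the user exists and the password matches its {SHA} hash."""
    stored = entries.get(user)
    if stored is None:
        return False
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} entries are handled in this example")
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def outside_document_root(auth_file, document_root):
    """The AuthUserFile must not live under DocumentRoot, or Apache could
    serve it to clients. Symlinks and '..' components are resolved first."""
    auth = os.path.realpath(auth_file)
    root = os.path.realpath(document_root)
    return os.path.commonpath([auth, root]) != root


def world_readable(mode):
    """True if a file mode grants read access to 'other' (e.g. 0o644)."""
    return bool(mode & 0o004)
```

Run `outside_document_root("/etc/modclusterpassword", "/var/www/html")` against your own DocumentRoot to confirm the placement, and keep the file mode at 0o640 owned by root and the Apache group so `world_readable` returns False.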

Now restart the Apache web server and try to access the mod_cluster_manager application:


As you can see, the Apache web server now prompts for Basic authentication.

Finally, keep in mind that HTTP Basic authentication on its own is not a secure method of protecting web applications: the credentials are only Base64-encoded in every request, so at a minimum the manager should be reached over HTTPS. It is recommended to use more secure authentication methods, such as OAuth or SSH certificates, whenever possible.