Tuesday, 7 February 2012

Adding password controlled access to a CloudControl PHP deployment

I have recently spent some time evaluating cloud-based PHP hosting suppliers (which is another conversation entirely ... stay tuned).

One of the issues I came across, which is arguably trivial in a traditional apache/PHP environment was to add BASIC AUTH authentication to a site using .htaccess, and .htpasswd type configuration.

I will assume that anyone reading this has already mastered the art of CloudControl based deployment. This article will only cover what you need to do to make a .htpasswd based BASIC AUTH solution work.

DISCLAIMER:
BASIC AUTH is not a prefect solution for user authentication. Always prefer use of HTTPS-based connections, and implement proper authentication and authorization mechanisms in your application. CloudControl offer https based traffic as standard, e.g. https://<deployment>.<app>.cloudcontrolled.com, or https://<app>.cloudcontrolled.com if you are on the default deployment.

As I am quite new to this environment, I had to chat with their support guys (via email), but I have to say the experience was very positive. Responses where timely, and technically precise - good work guys !

So, to implement this strategy, you need to follow these steps:

  • (Maybe) Change the way you layout your deployment in the repository. In order for this process to work you need to (if you don't already do this) move the files in your staging location.repository to a sub-folder, thus allowing 'private' files, such as a .htpasswd to be securely stored.

What you might have before would look something like this:

 <repo root>
|
+-------- index.php
|
+-------- ... other stuff ...

What you need to do is move everything to a sub-folder, e.g. publc/ so the structure looks like this:

 <repo root>
|
+-------- public/
|
+-------- index.php
|
+-------- ... other stuff ...

  • Create a .ccconfig.yaml file to describe the deployment layout. A full description of how this file works can be found here: https://www.cloudcontrol.com/documentation/platform-components/config-file, but for the purposes of what we are doing here, we only need the minimal configuration as shown below. This file should be saved into the root of your staging location/repository.

BaseConfig:
WebContent: /public

Your staging location/repository should then look something like:

 <repo root>
|
+-------- public/
| |
| +-------- index.php
| |
| +-------- ... other stuff ...
|
+-------- .ccconfig

  • Create a suitable .htpasswd file. If you need help with this, there is a site that may be of use: http://www.htaccesstools.com/htpasswd-generator/. What you generate should look something like the example below when you are done. This file should be saved into the root of your staging location/repository.

test:$apr1$wk6zMZHa$Qzs5wtkncXeXlUjaBboro0


Your staging location/repository should now look something like:


 <repo root> /
|
+-------- public/
| |
| +-------- index.php
| |
| +-------- ... other stuff ...
|
+-------- .ccconfig
|
+-------- .htpasswd

  • Build a suitable .htaccess file. If you need help with this, there is a site that may be of use: http://www.htaccesstools.com/htaccess-authentication/. What you generate should look something like the example below when you are done. This file should be saved into the public sub-folder of your staging location/repository.


NB: I am assuming that you do not already have a .htaccess - if you do, then append these lines to the top of the file.

NB: Replace the depXXX xml with your deployment id. This can be found in the CloudControl console. Look under the application deployment page, and you will see a string starting with depXXX in the SFTP location that is given.

AuthType Basic
AuthName "My Protected Area"
AuthUserFile /data/local/depXXX/current/.htpasswd
Require valid-user

Your staging location/repository should now look something like this:


 <repo root> /
|
+-------- public/
| |
| +-------- .htaccess
| |
| +-------- index.php
| |
| +-------- ... other stuff ...
|
+-------- .ccconfig
|
+-------- .htpasswd


  • Deploy !! Perform your normal deployment routine from the base of your staging location/repository. Again, I am assuming you already know how to do this.

Thats it ! Worked a charm for me, and wasn't documented anywhere so I thought best to write it down before I forget ;)