This is a "Business License" feature only.
In a corporate or private environment, you may want to prevent public access to the iCanText application (HTML/JS files). By configuring Apache to require authentication, you ensure that only authorized personnel can load the application.
Furthermore, iCanText needs to know who is connected. Since the application runs in the browser (client-side), it cannot directly see the server-side authentication variables.
We solve this using an Identity Bridge configuration in .htaccess:
1. Apache authenticates the user and sets REMOTE_USER upon success.
2. A header X-Remote-User containing the login is injected into responses.
3. The application requests ./whoami to read this header.
Regardless of the authentication method chosen (File, LDAP, Kerberos...), the mechanism to transmit the identity to the application remains the same.
Add the following block to the .htaccess file located at the root of your application (e.g., https://your-domain.com/.htaccess). This requires Apache 2.4+ with mod_headers and mod_rewrite enabled.
File: .htaccess (Core Logic)
RewriteEngine On
# =========================================================
# A. IDENTITY TRANSMISSION LOGIC
# =========================================================
# 1. Take the authenticated user (REMOTE_USER) and put it
# into a custom HTTP header "X-Remote-User".
# "always" ensures the header is sent even on redirects/errors.
# Note: This syntax requires Apache 2.4.10 or later.
# Drop any X-Remote-User header supplied by the client on the request.
RequestHeader unset X-Remote-User
Header always set X-Remote-User "expr=%{REMOTE_USER}"
# =========================================================
# B. THE "WHOAMI" ENDPOINT
# =========================================================
# 2. When the JS application requests "./whoami", Apache
# intercepts it and returns a simple "204 No Content".
# Because of the rule above, this 204 response will
# contain the X-Remote-User header.
RewriteRule ^whoami$ - [R=204,L]
# =========================================================
# C. AUTHENTICATION BLOCKS (See Step 2 below)
# =========================================================
# Paste your chosen authentication method here...
Select one of the methods below and append the code to your .htaccess file.
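Best for small teams or personal servers. You manage a file containing usernames and hashed passwords.
Prerequisite: Generate the file using htpasswd -c /path/to/.htpasswd username (-c creates the file; omit it when adding further users). The path must match the AuthUserFile value below.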
# --- Basic File Authentication ---
AuthType Basic
AuthName "iCanText Private Access"
AuthUserFile /var/www/private/.htpasswd
Require valid-user
Ideal for corporate environments. Apache verifies credentials against a Domain Controller or LDAP server. Requires mod_authnz_ldap.
# --- Active Directory Authentication ---
AuthType Basic
AuthName "Corporate Login"
AuthBasicProvider ldap
# Configure the LDAP connection URL
# Syntax: ldap://host:port/basedn?attribute?scope?filter
# ldap:// on port 389 is unencrypted; use ldaps:// where the directory supports it.
AuthLDAPURL "ldap://dc01.corp.local:389/DC=corp,DC=local?sAMAccountName?sub?(objectClass=user)"
# Account used to search the directory (Bind DN)
# Use a dedicated read-only account: its password is stored in clear text in this file.
AuthLDAPBindDN "CN=ApacheAuth,CN=Users,DC=corp,DC=local"
AuthLDAPBindPassword "secret_password"
Require valid-user
Provides transparent Single Sign-On (no password prompt) for Windows/Linux domain-joined clients. Requires mod_auth_gssapi (recommended) or mod_auth_kerb.
Note: Kerberos often requires server-level configuration (Keytabs) that might not be accessible on shared hosting. Ensure you have the keytab file accessible to Apache.
# --- Kerberos SSO Authentication ---
AuthType GSSAPI
AuthName "Corporate SSO"
# Also accept Basic auth (password checked via Kerberos) from clients that cannot negotiate
GssapiBasicAuth On
GssapiCredStore keytab:/etc/apache2/krb5.keytab
Require valid-user
Once configured, any request to your domain should trigger an authentication prompt (unless using SSO).
To verify that the application can identify you, use the browser's Developer Tools (Network tab) or a command line tool to request the whoami endpoint. You should receive a 204 No Content status and the X-Remote-User header.
# Example using curl (replace user:pass with your credentials)
curl -I -u alice:secret https://your-domain.com/whoami
# Expected Output:
HTTP/1.1 204 No Content
Date: Mon, 01 Jan 2024 12:00:00 GMT
Server: Apache
X-Remote-User: alice  <-- This is what iCanText reads
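The client side of the bridge, as an added example (not iCanText's own code): a reader for the whoami response that separates a valid login from the failure cases a misconfigured .htaccess produces. The LOGIN_RE pattern, the reason strings, the helper names and the sample responses are assumptions made for this example.

```javascript
// Added example: browser-side reader for the ./whoami identity bridge.
// Assumption: logins look like "alice" or "alice@CORP.LOCAL".
const LOGIN_RE = /^[A-Za-z0-9._-]{1,64}(@[A-Za-z0-9.-]{1,255})?$/;

// Interpret a whoami response; `res` needs only `status` and `headers.get()`.
function identityFromResponse(res) {
  if (res.status === 401) {
    return { ok: false, reason: "unauthenticated" };
  }
  if (res.status !== 204) {
    // 200 with HTML, 404, ...: the whoami RewriteRule is not active.
    return { ok: false, reason: "endpoint-misconfigured" };
  }
  const raw = (res.headers.get("X-Remote-User") || "").trim();
  if (raw === "") {
    // 204 without a login: no authentication block covered this request.
    return { ok: false, reason: "no-identity" };
  }
  if (!LOGIN_RE.test(raw)) {
    // Refuse anything that is not a plain login before it reaches the UI.
    return { ok: false, reason: "invalid-login" };
  }
  return { ok: true, user: raw };
}

// Browser usage: same-origin request that bypasses the HTTP cache.
async function whoami(fetchImpl = fetch) {
  const res = await fetchImpl("./whoami", { cache: "no-store" });
  return identityFromResponse(res);
}

// Constructed response stand-in for trying the parser outside a browser.
function fakeResponse(status, user) {
  const get = (name) =>
    name.toLowerCase() === "x-remote-user" ? user : null;
  return { status, headers: { get } };
}

// Constructed samples: Basic/LDAP login, Kerberos principal, and failures.
const SAMPLES = [
  fakeResponse(204, "alice"),
  fakeResponse(204, "alice@CORP.LOCAL"),
  fakeResponse(204, ""),
  fakeResponse(401, null),
  fakeResponse(200, null),
  fakeResponse(204, "<b>alice</b>"),
].map(identityFromResponse);
```

The returned login is an identity hint for the interface; access control stays with Apache's Require directive.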