mod_auth_openpgp 0.2.1

mod_auth_openpgp is an Apache module that implements access authorization to servers, vhosts, etc.

  Add it to your Download Basket!

 Add it to your Watch List!


Rate it!
send us
an update
The Apache License 2.0 
Arturo Busleiman
ROOT \ Internet \ HTTP (WWW)
mod_auth_openpgp is an Apache module that implements access authorization to servers, vhosts, or directories when incoming requests' HTTP OpenPGP signatures are valid and known by the local keyring

Quick-Building instructions:

Edit to suit your needs/desires.
Run it: ./
Modify your Apache's configuration as needed (see below)


· I'm using gpgme 1.1.2 and libgpg-error 1.0. It also benefits from mod_access, although the X-Auth-OpenPGP header that gets added to signed requests can be checked using PHP, CGI, etc.


Turn it on for specific virtual hosts (or server globally) using the "OpenPGPEngine on" command and with mod_access directives, for example:

< VirtualHost *:80 >
ServerName localhost
ServerAdmin root@localhost
DocumentRoot "/var/www/localhost/htdocs"
Options FollowSymlinks

< ifmodule mpm_peruser_module >
ServerEnvironment apache apache
< /ifmodule >

# Turn on the OpenPGP Engine for this VirtualHost
OpenPGPEngine on

# if the X-Auth-OpenPGP header has the "true" value,
# then set the valid_signature env var to be used as
# decisive factor in the Allow sentence of mod_access.
# X-Auth-OpenPGP cannot be spoofed, as it gets resetted
# if the module has been enabled for the vhost.
# In the future, valid signed requests will also
# have a header which tells mod_access the keyid, eMail address
# and fingerprint of each user [TODO for 0.2.0]

SetEnvIf X-Auth-OpenPGP ^true valid_signature

Order Deny,Allow
Deny from all
Allow from env=valid_signature
< /directory >

< /virtualhost >

And that's it. Go grab Enigform and try it out. Of course, the 'apache' user needs a valid gpg configuration and keyring, or mod_auth_openpgp won't be able to verify signed requests.

What's New in This Release:

· A new OpenPGP Discovery method that HTTP+OpenPGP aware clients (like Firefox+Enigform) can use to test if a host supports/announces mod_auth_openpgp was added.

Last updated on June 19th, 2007

#Apache module #access authorization #vhosts authorization #mod_auth_openpgp #Apache #module #server

Add your review!