DISCLAIMER: This HOW-TO deals with a security issue, and therefore
it comes in the flavor of "AS IS". If you choose to follow along, you're doing
so at your own risk.
-------------------------------------------------------------------------------------
Ever visit a site where certain sections were only available to members? This is a very useful feature built right into the Apache server that allows
an admin to "lock" certain sections of a site and have only certain people access them by means of usernames and passwords.
This How-To is a "generic" way to lock out directories, please keep this in mind. Read up about the different options available to you in the docs at www.apache.org.
Apache handles the process with two files: .htaccess and .htpasswd. Also, there is a program needed to generate the .htpasswd file, called htpasswd. This is typically located in /usr/local/bin/htpasswd, as per the stock installation of Apache.
Let's get started...
cd /dir/that/you/want/to/secure
vi .htaccess
-=- Example of .htaccess for basic authorization -=-
# Change "Private Section" to meet your needs; it's the realm name the browser shows in its login prompt.
# (Apache only allows comments on their own line, not after a directive.)
AuthName "Private Section"
AuthType Basic
AuthUserFile /directory/you/want/to/protect/or/a/dir/outside/.htpasswd
require valid-user
-=- EOF -=-
Now save your changes and exit VI.
Now you have to generate the passwords for the users you'll be allowing into this particular section of the site. First we use the -c switch to create the .htpasswd file; for subsequent
additions of users, the -c switch isn't used, because -c creates the file from scratch and would wipe out the users already in it...
# htpasswd -c /directory/you/want/to/protect/or/a/dir/outside/.htpasswd <<username>>
At this point it should prompt you for a password for this username (twice, to confirm)...enter it accordingly.
*** Note *** I had some difficulty with the default encryption used for generating the passwords; I think it had to do with DES, I'm not
sure. Forcing MD5 encryption worked. If you're experiencing some problems where the usernames/passwords aren't being accepted when you're testing afterwards, you might want to give MD5 a try by using the -m switch with htpasswd. ***
Also, for mission-critical applications, it's good practice to move the .htpasswd file OUTSIDE of the directory you're protecting, and outside the DocumentRoot entirely... somewhere else, far far away =). This way a misconfiguration can't end up serving the password file itself to visitors. AuthUserFile takes a full path, so it can point anywhere on the filesystem that Apache can read.
Now that you've generated the password file, it's time to make some changes to the directory in question within the Apache httpd.conf file. For this you should stop Apache (./apachectl stop).
vi httpd.conf ((wherever you have it located))
<Directory "/directory/you're/protecting">
Options FollowSymLinks
# AuthConfig is what lets the .htaccess in this directory use the Auth* and require directives
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
Add the above in where the other <Directory> blocks are being addressed. This step is what actually turns the protection on: if AllowOverride is None, Apache never reads the .htaccess file and the directory stays wide open, and if it's set but doesn't include AuthConfig, the Auth* directives are refused and you get a server error instead. You should now be ready to go, restart Apache (./apachectl start), then load the directory in a browser and confirm that you get a login prompt and that a wrong password is refused. Keep in mind that Basic authentication sends the username and password base64-encoded (not encrypted) with every request, so if the accounts matter, serve the protected section over SSL. Enjoy.
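As an added example (not code from the article, and not Apache's own), here is the machinery behind the htpasswd step and the login prompt, in pure Python: it reimplements the $apr1$ entry that htpasswd -m writes and the {SHA} entry that htpasswd -s writes, verifies a password against a constructed .htpasswd, and decodes the Authorization header a browser sends, which is base64, not encryption. The user names, passwords and salt are made up for the demo, and the function names are mine. It's handy for checking an existing .htpasswd offline, or for seeing why the -m entries look the way they do.

```python
"""Apache htpasswd entries and HTTP Basic auth in pure Python (added example,
not from the original article). Reproduces the $apr1$ (htpasswd -m) and
{SHA} (htpasswd -s) formats and decodes the Authorization header."""
import base64
import hashlib
import hmac
import os

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt(3)-style base-64 (its own alphabet, not RFC 4648)."""
    out = ""
    for _ in range(count):
        out += _ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_md5(password, salt=None):
    """'$apr1$salt$hash' as written by 'htpasswd -m': apr_md5_encode(), a
    salted, 1000-round MD5 construction. A one-way hash, not encryption."""
    if salt is None:                       # fresh 8-char salt, as htpasswd does
        salt = "".join(_ITOA64[b & 0x3F] for b in os.urandom(8))
    salt = salt[:8]
    pw, sl = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(n, 16)])
    n = len(pw)
    while n:                               # one byte per bit of len(password)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                  # stretching loop, APR's exact order
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            r.update(sl)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    f = final                              # APR's byte-shuffled output order
    encoded = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in
                      ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$apr1$" + salt + "$" + encoded + _to64(f[11], 2)

def sha1_htpasswd(password):
    """'{SHA}' entry as written by 'htpasswd -s': unsalted SHA-1, base64."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def verify(stored, password):
    """Check a password against one stored entry ($apr1$ and {SHA} only;
    crypt(3) DES or other formats are refused rather than guessed at)."""
    if stored.startswith("$apr1$"):
        candidate = apr1_md5(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = sha1_htpasswd(password)
    else:
        return False
    return hmac.compare_digest(candidate, stored)

def parse_htpasswd(text):
    """.htpasswd content (one 'user:hash' per line) -> {user: hash}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def basic_header(user, password):
    """The Authorization header a browser sends after the login prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """(user, password) from a Basic header, or None. Base64 is not encryption:
    anyone who can see the request can read the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        creds = base64.b64decode(token).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = creds.partition(":")
    return user, password

def check_basic_auth(header, users):
    """What 'require valid-user' amounts to: username if the credentials verify."""
    creds = decode_basic(header)
    if creds is None or creds[0] not in users:
        return None
    return creds[0] if verify(users[creds[0]], creds[1]) else None

# Constructed sample .htpasswd with two users; the $apr1$ line is generated
# here because the salt is per entry, exactly as 'htpasswd -c/-m' would do.
SAMPLE_HTPASSWD = ("alice:" + apr1_md5("correct horse", "fbsdsalt") + "\n"
                   + "bob:" + sha1_htpasswd("hunter2") + "\n")

if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    hdr = basic_header("alice", "correct horse")
    print(SAMPLE_HTPASSWD, hdr, "->", decode_basic(hdr))   # readable on the wire
    print("alice:", check_basic_auth(hdr, users))
    print("bad pw:", check_basic_auth(basic_header("alice", "wrong"), users))
```

The hashing in .htpasswd protects the passwords at rest on the server; decode_basic shows that it does nothing for the copy travelling in each request, which is why the SSL caveat above matters.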
Authorization and Apache
By: s0kett
This site cannot be duplicated without permission
© 1998 - 2008 Defcon1, www.defcon1.org. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.