
Authorization and Apache

DISCLAIMER: This HOW-TO deals with a security issue, and therefore it comes in the flavor of "AS IS". If you choose to follow along, you're doing so at your own risk. 
-------------------------------------------------------------------------------------

Ever visited a site where certain sections were only available to members? This is a feature built right into the Apache server: an admin can "lock" parts of a site and let only specific people in by means of usernames and passwords. This How-To describes a "generic" way to lock out directories, so please keep that in mind and read up on the other options available to you in the docs @ www.apache.org.

Apache handles the process with two files: .htaccess (the per-directory configuration that says "ask for a password here") and .htpasswd (the list of usernames and password hashes). You also need the htpasswd program to create and maintain the .htpasswd file. With a stock FreeBSD installation of Apache it is located in /usr/local/bin/htpasswd; run `which htpasswd` if yours lives elsewhere.

Let's get started...

cd /dir/that/you/want/to/secure

vi .htaccess

-=- Example of .htaccess for basic authorization -=-

AuthName "Private Section"        <<<< --- change this to meet your needs; it is the text shown in the browser's login prompt
AuthType Basic
AuthUserFile /directory/you/want/to/protect/or/a/dir/outside/.htpasswd
require valid-user

-=- EOF -=-

Now save your changes and exit VI.

Now you have to generate the passwords for the users you'll be allowing into this particular section of the site. The first time, use the -c switch so htpasswd creates the .htpasswd file. When adding users later, leave -c off: -c recreates the file from scratch, so running it a second time silently throws away every user you had already added.

# htpasswd -c /directory/you/want/to/protect/or/a/dir/outside/.htpasswd <<username>>

At this point it should prompt you for a password for this username...enter it accordingly.

*** Note *** I had some difficulty with the default encryption used for generating the passwords; I think it was to do with DES, I'm not sure. Forcing MD5 encryption worked. If you're experiencing problems where the usernames/passwords aren't being accepted when you test afterwards, you might want to give MD5 a try by using the -m switch with htpasswd. ***

Also, for mission-critical applications, it's good practice to keep the .htpasswd file OUTSIDE the directory you're protecting... somewhere else, far far away =). Ideally put it outside the DocumentRoot altogether, so that no misconfiguration can ever let the web server hand the file to a visitor, and make it readable by the user Apache runs as and by nobody else who doesn't need it. Even though the file only holds hashes, anyone who can read it can run a dictionary attack against them offline.

Now that you've generated the password file, it's time to tell Apache that .htaccess files in the directory in question are allowed to carry authentication directives. That is done in the Apache httpd.conf file. You can edit it while Apache is running; the change only takes effect when you restart afterwards.

vi httpd.conf   (wherever you have it located)

<Directory "/directory/you're/protecting">
  Options FollowSymLinks
  AllowOverride AuthConfig
  Order allow,deny
  Allow from all
</Directory>

Add the above where the other <Directory> blocks are. The line that actually matters here is AllowOverride AuthConfig: without it Apache silently ignores the Auth* and Require directives in .htaccess and the directory stays open to everyone. (Order allow,deny / Allow from all is the Apache 1.3 and 2.2 access-control syntax; on Apache 2.4 those two lines become Require all granted.) Check the file for typos with ./apachectl configtest, then restart Apache (./apachectl restart) and test from a browser: you should be prompted for credentials, a wrong password should come back as a 401, and requesting the .htpasswd file by URL should give you a 403 or 404 rather than its contents. Keep in mind that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so put the protected section behind HTTPS if the accounts are worth anything. Enjoy.
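To make the password-file side of the procedure above concrete, here is an added example (it is not part of this How-To, of Apache, or of the htpasswd program) that reproduces what htpasswd -m writes, the $apr1$ variant of MD5 crypt, and then does what Apache does at login time: look the user up in the file and compare the hash. It also shows an add-or-replace routine that keeps existing users, which is exactly what a second run of htpasswd -c fails to do. Verifying {SHA} entries (htpasswd -s) is included because they are just base64(sha1(password)); crypt(3) DES and bcrypt entries are deliberately not handled. The user names, passwords and the eight-character salt are made up for the illustration.

```python
"""Apache .htpasswd mechanics: create $apr1$ hashes (what `htpasswd -m` stores),
verify a login against the file, and add/replace a user without discarding the
others. Added example for this How-To; not Apache's own code. User names,
passwords and salts below are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets

# The 64-character alphabet md5crypt/apr1 uses for its output (not real base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ flavour of md5crypt: magic + salt + 1000 MD5 rounds."""
    pw = password.encode()
    sl = salt[:8].encode()          # apr1 uses at most 8 salt characters
    magic = b"$apr1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                    # mix in `alt`, one 16-byte block per 16 bytes of password
        ctx.update(alt[: min(16, n)])
        n -= 16
    i = len(pw)
    while i:                        # one byte per bit of len(pw): NUL or first password byte
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):           # the stretching loop that slows down brute force
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += to64(final[11], 2)
    return f"$apr1${sl.decode()}${enc}"


def new_salt() -> str:
    """Random 8-character salt from the apr1 alphabet, as htpasswd picks one."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def check_password(entry: str, password: str) -> bool:
    """Compare a password against one stored hash; constant-time on the final compare."""
    if entry.startswith("$apr1$"):
        salt = entry.split("$")[2]
        expected = apr1_md5(password, salt)
    elif entry.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode()).digest()
        expected = "{SHA}" + base64.b64encode(digest).decode()
    else:
        return False                # crypt(3) DES and bcrypt entries: not handled here
    return hmac.compare_digest(expected, entry)


def parse_htpasswd(text: str) -> dict:
    """user -> hash, one `user:hash` pair per line; blank lines and '#' comments skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def set_user(text: str, user: str, password: str) -> str:
    """Return the file contents with `user` added or replaced and everyone else kept.
    This is the behaviour you want from a second run; `htpasswd -c` instead truncates."""
    if ":" in user or any(ch in user for ch in "\r\n"):
        raise ValueError("user name must not contain ':' or newlines")
    kept = [l for l in text.splitlines() if l and not l.startswith(user + ":")]
    kept.append(f"{user}:{apr1_md5(password, new_salt())}")
    return "\n".join(kept) + "\n"


def authenticate(text: str, user: str, password: str) -> bool:
    """What Apache does for `Require valid-user`: look the user up, then check the hash."""
    hashed = parse_htpasswd(text).get(user)
    return hashed is not None and check_password(hashed, password)


if __name__ == "__main__":
    # Constructed sample: build a two-user file and try a good and a bad login.
    f = set_user("", "alice", "correct horse")
    f = set_user(f, "bob", "hunter2")
    print(f, end="")
    print("alice ok:", authenticate(f, "alice", "correct horse"))
    print("alice wrong:", authenticate(f, "alice", "wrong"))
```

Run it with a throwaway password file and compare the printed lines with what `htpasswd -nbm alice 'correct horse'` prints: the salt will differ, but an entry produced by one tool verifies with the other, because the file format is the contract between htpasswd and Apache, not the tool that wrote it.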



By: s0kett
 

© 1997 - 2013 Defcon1, www.defcon1.org , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.
