Monday, November 10, 2008

Password protect web folder

Apache authentication can be configured to require web site visitors to log in with a user id and password. This is different from adding a login form to a web page and writing your own authentication. This tutorial describes the various methods available for authentication with Apache and its configuration. Login protection is applied to the web pages stored in a directory. The login dialog box which requests the user id and password is provided by the web browser at the request of Apache. Apache allows the configuration to be entered in its configuration files (i.e. the main configuration file /etc/httpd/conf/httpd.conf, or supplementary configuration files such as /etc/httpd/conf.d/component.conf) or in a file which resides within the directory to be password protected.

Apache password file authentication:

Directory protection using .htaccess and .htpasswd

This tutorial applies to Apache based web servers. It requires:

1. Editing the server configuration file (httpd.conf) to enable/allow a directory structure on the server to be password protected. Basically the default access permission statement needs modification.
2. The creation and addition of two files specifying the actual logins and passwords (.htaccess and .htpasswd).

Use this sparingly because Apache will have to check all directories and subdirectories specified in the configuration file for the existence of the .htaccess file, adding to a server's latency.

When trying to access a file in a protected directory, the user will be presented with a window (dialog box) requesting a username and password. This protection applies to all subdirectories. Other .htaccess files in subdirectories may respecify access rules.

Apache authentication uses the modules mod_auth and mod_access.

Apache configuration file:

File: /etc/httpd/conf/httpd.conf (older systems used access.conf)

Default: This disables the processing of .htaccess files for the whole system. AllowOverride is only valid inside a <Directory> container:

<Directory />
    AllowOverride None
</Directory>

or for a specified directory (the path shown is a placeholder):

<Directory /path/to/directory>
    AllowOverride None
</Directory>

Change to, and/or specify the directory to protect:

<Directory /path/to/directory>
    AllowOverride All
</Directory>

OR (more restrictive: only the authentication directives may be overridden by .htaccess):

<Directory /path/to/directory>
    AllowOverride AuthConfig
</Directory>

AllowOverride parameters: AuthConfig FileInfo Indexes Limit Options

The name of the "distributed", user-controlled configuration file .htaccess is defined with the directive (default shown):

AccessFileName .htaccess

Password protection by a single login:

Password files:

1. Create the directory you want to password protect (example: membersonly)
2. Create a file /home/domain/public_html/membersonly/.htaccess in that directory that looks something like this:

AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
require user name-of-user


In this case the "name-of-user" is the login name you wish to use for accessing the web site.

[Pitfall] The literature is full of examples of the next method but I never got it to work.

One can use Apache directives to specify access and restriction:

AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
require user name-of-user

Also see: List of Apache directives. If an incorrect directive is used in the .htaccess file it will result in a server error (HTTP 500 Internal Server Error). Check your log files: /var/log/httpd/error_log.
The name of the access file .htaccess is specified by the httpd.conf directive AccessFileName.

3. Create the password file /home/domain/public_html/membersonly/.htpasswd using the program htpasswd:

htpasswd -c .htpasswd name-of-user

Man page: htpasswd

Example file: .htpasswd (usernames are case-sensitive, so user1, USER1 and User1 are three distinct logins):

user1:KgvCSeExtS4kM
USER1:KgvCSeExtS4kM
User1:KgvCSeExtS4kM

Flexible password protection by group access permissions:

This example differs from the previous example in that it allows for greater control and flexibility by using groups.

Password files:

1. Create a file .htgroup in that directory that contains the groupname and list of users:

member-users: user1 user2 user3 ... etc


Where member-users is the name of the group.

2. Modify .htaccess in the membersonly directory so it looks something like:

AuthName "Add your login message here."
AuthType Basic
AuthUserFile /home/domain/public_html/membersonly/.htpasswd
AuthGroupFile /home/domain/public_html/membersonly/.htgroup
require group member-users


3. Create the password file .htpasswd using the program htpasswd for each user as above. You don't need the -c option if you are using the same .htpasswd file: -c creates a new file, overwriting any existing one, so use it only for the first user.

htpasswd -c /home/domain/public_html/membersonly/.htpasswd user1
htpasswd /home/domain/public_html/membersonly/.htpasswd user2
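
The decision Apache makes with these three files, as an added example that is not part of the original post and not Apache's own code: a Python model that reads the require line of .htaccess, a .htpasswd file with entries in the $apr1$ format written by "htpasswd -m" or the {SHA} format written by "htpasswd -s", and the .htgroup file, and says whether a login is admitted. It serves both the single-user procedure and the group procedure above. The user names, passwords, salt and file contents are constructed for the example; the classic 13-character crypt(3) entries shown in the example .htpasswd file, and bcrypt entries, are not modelled and fail closed.

```python
# Added example (not from the original post): an offline model of the check
# Apache performs with the three files the tutorial creates. It reads the
# "require user ..." / "require group ..." line of .htaccess, a .htpasswd file
# with entries in the $apr1$ format written by "htpasswd -m" or the {SHA}
# format written by "htpasswd -s", and a .htgroup file, and decides whether a
# login is admitted. All file contents below are constructed sample data.
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """APR's to64(): `count` characters of 6 bits each, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_crypt(password, salt):
    """Apache's $apr1$ MD5-crypt variant (apr_md5_encode); salt is at most 8 chars."""
    pw = password.encode()
    salt = salt.split("$")[0][:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, left)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    d = ctx.digest()
    for i in range(1000):  # fixed-cost stretching loop
        r = hashlib.md5(pw if i & 1 else d)
        if i % 3:
            r.update(salt)
        if i % 7:
            r.update(pw)
        r.update(d if i & 1 else pw)
        d = r.digest()
    encoded = "".join(_to64((d[a] << 16) | (d[b] << 8) | d[c], 4)
                      for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$apr1$" + salt.decode() + "$" + encoded + _to64(d[11], 2)


def sha_entry(password):
    """htpasswd -s format: unsalted SHA-1, base64-encoded, tagged {SHA}."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def check_hash(stored, password):
    """True if password matches the stored hash; unknown schemes fail closed."""
    if stored.startswith("$apr1$"):
        candidate = apr1_crypt(password, stored[6:])
    elif stored.startswith("{SHA}"):
        candidate = sha_entry(password)
    else:
        return False  # crypt(3) and bcrypt entries are not modelled here
    return hmac.compare_digest(candidate.encode(), stored.encode())


def parse_colon_file(text):
    """'name:rest' per line -> {name: rest}; serves both .htpasswd and .htgroup."""
    result = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, rest = line.partition(":")
            result[name.strip()] = rest.strip()
    return result


def authorize(htaccess, htpasswd, htgroup, user, password):
    """Authentication (password) first, then authorization (require line), as Apache does."""
    users = parse_colon_file(htpasswd)  # usernames are case-sensitive
    if user not in users or not check_hash(users[user], password):
        return False
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "require":
            if parts[1].lower() == "user":
                return user in parts[2:]
            if parts[1].lower() == "group":
                groups = parse_colon_file(htgroup)
                return any(user in groups.get(g, "").split() for g in parts[2:])
    return False  # no usable require line: refuse


# Constructed sample files mirroring the tutorial's group example.
HTACCESS = 'AuthName "Members only"\nAuthType Basic\nrequire group member-users\n'
HTPASSWD = "user1:" + apr1_crypt("s3cret-one", "x7Qk9Lm2") + "\nuser2:" + sha_entry("s3cret-two") + "\n"
HTGROUP = "member-users: user1 user3\n"


def demo():
    """Outcome for four logins against the sample files."""
    return {
        "user1 correct": authorize(HTACCESS, HTPASSWD, HTGROUP, "user1", "s3cret-one"),
        "user2 not in group": authorize(HTACCESS, HTPASSWD, HTGROUP, "user2", "s3cret-two"),
        "user1 wrong password": authorize(HTACCESS, HTPASSWD, HTGROUP, "user1", "nope"),
        "USER1 case differs": authorize(HTACCESS, HTPASSWD, HTGROUP, "USER1", "s3cret-one"),
    }


if __name__ == "__main__":
    for case, admitted in demo().items():
        print(f"{case}: {'admitted' if admitted else 'refused'}")
```

Run it directly to print the four outcomes. Two points the model makes visible: the user name lookup is case-sensitive, and authentication (the password) and authorization (the require line) are separate steps, so user2 has a valid password yet is refused because the group file does not list that user. The {SHA} scheme is unsalted and the 13-character crypt(3) scheme truncates passwords to 8 characters, so on a current server prefer the bcrypt entries written by htpasswd -B.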

Restrict access based on domain or IP address:

Allow specified domain to access site:

Order deny,allow
Deny from all
Allow from allowable-domain.com
Allow from XXX.XXX.XXX
Deny from evil-domain.com

Specify the first three (or one, or two, ...) octets of an IP address to define the allowable network. Order takes a single argument with no space after the comma; with Order deny,allow all Deny directives are evaluated first and a matching Allow overrides them.
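
How Apache 2.2 evaluates such a block for a given client, as an added example that is not from the original post and not Apache's code: a Python model of Order / Allow from / Deny from. Hostname rules are matched against a constructed reverse-DNS table instead of a live lookup, and the client addresses and host names are documentation-range values chosen for the example.

```python
# Added example (not from the original post): an offline model of how Apache
# 2.2's mod_authz_host evaluates Order / Allow from / Deny from for one client.
# Hostname rules are matched against a constructed reverse-DNS map instead of a
# live lookup; IP rules accept the post's partial-octet form and CIDR.
import ipaddress


def _rule_matches(rule, client_ip, rdns):
    """Does one 'Allow from X' / 'Deny from X' argument match this client?"""
    if rule.lower() == "all":
        return True
    if "/" in rule:  # CIDR form, e.g. 192.0.2.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    if rule.replace(".", "").isdigit():  # full or partial IP: "192.0.2" matches 192.0.2.*
        return client_ip == rule or client_ip.startswith(rule + ".")
    host = rdns.get(client_ip, "")  # hostname rule: needs the client's reverse-DNS name
    return host == rule or host.endswith("." + rule)


def evaluate(config, client_ip, rdns):
    """Return True if the client is admitted under the given Order/Allow/Deny block."""
    order, allows, denies = "deny,allow", [], []
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = "".join(parts[1:]).lower()  # tolerates the mistyped "deny, allow"
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    allowed = any(_rule_matches(r, client_ip, rdns) for r in allows)
    denied = any(_rule_matches(r, client_ip, rdns) for r in denies)
    if order == "deny,allow":
        # Deny rules first; a matching Allow overrides them; unmatched clients are admitted.
        return allowed or not denied
    # allow,deny: an Allow must match and no Deny may match; unmatched clients are refused.
    return allowed and not denied


# Constructed test data: the post's rule block with documentation addresses filled in.
RULES = """Order deny,allow
Deny from all
Allow from allowable-domain.com
Allow from 192.0.2
Deny from evil-domain.com
"""
RDNS = {"203.0.113.5": "www.allowable-domain.com", "198.51.100.9": "mail.evil-domain.com"}


def demo():
    """Outcome per client under Order deny,allow, and under Order allow,deny for contrast."""
    clients = ["192.0.2.44", "203.0.113.5", "198.51.100.9", "192.0.3.1"]
    deny_allow = {c: evaluate(RULES, c, RDNS) for c in clients}
    allow_deny = {c: evaluate(RULES.replace("deny,allow", "allow,deny"), c, RDNS) for c in clients}
    return deny_allow, allow_deny


if __name__ == "__main__":
    for client, ok in demo()[0].items():
        print(client, "admitted" if ok else "refused")
```

The model shows two things the rule block itself does not say: once Deny from all is present, Deny from evil-domain.com adds nothing, because a client matching any Deny is admitted only if it also matches an Allow; and the same lines under Order allow,deny admit nobody, because every client matches Deny from all. Apache 2.4 replaced these directives with mod_authz_host's Require ip and Require host.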


Placing Authentication directives in httpd.conf exclusively instead of using .htaccess:

The purpose of using the "distributed configuration file" .htaccess is so that users may control authentication. It can also be set in the Apache configuration file httpd.conf WITHOUT using the .htaccess file. This can improve server performance as the server will not have to look for the .htaccess file in each subdirectory.

File: httpd.conf (portion)

...
<Directory /home/domain/public_html/membersonly>
    AllowOverride AuthConfig
    AuthName "Add your login message here."
    AuthType Basic
    AuthUserFile /home/domain/public_html/membersonly/.htpasswd
    AuthGroupFile /dev/null
    require user name-of-user
</Directory>
...

