DISCLAIMER: This HOW-TO deals with a security issue, and therefore it comes in the flavor of "AS IS". If you choose to follow along, you're doing so at your own risk.
-------------------------------------------------------------------------------------
Ever visit a site where certain sections were only available to members? This is a very useful feature built right into the Apache server that allows an admin to "lock" certain sections of a site and let only certain people access them by means of usernames and passwords. This How-To is a "generic" way to lock out directories, please keep this in mind. Read up about the different options available to you in the docs @ www.apache.org.
Apache handles the process with two files: .htaccess and .htpasswd. There is also a program, called htpasswd, that is needed to generate the .htpasswd file. In a stock installation of Apache it is typically located at /usr/local/bin/htpasswd.
Let's get started...
cd /dir/that/you/want/to/secure
vi .htaccess
-=- Example of .htaccess for basic authorization -=-
# <<<< --- change the AuthName to meet your needs
AuthName "Private Section"
AuthType Basic
AuthUserFile /directory/you/want/to/protect/or/a/dir/outside/.htpasswd
require valid-user
-=- EOF -=-
Now save your changes and exit VI.
Now you have to generate the passwords for the users you'll be allowing into this particular section of the site. First we use the -c switch to create the .htpasswd file; when adding subsequent users the -c switch isn't used, since it would recreate the file and drop the users already in it...
# htpasswd -c /directory/you/want/to/protect/or/a/dir/outside/.htpasswd <<username>>
At this point it should prompt you for a password for this username... enter it accordingly.
*** Note *** I had some difficulty with the default encryption used for generating the passwords, I think it was to do with DES, I'm not sure. Forcing MD5 encryption worked. If you're experiencing some problems where the usernames/passwords aren't being accepted when you're testing afterwards, you might want to give MD5 a try by using the -m switch with htpasswd. ***
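As an added example (not part of the original HOW-TO), here is the $apr1$ scheme that htpasswd -m writes, reimplemented in Python, together with a check of a username/password pair against a constructed .htpasswd line; the user "alice", the salt and the password are made-up sample values.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # Apache's to64(): emit `count` 6-bit groups, least significant group first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password, salt=None):
    """Return the $apr1$<salt>$<hash> string that `htpasswd -m` writes."""
    if salt is None:  # htpasswd picks 8 random salt characters itself
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in len(pw) bytes of the alt digest
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # the deliberately slow 1000-round stretching loop
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(sl)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14),
                                  (3, 9, 15), (4, 10, 5)))
    return "$apr1$" + sl.decode() + "$" + out + _to64(final[11], 2)


def verify(htpasswd_text, username, password):
    """Check a username/password pair against the text of a .htpasswd file."""
    for line in htpasswd_text.splitlines():
        user, _, stored = line.partition(":")
        if user == username and stored.startswith("$apr1$"):
            salt = stored.split("$")[2]  # fields: '', 'apr1', salt, hash
            return secrets.compare_digest(apr1_md5(password, salt), stored)
    return False  # unknown user, or a hash format this example does not cover


# Constructed sample line, as `htpasswd -c -m .htpasswd alice` would write it
SAMPLE_HTPASSWD = "alice:" + apr1_md5("correct horse", "Ab3dEf9h") + "\n"
```

On a box with Apache installed you can cross-check the format against `htpasswd -nbm alice 'correct horse'`; the salt differs on every run, so compare by running verify() on its output rather than by eye.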
Also, for mission-critical applications, it's good practice to move the .htpasswd file OUTSIDE of the directory you're protecting... somewhere else, far far away =). This way it's a bit more secure, since a file that lives under the web tree is one misconfiguration away from being served to a visitor.
Now that you've generated the password file, it's time to make some changes to the directory in question within the Apache httpd.conf file. For this you should stop Apache (./apachectl stop).
vi httpd.conf ((wherever you have it located))
<Directory "/directory/you're/protecting">
    Options FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
Add the above in where the <Directory> tags are being addressed. You should now be ready to go, restart Apache (./apachectl start) and enjoy.
By: s0kett