Tool-BarfreeBSD ArticlesSearch Our SiteHOMEfreeBSD LinksContribute to FreeBSD HelpFreeBSD FilesFreeBSD Script Corner

Authorization and Apache

DISCLAIMER: This HOW-TO deals with a security issue, and therefore it comes in the flavor of "AS IS". If you choose to follow along, you're doing so at your own risk. 

Ever visit a site where certain sections were only available to memebers? This is a very useful feature built right into Apache server that allows an admin to "lock" certain sections of a site out and have only certain people access it by means of implementing usernames and passwords. This How-To is a "generic" way to lock out directories, please keep this in mind. Read up about the different options available to you in the docs @

Apache handles the process with two files: .htaccess and .htpasswd. Also, there is a program needed to generate the .htpasswd file called htpasswd. This is typically located in /usr/local/bin/htpasswd, as per the stock installation of Apache.

Let's get started...

cd /dir/that/you/want/to/secure

vi .htaccess

-=- Example of .htaccess for basic authorization -=-

AuthName "Private Section" ||| <<<< --- change this to meet your needs
AuthType Basic
AuthUserFile /directory/you/want/to/protect/or/a/dir/outside/.htpasswd
require valid-user

-=- EOF -=-

Now save your changes and exit VI.

Now you have to generate the passwords for the users you'll be allowing into this particular section of the site. First we use the -c switch to create the .htpasswd, in subsequent additions of users, the -c switch isn't used...

# htpasswd -c /directory/you/want/to/protect/or/a/dir/outside/.htpasswd <<username>>

At this point it should prompt you for a password for this username...enter it accordingly.

*** Note *** I had some difficulty with the default encryption used for generating the passwords, I think it was to do with DES, I'm not sure. Forcing MD5 encryption worked. If you're experiencing some problems where the usernames/passwords aren't being accepted when you're testing afterwards, you might want to give MD5 a try by using the -m switch with htpasswd. ***

Also, for a mission-critical applications, it's good practice to move the .htpasswd file OUTSIDE of the directory you're protecting... somewhere else, far far away =).  This way it's a bit more secure.

Now that you've generated the password file, it's time to make some changes to the directory in question within the Apache httpd.conf file. For this you should stop Apache (./apachectl stop).

vi httpd.conf ((wherever you have it located))

<Directory "/directory/you're/protecting">
  Options FollowSymLinks
  AllowOverride AuthConfig
  Order allow,deny
  Allow from all

Add the above in where the <Directory> tags are being addressed. You should now be ready to go, restart Apache (./apachectl start) and enjoy.

By: s0kett

© 1997 - 20013 Defcon1, , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of and the content's original author.

Tool-Bar-2Defcon1  Webmail