By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001
Often most users simply want to secure access to a certain set of directories or files on their website. Fortunately most web servers provide this capability with reasonably easy to use tools.
9.1 Apache based
Apache supports a wide variety of authentication methods, several of which can be considered "standard" and are typically included in vendor packages of Apache. You can assign security to files and directories with Apache, the configuration for this is either done in the central httpd.conf file or in the defined "AccessFileName". For example to make ".htaccess" files your access file you would add the following to httpd.conf:
AccessFileName .htaccess
And in order to prevent people from downloading these files you would add the following to your httpd.conf:
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
This means that any file starting with ".ht" (i.e. .htaccess, .htpasswd, .htgroup, .htfoobar) will not be sent if a client requests it.
You will then need to configure Apache to allow for specific features, using the "AllowOverride" directive within a "<Directory>" configuration section. Typically the safest thing to do is define a "<Directory />" that disables everything and then enable features as needed on a per directory basis. For example, to allow .htaccess files in /var/www/secure-area:
<Directory /var/www/>
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
If your .htaccess file does not work even though "AccessFileName" is defined, a missing or too restrictive "AllowOverride" is probably the problem.
To enable password authentication you minimally need to create a .htaccess file and a password file. You can also use a groups file, which lets you keep one large centralized password file and still give multiple directories different access requirements. Into your .htaccess file you will need to put an AuthUserFile directive (the password file), an AuthName directive (the name of this restricted area), the AuthType (i.e. Basic or Digest; typically Basic is used), and a require directive (i.e. what conditions someone must meet to gain access). You can also optionally place an Order directive if you need to create a more complex access requirement (more on this later).
To create a basic password file for Apache you use the "htpasswd" command. The basic options are "-c" to create a new file, and "-m", "-d" and "-s" to specify the hashing method (MD5, Crypt and SHA1 respectively). You can also use "-b" to supply the password on the command line instead of entering it when prompted; this is useful for importing large numbers of users. So to create a basic .htpassword file you would run:
[[email protected] www]$ htpasswd -c .htpassword joesmith
New password:
Re-type new password:
Adding password for user joesmith
Using the password "test" and the default encryption method of Crypt we would end up with a .htpassword file that looks like:
joesmith:Dw0yWEhkXNT/U
So, to password protect a directory using the file ".htpasswd" as the password file, you would minimally need:
AuthUserFile .htpasswd
AuthName example01
AuthType Basic
require valid-user
So when someone tries to access the directory the .htaccess file is placed in, they will be prompted for a username and password; they would need to enter the username "joesmith" and the password "test" to gain access.
The next step would be to use the groups capability. This is useful if you have several directories you want to protect with a variety of different policies, e.g. the group "sales" has access to the sales directory, and the group "marketing" has access to the marketing directory.
In the directory "/wwwroot/sales/" you would place an .htaccess file with the following:
AuthUserFile /wwwroot/.htpassword
AuthGroupFile /wwwroot/.htgroup
AuthName sales-area
AuthType Basic
require group sales
In the directory "/wwwroot/marketing/" you would place an .htaccess file with the following:
AuthUserFile /wwwroot/.htpassword
AuthGroupFile /wwwroot/.htgroup
AuthName marketing-area
AuthType Basic
require group marketing
You would then need to add users to the /wwwroot/.htpassword file, for example:
janedoe:BBQ3KOR1fNBDU
bobmarley:PpP/7iZvLWJiw
joesmith:BRJ3YT11fYbcs
sysadmin:BvQpL.pb1xH0w
And the groups file would look like:
sales: janedoe bobmarley sysadmin
marketing: joesmith sysadmin
Note that a user can belong to multiple groups. In this case the users "janedoe", "bobmarley" and "sysadmin" would be allowed into sales, and the users "joesmith" and "sysadmin" would be allowed into marketing.
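To make the authentication and group checks above concrete, here is an added example (not part of the original article) that evaluates an Apache-style Basic auth decision against a flat password file and group file. It covers both the single-directory "require valid-user" case and the "require group" case. The password file it builds is constructed inline with the "{SHA}" entry format that "htpasswd -s" writes (base64 of the SHA1 digest), because the crypt() format shown in the article needs the system crypt(3) call; the group file uses Apache's space-separated member format. The user and group names are the ones from the article, the passwords are made up for the example.

```python
"""Evaluate Apache-style Basic auth decisions against flat .htpasswd / .htgroup files.

Added example: not code from the original article or from Apache itself.
"""
import base64
import hashlib
import hmac


def sha_hash(password: str) -> str:
    """Produce the '{SHA}' entry that 'htpasswd -s' writes: base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash. Lines are 'user:hash'; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user.strip()] = stored.strip()
    return users


def parse_htgroup(text: str) -> dict:
    """Map group -> set of members. Apache's format is 'group: user1 user2 ...'."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, _, members = line.partition(":")
        groups[group.strip()] = set(members.split())
    return groups


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate password against a '{SHA}' entry, comparing in constant time."""
    if not stored.startswith("{SHA}"):
        return False  # crypt()/MD5 entries are outside the scope of this example
    return hmac.compare_digest(stored, sha_hash(password))


def authorize(user: str, password: str, requires: list, users: dict, groups: dict) -> bool:
    """Authenticate the user, then apply the 'require' directives of a .htaccess file.

    As in Apache, access is granted when ANY require line is satisfied, which is why
    'require valid-user' next to 'require group sales' admits every valid user.
    """
    stored = users.get(user)
    if stored is None or not verify_password(stored, password):
        return False
    for req in requires:
        parts = req.split()
        if parts == ["valid-user"]:
            return True
        if parts and parts[0] == "user" and user in parts[1:]:
            return True
        if parts and parts[0] == "group" and any(user in groups.get(g, set()) for g in parts[1:]):
            return True
    return False


# Constructed sample files (passwords chosen for the example, not taken from the article).
HTPASSWD = "\n".join(
    f"{u}:{sha_hash(p)}"
    for u, p in [("janedoe", "test"), ("bobmarley", "reggae"),
                 ("joesmith", "test"), ("sysadmin", "s3cret")]
)
HTGROUP = "sales: janedoe bobmarley sysadmin\nmarketing: joesmith sysadmin\n"
USERS = parse_htpasswd(HTPASSWD)
GROUPS = parse_htgroup(HTGROUP)

if __name__ == "__main__":
    # sales area: only members of "sales" get in
    print("janedoe -> sales:", authorize("janedoe", "test", ["group sales"], USERS, GROUPS))
    print("joesmith -> sales:", authorize("joesmith", "test", ["group sales"], USERS, GROUPS))
    # pitfall: an extra "require valid-user" line lets any valid user into sales
    print("joesmith -> sales (with valid-user):",
          authorize("joesmith", "test", ["valid-user", "group sales"], USERS, GROUPS))
```

Run it as a script to see the three decisions, or import it and call authorize() with your own require list. The point worth remembering is in the last call: each require line is an independent way in, so a "require valid-user" left next to "require group" silently widens access to everyone in the password file.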
Flat text files such as the above examples are easy to start out with; however, if you have many users and groups they will quickly become very slow, because the file is scanned from the top on every request. To solve this problem you can use dbm files.
Please see the following URL for more on dbm authentication:
http://www.apacheweek.com/features/dbmauth
For these two authentication methods to work you should make sure that the following lines (or something similar) are in your httpd.conf file:
LoadModule auth_module modules/mod_auth.so
LoadModule anon_auth_module modules/mod_auth_anon.so
LoadModule db_auth_module modules/mod_auth_db.so
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_db.c
http://www.apacheweek.com/features/userauth
http://www.apacheweek.com/features/dbmauth
9.1.1 Apache-SSL
See main Apache section.
9.1.2 Apache mod-ssl
See main Apache section.
9.1.3 Raven
See main Apache section.
9.1.4 Red Hat Secure Server
See main Apache section.
9.1.5 Stronghold
See main Apache section.
http://www.c2.net/products/sh3/
Stronghold was purchased by Red Hat.
9.2 Netscape
To be added.
9.2.1 Netscape Enterprise
To be added.
9.3 Roxen
To be added.
9.4 Zeus
To be added.
9.5 Novell
To be added.
9.6 IBM Websphere
See main Apache section.
9.7 Volera
To be added.
9.8 Squid
To be added.