Password Protecting Web Pages with Apache
by Cory Rauch 2007-05-07 Category: Web-Security

When you want to limit access to web pages, Apache offers password protection. In this article we are going to describe how to use this feature. The system we are going to describe uses a text file, similar to the passwd file in the /etc directory, to store usernames and encrypted passwords. When a user accesses a password-protected page, they are prompted for a username and password. When Apache receives this information, it compares the stored encrypted password with an encrypted version of the password supplied by the user. If the two match, the user is allowed access.

Requirements

To use this feature you need the following installed and running:

  • Apache Web Server Software
  • mod_auth
  • htpasswd (Included with Apache)

Because this affects only the directory you are working in, any user with write permission to that web directory can run the 'htpasswd' program and set it up. So you basically need write permission to the web directory you would like to password protect.

Configuring

The basic steps to password protecting a web directory are: edit the '.htaccess' file so it points to the password file, run 'htpasswd' to create the username/password file, and add user accounts to it with 'htpasswd'. All web files in that directory are then password protected.

To do this, first edit the local '.htaccess' file in the directory you would like to password protect (create a new plain text file if none exists). Then include the following in this file:

AuthName "Password Protected"
AuthType Basic
AuthUserFile /some/path/.htpasswd
Require valid-user

Next, create a password file by running 'htpasswd'. The password file can be located anywhere Apache can read it, and I recommend that you store it in a non-web directory, such as your home directory. To create a username/password file (usually called '.htpasswd') type the following:

# htpasswd -cm .htpasswd username

This will create the new password file and add a user account to it.

You should now have password protection enabled.
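To make the check described at the start of the article concrete, here is an added example (not code from the article or from Apache) that re-implements what Apache does with an '.htpasswd' entry: it parses the 'user:hash' lines, recomputes the hash of the supplied password using the salt stored in the entry, and compares the result. It covers the two schemes 'htpasswd' writes with '-m' (APR1 MD5, the '$apr1$' prefix) and '-s' ({SHA}, base64 SHA-1). The usernames, passwords and the salt 'Z8QwSmOb' are constructed for the example; the file contents are generated by the code itself so they correspond to what 'htpasswd -m' and 'htpasswd -s' would produce for those inputs.

```python
"""Added example: how an .htpasswd entry is verified (APR1 MD5 and {SHA} schemes)."""
import base64
import hashlib
import hmac

# Alphabet used by md5crypt-style encoders (same order as the C itoa64 table).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` six-bit digits of `value`, least-significant digit first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt):
    """APR1-MD5: FreeBSD md5crypt with the '$apr1$' magic, as htpasswd -m writes it."""
    pw = password.encode()
    salt = salt[:8]                      # the salt is at most 8 characters
    sb = salt.encode()
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):    # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)                          # one byte per bit of len(pw): NUL or pw[0]
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for r in range(1000):                # stretching rounds to slow offline guessing
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    # md5crypt's fixed byte permutation, then 22 characters of output
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"$apr1${salt}${enc}"


def sha_hash(password):
    """{SHA} scheme (htpasswd -s): base64 of the raw SHA-1 digest, unsalted."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def verify_entry(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    if stored.startswith("$apr1$"):
        candidate = apr1_hash(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = sha_hash(password)
    else:
        return False                     # crypt(3)/bcrypt entries are not modelled here
    return hmac.compare_digest(candidate.encode(), stored.encode())


def parse_htpasswd(text):
    """Map username -> stored hash. One 'user:hash' per line; blank lines skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, _, rest = line.partition(":")
        users[user] = rest.split(":", 1)[0]   # ignore anything after a second colon
    return users


def check_credentials(htpasswd_text, username, password):
    """The Basic-auth decision: unknown user or wrong password both deny."""
    stored = parse_htpasswd(htpasswd_text).get(username)
    return stored is not None and verify_entry(stored, password)


def make_sample_file():
    """Constructed sample .htpasswd; salt and passwords are made up for this example."""
    return "\n".join([
        "alice:" + apr1_hash("correct horse", "Z8QwSmOb"),
        "bob:" + sha_hash("battery staple"),
    ]) + "\n"


if __name__ == "__main__":
    sample = make_sample_file()
    print(sample, end="")
    print("alice/correct horse ->", check_credentials(sample, "alice", "correct horse"))
    print("alice/wrong         ->", check_credentials(sample, "alice", "wrong"))
```

Two details worth noticing: the '$apr1$' entry carries its own salt, so two users with the same password get different entries, while the '{SHA}' scheme is unsalted and the same password always yields the same string; and the comparison is done with a constant-time compare rather than '==', so the check does not leak how many leading characters matched.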

NOTE: If you want to store the password file in a web directory make sure you deny access to it by specifying the following in your httpd.conf file:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

This will deny access to all files whose names start with '.ht' (which includes '.htaccess' itself), so make sure you prefix your password file with '.ht'.

Managing Users

This section covers managing users and groups.

To add additional users simply type:

# htpasswd -m .htpasswd username

To delete a user, simply edit the password file and remove the line corresponding to the user you want to delete.

Let's say you want to limit access to one user or a few users. To accomplish this, include the following in your '.htaccess' file:

AuthName "Password Protected"
AuthType Basic
AuthUserFile /some/path/.htpasswd
AuthGroupFile /some/path/groupfile
Require user user1
Require user user2

This will allow user1 and user2 access to this web directory.

When you have a large set of users who need different access rights, grouping users is a very handy way of managing this. To do so, first create a group file like the one below:

Example groupfile:

techs: user1 user2 user3
suits: user4 user5 user6

Then include the 'AuthGroupFile' directive in your '.htaccess' file, as in the example below:

AuthName "Password Protected"
AuthType Basic
AuthUserFile /some/path/.htpasswd
AuthGroupFile /some/path/groupfile
Require group techs

Finally, adjust the 'Require' line to match the access rights you want. In the example above we gave the 'techs' group access.
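The following added example (not code from the article or from Apache) models the authorization step that follows a successful password check: it parses a group file in the format shown above, pulls the 'Require' lines out of '.htaccess' text, and decides whether an authenticated user is admitted. It assumes the semantics the article relies on, where several 'Require' lines are alternatives (any one satisfied grants access) and a 'Require group' naming a group that is absent from the file admits nobody. The group file and '.htaccess' snippets are the article's examples, embedded as constructed sample input.

```python
"""Added example: turning a group file and Require lines into an allow/deny decision."""

# Constructed sample input, copied from the article's examples.
GROUPFILE = """\
techs: user1 user2 user3
suits: user4 user5 user6
"""

HTACCESS_TECHS = """\
AuthName "Password Protected"
AuthType Basic
AuthUserFile /some/path/.htpasswd
AuthGroupFile /some/path/groupfile
Require group techs
"""


def parse_group_file(text):
    """Group file format: 'groupname: user1 user2 ...', one group per line."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"group file line {lineno}: expected 'group: members', got {line!r}")
        # a group listed twice accumulates members rather than being replaced
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def parse_require_lines(htaccess_text):
    """Return the argument lists of every Require directive, in file order."""
    requires = []
    for line in htaccess_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "require" and len(parts) > 1:
            requires.append(parts[1:])
    return requires


def is_authorized(user, requires, groups):
    """True if any Require line admits the already-authenticated user.

    Usernames and group names are compared case-sensitively, as they are
    strings the administrator chose; only the directive keyword is folded.
    """
    for req in requires:
        kind, args = req[0].lower(), req[1:]
        if kind == "valid-user":
            return True
        if kind == "user" and user in args:
            return True
        if kind == "group" and any(user in groups.get(g, set()) for g in args):
            return True
    return False


def decide(htaccess_text, groupfile_text, user):
    """Full authorization decision for one request: parse both files, then evaluate."""
    groups = parse_group_file(groupfile_text)
    requires = parse_require_lines(htaccess_text)
    return is_authorized(user, requires, groups)


if __name__ == "__main__":
    for u in ("user2", "user4", "nobody"):
        print(f"{u}: {'allowed' if decide(HTACCESS_TECHS, GROUPFILE, u) else 'denied'}")
```

Note that this is a decision on an authenticated username only: a user who is in 'techs' but has no entry in the '.htpasswd' file never reaches this step, and a user who is in the password file but in no matching group is authenticated yet still denied.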

Conclusion

Apache's password protection feature can be a handy way of limiting access to web pages. Please check back for our next technical article.
