Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 
  • Basic Authentication with Apache

    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 506
    Comment on it

    Sometimes we have some sensitive information on our website or an information which is intended for only a small group of people, we need a way to authenticate the users visiting that particular information.
    Authentication is any process by which you verify that someone is who they claim they are. Apache provides two modules for two types of Authentication namely, mod_auth_basic and mod_auth_digest. In this article, we will discuss about basic authentication only. The directives discussed below will need to be either in a section of the main server configuration file or in a .htaccess file(also known as directory specific configuration file).
    If we plans to use .htaccess file, we will need to have a server configuration that permits putting authentication directives in these files. For authentication, we will need an AllowOverride directive like the following :

    AllowOverride AuthConfig 

    Or, if the case is of main server configuration file, we will need to have write permission to that file.
    The basic requirement for basic authentication is to create a password file. This file should not be accessible from the web so that users can not download the file. Apache comes with a utility named as htpasswd which can be used to create the password file. It is located on the bin directory of the Apache installation. To make an entry in the password file, we need to type in the following command :

    htpasswd /usr/local/apache/passwd/passwords  

    htpasswd will ask for password and then to confirm it. To create a new file c option needs to be used.
    Now, we need to configure the server to request a password and authenticate the users. As discussed above, we can do this in two ways.

    In main server configuration file : Open the main server configuration file, place the following directive in section :

    <Directory /path/to/directory/to/be/secured>
    AuthType Basic
    AuthName "Authentication Required"
    # (Following line optional)
    AuthBasicProvider file
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
    </Directory>
    

    The lines to focus on are AuthType, AuthName, AuthUserFile, and !Require.

    • AuthType tells Apache what type of authentication to use. In our case, basic authentication.
    • AuthName is what will be displayed on the password prompt from the browser.
    • AuthUserFile is the location of your htpasswd file.
    • Require tells Apache which authenticated users will be granted access to a resource. In our case, any authenticated user will be granted access.

    In .htaccess file : Create an .htaccess file in the directory we need to protect. Add the following lines to the .htaccess file :

    AuthType Basic
    AuthName "Authentication Required"
    AuthUserFile "/etc/htpasswd/.htpasswd"
    Require valid-user
    

    Now we need to create a block in main apache config file in order to have Apache process this htaccess file.

    <Directory "/path/to/directory/to/be/secured">
      AllowOverride AuthConfig
      # The Options below is an example. Use what you deem is necessary.
      Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      Order allow,deny
      Allow from all
    </Directory>
    

    Apache needs to be restarted for changes to take effect.

 0 Comment(s)

Sign In
                           OR                           
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: