Tuesday, December 15, 2009

Htaccess in Linux

How to Configure Your Website Using Htaccess in Linux with Apache


Step 01: You need root privileges for this, so log in as root or use sudo or su.

Step 02: We will need to create the folder that will require authentication. Since the default document root for apache on this system is /var/www/html we will create it there, using the mkdir command.
[root@linux ~]# mkdir /var/www/html/testfolder

Restrict web page under /var/www/html/testfolder using basic authentication:

Step 03: Next we need to add the .htaccess and .htpasswd files to the protected folder. First change into the directory we wish to protect.
[root@linux ~]# cd /var/www/html/testfolder

Step 04: Next we can create the .htaccess file.
[root@linux ~]# vi .htaccess

Step 05: Press i to insert and add the following content.
AuthUserFile /var/www/html/testfolder/.htpasswd
AuthName "Authorization Required"
AuthType Basic
require user USER_NAME

N.B. Change "testfolder" to the name of your folder and change "USER_NAME" to the user name you wish to allow. The original also listed "AuthGroupFile /www.null" (a nonexistent file); with require user no group file is consulted, so that line is dropped. Keeping .htpasswd inside the web root relies on the stock httpd.conf refusing to serve files whose names begin with .ht; if you would rather not depend on that rule, store the file somewhere outside /var/www/html and point AuthUserFile at it.

Press your esc button then :wq to save your file in your vi editor.

Step 06: Next we'll create the .htpasswd file, at the path we gave in AuthUserFile. The -c switch creates the file and overwrites one that already exists, so use it only for the first user. On Apache 2.4 or later add -B to store bcrypt hashes instead of the default MD5 (or, on Apache 2.2, crypt, which truncates passwords at 8 characters).
[root@linux ~]# htpasswd -c /var/www/html/testfolder/.htpasswd USER_NAME
New password:
Re-type new password:
Adding password for user USER_NAME

Step 07: Next we will have to edit the apache httpd.conf file (on Debian-derived systems it is called apache2.conf).
[root@linux ~]# vi /etc/httpd/conf/httpd.conf

Step 08: Scroll all the way to the bottom and add the following Directory block. AllowOverride AuthConfig is what allows the Auth* directives in .htaccess to take effect; without it Apache ignores the .htaccess file and serves the folder unprotected.
#FOR MY TEST FOLDER
<Directory "/var/www/html/testfolder">
AllowOverride AuthConfig
</Directory>

Step 09: Finally save httpd.conf (press esc, then type :wq), check the configuration with apachectl configtest, and restart apache.
[root@linux ~]# service httpd restart

Step 10: To add further users, run htpasswd without the -c switch (with -c it would wipe the existing file). Give the full path to .htpasswd, or run the command from inside /var/www/html/testfolder. For example, to add the user mahbub, type
# htpasswd .htpasswd mahbub

Step 11: To delete a user, run htpasswd -D .htpasswd username, or open .htpasswd in your favorite unix editor, like vi, and delete the line for that user.

Restrict web page under /var/www/html/testfolder using Digest authentication:

Step 12: Add the following lines to the httpd.conf file. The directive names below are the Apache 2.0 names used by the original; on Apache 2.2 and later mod_auth_digest reads AuthUserFile and AuthGroupFile (with AuthDigestProvider file) instead of AuthDigestFile and AuthDigestGroupFile, and Apache 2.4 replaces Order/Deny/Allow with Require. The original block also had "Order deny,allow" and "Deny from all" with no matching Allow; because Satisfy defaults to All, that combination rejects every request no matter what credentials are supplied, so those two lines are dropped here. Make sure mod_auth_digest is loaded.
<Directory "/var/www/html/testfolder">
Options None
AllowOverride None
AuthType Digest
AuthName "Protected Area"
AuthDigestFile /usr/local/apache/conf/digest_passwd
AuthDigestGroupFile /usr/local/apache/conf/groups
Require valid-user
</Directory>

Step 13: Create a valid user. The realm argument must match AuthName exactly, because it is hashed into the stored entry, and the file should be readable only by the apache user.
# htdigest -c /usr/local/apache/conf/digest_passwd "Protected Area" username

Step 14: Check the configuration with apachectl configtest and restart the httpd service as in Step 09.

Theory of User authentication


Apache allows us to require user authentication for access to certain directories. The authentication method can be one of two types, Basic or Digest.

Basic authentication


To set up a directory that requires a user to supply a username and password we would use something like the following in our httpd.conf file:
<Directory "/var/www/htdocs/protected" >
Order deny,allow
Deny from all
Allow from 192.168.1.
AuthName "Private Information"
AuthType Basic
AuthUserFile /usr/local/apache/conf/passwd
AuthGroupFile /usr/local/apache/conf/groups
require group <group-name>
</Directory>

Firstly we have denied access to all users but those on our internal network (192.168.1.x) to the directory /var/www/htdocs/protected. To require a password we use the AuthType Basic directive. Our password file is /usr/local/apache/conf/passwd, as specified by the AuthUserFile directive and, similarly, we specify a group file. The last line require group <group-name> means that a user must be a member of <group-name> in order to be allowed access to the directory. Because Satisfy defaults to All, a client must both come from the internal network and authenticate. (On Apache 2.4 the Order/Deny/Allow directives need mod_access_compat; the native form is Require ip 192.168.1 combined with the user requirement inside a RequireAll block.)

Of course, for this to work, we must set up our password and group files. For the group file simply create a file, /usr/local/apache/conf/groups, containing the line:
group-name: user1 user2

You can specify as many groups as you wish on separate lines. List users separated by a space.

Next we create the password file with the command htpasswd -cm /usr/local/apache/conf/passwd user1. This will prompt for a password and create a user with name user1 in the file /usr/local/apache/conf/passwd. The c option will create the file if it doesn't exist (and truncate it if it does), and the m option will MD5 hash the password. The crypt and SHA1 options are also available, but crypt truncates passwords at 8 characters, SHA1 is stored unsalted, and SHA1 does not work with some Apache versions; on Apache 2.4 the B option selects bcrypt, which is the better choice. Subsequent users can be added using htpasswd -m /usr/local/apache/conf/passwd user2.

If you do not want to use groups, use require user user1 user2 to allow only those users, or require valid-user to allow anyone listed in the password file.

The disadvantage of Basic Authentication is that the credentials are sent from the client to the server on every request as base64 text, which is an encoding and not encryption, so a malicious user with access to the network can recover the password with a network traffic analyzer. Digest Authentication tries to prevent this. The usual fix today is to keep Basic Authentication but serve the directory only over HTTPS, so the header travels inside TLS.
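Added here as a worked example (it is not code from the original post), the server side of the Basic scheme from Steps 01-11 and the paragraph above, in Python: the Authorization header is parsed, the credentials are checked against a constructed htpasswd file in the {SHA} format that htpasswd -s writes, and the require user / require valid-user semantics are applied. The file contents, user names and passwords are made up for the example; the $apr1$ (-m) and bcrypt (-B) entry formats are deliberately not handled.

```python
import base64
import hashlib
import hmac

# Constructed sample htpasswd file, as "htpasswd -s" would write it for two
# users (the {SHA} format is base64(SHA-1(password)), unsalted). These are
# illustrative entries, not taken from any real server.
HTPASSWD_TEXT = "\n".join([
    "# constructed sample, not a real password file",
    "user1:{SHA}" + base64.b64encode(hashlib.sha1(b"password").digest()).decode(),
    "user2:{SHA}" + base64.b64encode(hashlib.sha1(b"s3cret!").digest()).decode(),
    "",
])


def parse_htpasswd(text):
    """Return {username: stored_hash} from htpasswd file contents."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")   # password field may contain ':'
        entries[user] = stored
    return entries


def make_basic_header(user, password):
    """What the browser sends: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode()


def decode_basic(header_value):
    """Recover (user, password) from an 'Authorization: Basic ...' value.

    This is exactly what an eavesdropper does with a captured header:
    base64 is reversible, so the clear-text password falls out.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    decoded = base64.b64decode(blob).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed credentials")
    return user, password


def check_sha(stored, password):
    """Verify a {SHA} htpasswd entry; any other format is rejected."""
    if not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode()
    # constant-time compare, so timing does not leak how many bytes matched
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def authorize(entries, header_value, require_users=None):
    """Emulate 'require valid-user' (require_users=None) or 'require user a b ...'."""
    try:
        user, password = decode_basic(header_value)
    except ValueError:          # bad scheme, bad base64 or no ':' in credentials
        return False
    stored = entries.get(user)
    if stored is None or not check_sha(stored, password):
        return False
    return require_users is None or user in require_users


if __name__ == "__main__":
    users = parse_htpasswd(HTPASSWD_TEXT)
    header = make_basic_header("user1", "password")
    print("on the wire:", header)
    print("eavesdropper sees:", decode_basic(header))
    print("require valid-user:", authorize(users, header))
    print("require user user2:", authorize(users, header, require_users={"user2"}))
```

Note that the eavesdropper function and the server's own decoding step are the same code: nothing in the Basic scheme distinguishes the legitimate recipient from anyone else who sees the header.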

Digest Authentication


In digest authentication the password itself is never transmitted across the network. Instead the server generates a nonce, a one-time random value, and sends it to the client's browser. The browser hashes the username, realm and password together (MD5 of user:realm:password, which is also what htdigest stores in the password file), combines that hash with the nonce and the request method and URI, and sends the resulting hash back to the server. The server performs the same computation from its stored hash and compares the result. This keeps the password off the wire, which is an improvement over Basic Authentication on plain HTTP, though it is not so widely used. One disadvantage of Digest Authentication is that it requires setting up a different password file for each realm on the server, as the realm name is used when creating the necessary hashes. With Basic Authentication, one password file can be used across the board. Two caveats a practitioner should keep in mind: the stored hash is password-equivalent for that realm, so the digest file must be protected as carefully as a plain-text password list; and an attacker who captures one exchange can test password guesses offline, and the scheme is MD5-based and gives the page content no confidentiality or integrity, so serving the directory over HTTPS is still the right answer.
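Added here as a worked example (not code from the original post) covering the Digest exchange described above and the Steps 12-14 setup: both sides of the RFC 2617 "auth" exchange in Python, verified against a constructed htdigest file line. It shows that the server checks the response from the stored MD5(user:realm:password) without ever seeing the password, that a realm mismatch breaks the check (why each realm needs its own file), that the stored hash alone is enough to produce a valid response, and that an eavesdropper can test guesses offline against a captured exchange. The realm name, user, password, nonce and URI are made up for the example, and Apache's nonce-expiry and nc replay checks are left out.

```python
import hashlib
import hmac
import secrets


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user, realm, password):
    """What htdigest stores for a user: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")


# Constructed htdigest file, as "htdigest -c digest_passwd 'Protected Area' user1"
# would write it for the made-up password "correct horse".
REALM = "Protected Area"
HTDIGEST_TEXT = f"user1:{REALM}:{ha1('user1', REALM, 'correct horse')}\n"


def parse_htdigest(text):
    """Return {(user, realm): HA1} from htdigest file contents."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, realm, h = line.strip().split(":", 2)
        entries[(user, realm)] = h
    return entries


def server_challenge(realm, nonce=None):
    """Fields of the WWW-Authenticate: Digest header sent with the 401."""
    return {"realm": realm, "nonce": nonce or secrets.token_hex(16),
            "qop": "auth", "algorithm": "MD5"}


def response_from_ha1(challenge, h1, user, method, uri, nc, cnonce):
    """Compute the Authorization: Digest fields from HA1 (no password needed)."""
    ha2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f"{h1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
    return {"username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
            "response": resp}


def client_response(challenge, user, password, method, uri,
                    nc="00000001", cnonce=None):
    """What the browser sends back; only hashes leave the client."""
    h1 = ha1(user, challenge["realm"], password)
    return response_from_ha1(challenge, h1, user, method, uri,
                             nc, cnonce or secrets.token_hex(8))


def server_verify(entries, challenge, auth, method):
    """Recompute the expected response from the stored HA1 and compare."""
    if auth["nonce"] != challenge["nonce"] or auth["realm"] != challenge["realm"]:
        return False
    h1 = entries.get((auth["username"], auth["realm"]))
    if h1 is None:
        return False
    expected = response_from_ha1(challenge, h1, auth["username"], method,
                                 auth["uri"], auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected["response"], auth["response"])


def offline_guess(captured_challenge, captured_auth, method, candidates):
    """Why Digest still needs TLS: everything except the password is in the
    capture, so an eavesdropper can test guesses without touching the server."""
    for guess in candidates:
        attempt = client_response(captured_challenge, captured_auth["username"], guess,
                                  method, captured_auth["uri"],
                                  captured_auth["nc"], captured_auth["cnonce"])
        if attempt["response"] == captured_auth["response"]:
            return guess
    return None


if __name__ == "__main__":
    users = parse_htdigest(HTDIGEST_TEXT)
    ch = server_challenge(REALM)
    auth = client_response(ch, "user1", "correct horse", "GET", "/testfolder/")
    print("server accepts:", server_verify(users, ch, auth, "GET"))
    print("offline guess:", offline_guess(ch, auth, "GET", ["password", "correct horse"]))
```

The forgery case in the checks below is the reason Step 13 asks for tight permissions on the digest file: whoever reads it can authenticate as every user in that realm without cracking anything.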

To create an area protected by Digest Authentication, we use something like the following. The directive names are the Apache 2.0 ones; on Apache 2.2 and later mod_auth_digest reads AuthUserFile and AuthGroupFile (with AuthDigestProvider file) instead. The original block also carried "Order deny,allow" and "Deny from all" with no Allow; since Satisfy defaults to All, that would reject every request regardless of credentials, so those lines are dropped here.
<Directory "/var/www/htdocs/protected" >
Options None
AllowOverride None
AuthType Digest
AuthName "Protected Area"
AuthDigestFile /usr/local/apache/conf/digest_passwd
AuthDigestGroupFile /usr/local/apache/conf/groups
Require valid-user
</Directory>

This time we set AuthType Digest, and the AuthName "Protected Area" directive is required. In place of the AuthUserFile and AuthGroupFile directives we use the AuthDigestFile and AuthDigestGroupFile directives. The group file is the same as previously, but we need to set up the password file using the command htdigest -c /usr/local/apache/conf/digest_passwd "Protected Area" user1. Note the use of the htdigest program in place of htpasswd, and that the realm argument must match AuthName exactly, since it is hashed into the stored entry. Again the c option creates the file if it doesn't exist.

Article Written By : Mahabub Bhai.
