Open Source

Secure your Web sites with Apache's .htaccess

Use this tutorial to require a username and password for specific files and/or directories on an Apache-based Web site.


You don’t have to have expensive software or degrees in forensics to secure access to your company Web sites; instead, you just need the Apache Web server and .htaccess. To show you some of the security features of this tool, here’s a look at how to password protect your http directories with .htaccess.

The access.conf file
More than likely, you're using a recent version of Apache that uses the access.conf file. In my Linux distribution (Red Hat 8.0), this file is located in /etc/httpd/conf. If your distribution is different, and doesn't locate this file in the same place, simply run locate access.conf to find out where access.conf is tucked away. Take a look at this file; in it you may find something that looks like:
 
<Directory>
<Directory /var/www/html/admin/>
   Options Indexes FollowSymLinks
   AllowOverride AuthConfig
   order allow,deny
   allow from all
</Directory>
 

The snippet above defines for Apache what directory (in this case, /var/www/html/admin) is to be configured with password protection. The <Directory> tag begins the directive and the </Directory> tag ends the directive. The second <Directory> tag defines the exact location this directive is to configure for password protection. Of course, the above directive is defining more than just a directory. For example, the Options listed are:
  • Indexes: Allows the server to generate a directory listing for a directory if no DirectoryIndex is specified
  • FollowSymLinks: Allows the server to follow symbolic links in that directory
  • AllowOverride: Sets whether any Options can be overridden by the declarations in an .htaccess file
  • AuthConfig: Allows usage of the authorization directives
  • Order: Controls the order in which allow and deny directives are evaluated.
  • Allow: Specifies which requester (a domain name, all, an IP address, a partial IP address, network/netmask pair) can access a given directory

The above directives are the primary directives you will use for a password-protected directory. What you will want to do is to define, in a directive similar to the above, the directory you want to password protect and how you want it protected. To do this you must su to root, edit the file, save the file, and restart httpd (which can be achieved with the /etc/rc.d/init.d/httpd restart command).

File setup
With the directories defined, it's time to actually create the files and passwords associated with the directories. The first thing you want to do is to change to the directory you want to protect (for this example, I'll say /var/www/html/admin/). Now create the .htaccess file with the command touch .htaccess. Open that file up (with your favorite text editor) and enter the following, where USERNAME is the actual username that the administrator or user will log on with:
 
AuthUserFile /var/www/html/admin/.htpasswd
AuthGroupFile /www.null
AuthName "Authorization Required"
AuthType Basic
 
<Limit GET POST>
require user USERNAME
</Limit>
 

Here you see the following directives:
  • AuthUserFile is the path to the password file that I will create momentarily.
  • AuthGroupFile is the path to the group password file.
  • AuthName creates what is referred to as a realm of protection that allows users, once successfully logged on, to access any area defined by the same realm.
  • AuthType is the type of authorization to set (this should be set to Basic).
  • Within the <Limit> tags you will define just who is allowed access to this particular directory.

Set .htaccess passwords
In order to finish up the .htaccess setup, a password must be created for the user with the htpasswd command. This command will create the password for the indicated user as well as create the necessary password file (as configured in the AuthUserFile directive from the above section).

The syntax of this command is htpasswd password_file_name user. In this case, you are not only creating the user password, you are also creating the password file, so you must add the -c (create) flag. Thus, the user will be OBED and the password file (.htpasswd) will be located in the /var/www/html/admin/ directory. For this process to happen, you will run the command htpasswd -c /var/www/html/admin/.htpasswd OBED. Upon hitting [Enter] you will be prompted for a password that will be associated with the user, and the directory will now only be accessible to those in the .htpasswd file.

Using groups
Using single user files is not so convenient when you have a number of users that need access to a specific directory. If you have a need to allow a group access to a specified directory, you will want to make use of the AuthGroupFile directive in the .htaccess file. In this same file, you will replace the require user USERNAME with require group GROUPNAME. You can also use a combination of user and group or even multiple entries of either (or combinations). For example, you could have the following directives in your .htaccess file:
 
require user USERNAME
require group GROUP1 GROUP2
 

The next step, in using groups, is to create the group file. A group file consists of a group name, followed by a colon, followed by a space-separated list of included users. Let's say you have a group called staff that includes users buffy, willow, giles, xander, and dawn. The entry in the group file for this group would look like
 
staff: buffy willow giles xander dawn



The group is limited to 8 KB in size (or 8,000 characters).

With the group file in place, you will still need to use .htaccess to create the passwords for the group members (as shown above). Now, to give a new user access to the particular directory, you simply have to add his or her user name to the group file.

Logging on
When a user attempts to access the restricted page she will be greeted with a logon, as shown in Figure A.

Figure A


Looking for something much bigger?
Should your needs become so large that a flat-text database file falls short, you can look to the dbmmanage tool to create standard database format files to use with .htaccess. This method requires a bit more information, which can be found on the Apache Web site.

 

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.

Editor's Picks