Protect Web sites with Apache Server's HTTP authentication system

Web sites commonly protect sensitive data behind a login screen, which requires users to enter valid credentials before permitting them access. This document outlines the process of protecting access to areas of a Web site using Apache Server's built-in HTTP authentication system.

Web sites commonly protect sensitive data behind a login screen, which requires users to enter valid credentials before permitting them access. This login screen is part of a larger authentication application, usually written in a Web scripting language like PHP or Perl, which interfaces with a database to verify user credentials and grant or deny access.

There is only one problem with this system. Writing such an authentication application usually requires a fair amount of code, as well as development and deployment time. If you're a Webmaster or systems administrator without the time or required programming skills, however, don't panic: you can create a quick and effective authentication system for your site in just a few minutes using features built into the Apache Web server.

This document outlines the process of protecting access to areas of a Web site using Apache's built-in HTTP authentication system.

Step 1: Ensure that your version of Apache supports HTTP authentication

A "stock" Apache build is configured to support HTTP authentication by default. However, if you're using a customized or stripped-down build, your version of Apache may not include support for this feature. To check this, run the server with the -l command-line option, which lists the compiled-in modules, and ensure that the resulting list includes an entry for mod_auth, as shown in Listing A.

Listing A


shell> /usr/local/apache/bin/httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_setenvif.c
  mod_php5.c

If such an entry is not present, you will need to recompile your Apache server and include support for this feature before proceeding to the next step. Information on how to do this may be obtained from the Apache Web site.

You should also look in the Apache configuration file, httpd.conf, and ensure that the directive AllowOverride All is present in the entry for the Web server document root. If this is not present, you can add it.

Step 2: Create a user/password database

From the command prompt, switch to a directory outside the Web server root and run the htpasswd utility. This utility, included as part of the Apache distribution in its bin/ directory, creates a password database that can be used by the Web server to verify user credentials and thereby grant access to sensitive data. Listing B shows you how to use it:

Listing B


shell> cd /usr/local/apache
shell> /usr/local/apache/bin/htpasswd -c users.dat john
New password: ******
Re-type new password: ******
Adding password for user john

Enter a username and password when prompted to do so, and htpasswd will create a new password database containing this information in encrypted form. Repeat this step as many times as you need to, adding a new user every time. However, the -c option passed to htpasswd on the command line should only appear the first time you run the command, as it is used to initialize a new password file; omit it from all subsequent htpasswd calls.

Caution: Ensure that the password database created in this step is stored outside the Web server document root. Doing this ensures that malicious users cannot download it through a Web browser.

Step 3: Enable the Apache authentication system

Once the password database is initialized, switch to the directory you wish to protect. In your favorite text editor, create a new text file containing the directives shown in Listing C and save it as .htaccess:

Listing C


AuthType Basic
AuthName "Protected Area"
AuthUserFile /usr/local/apache/users.dat
Require valid-user

These directives tell Apache to protect the directory from casual access, and force the client browser to authenticate itself before allowing access. The path provided to the AuthUserFile directive must, of course, reflect the path to the password database created in the previous step.

Step 4: Restart Apache for the new settings to take effect

Once the password database and .htaccess file are created, restart the Web server for the changes to take effect.

shell> /usr/local/apache/bin/apachectl restart

To test the authentication system, browse to the directory you protected in Step 3. Your browser should pop up a dialog box asking for a user name and password. Only if your input matches a user/password combination previously created in Step 2 will you be granted access.
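A shell check for the result of Steps 2 and 3, added here as an example (it is not part of the original article): the hypothetical function audit_htaccess confirms that a protected directory's .htaccess carries the Listing C directives and that the AuthUserFile it names exists outside the document root. It assumes an absolute AuthUserFile path, as in Listing C; the sample layout at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit a directory protected as in Steps 2-3.
# audit_htaccess is a hypothetical helper; it assumes an absolute AuthUserFile path.

# Resolve a directory to its physical path, following symlinks.
real_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# audit_htaccess <document-root> <protected-dir>; returns 0 only if every check passes.
audit_htaccess() {
    docroot=$(real_dir "$1") || { echo "FAIL: no such document root: $1"; return 2; }
    ht="$2/.htaccess"
    [ -f "$ht" ] || { echo "FAIL: $ht not found"; return 2; }
    rc=0

    # All four directives from Listing C must be present (names are case-insensitive).
    for d in AuthType AuthName AuthUserFile Require; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]" "$ht" ||
            { echo "FAIL: $d missing from $ht"; rc=1; }
    done

    # Path given to the first AuthUserFile directive, with quotes stripped.
    pwfile=$(awk 'tolower($1)=="authuserfile"{sub(/^[ \t]*[^ \t]+[ \t]+/,""); print; exit}' \
             "$ht" | tr -d '"')
    [ -n "$pwfile" ] || return "$rc"
    [ -f "$pwfile" ] || { echo "FAIL: password file $pwfile does not exist"; return 1; }

    # Step 2 caution: the database must not sit anywhere below the document root.
    pwdir=$(real_dir "$(dirname "$pwfile")")
    case "$pwdir/" in
        "$docroot"/*) echo "FAIL: $pwfile is inside the document root"; rc=1 ;;
        *)            echo "OK: $pwfile is outside the document root" ;;
    esac
    return "$rc"
}

# Constructed sample layout to exercise the check.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/private"
: > "$demo/users.dat"
printf 'AuthType Basic\nAuthName "Protected Area"\nAuthUserFile %s\nRequire valid-user\n' \
    "$demo/users.dat" > "$demo/htdocs/private/.htaccess"
audit_htaccess "$demo/htdocs" "$demo/htdocs/private"
rm -rf "$demo"
```

Because both paths are resolved with pwd -P, a password file reached through a symlinked directory inside the document root is still reported.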

So there you have it—a quick and dirty security system, requiring minimal investment of time and code. Go on out there, and start securing your data!
