Web sites commonly protect sensitive data behind a login screen, which requires users to enter valid credentials before permitting them access. This login screen is part of a larger authentication application, usually written in a Web scripting language like PHP or Perl, which interfaces with a database to verify user credentials and grant or deny access.
There is only one problem with this system: writing such an authentication application usually requires a fair amount of code, as well as development and deployment time. If you're a Webmaster or systems administrator without the time or the required programming skills, don't panic. You can create a quick and effective authentication system for your site in just a few minutes using features built into the Apache Web server.
This document outlines the process of protecting access to areas of a Web site using Apache's built-in HTTP authentication system.
Step 1: Ensure that your version of Apache supports HTTP authentication
A "stock" Apache build is configured to support HTTP authentication by default. However, if you're using a customized or stripped-down build, your version of Apache may not include support for this feature. To check this, run the server with the -l command-line option, which lists the compiled-in modules, and ensure that the resulting list includes an entry for mod_auth, as shown in Listing A. In Apache 2.2 and later the equivalent modules are mod_auth_basic and mod_authn_file, and Apache 2.4 also needs mod_authz_core for the Require directive. Note that httpd -l shows only statically compiled modules; if your build loads modules as shared objects, use httpd -M (Apache 2.2 and later), which lists every loaded module.
Listing A
shell> /usr/local/apache/bin/httpd -l
Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_status.c
mod_include.c
mod_autoindex.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_setenvif.c
mod_php5.c
If such an entry is not present, you will need to recompile your Apache server and include support for this feature before proceeding to the next step. Information on how to do this may be obtained from the Apache Web site.
You should also look in the Apache configuration file, httpd.conf, and ensure that the <Directory> block covering the directory you want to protect contains an AllowOverride directive that permits authentication settings in .htaccess files. AllowOverride AuthConfig is sufficient for this purpose; AllowOverride All also works, but it lets .htaccess files override far more than authentication, so prefer the narrower setting. If no such directive is present, add it.
Step 2: Create a user/password database
From the command prompt, switch to a directory outside the Web server document root and run the htpasswd utility. This utility, included as part of the Apache distribution in its bin/ directory, creates a password file that the Web server uses to verify user credentials and thereby grant access to sensitive data. Listing B shows you how to use it:
Listing B
shell> cd /usr/local/apache
shell> /usr/local/apache/bin/htpasswd -c users.dat john
New password: ******
Re-type new password: ******
Adding password for user john
Enter a password when prompted to do so, and htpasswd will create a new password file containing the username together with a hash of the password (not the password itself, and not a reversible encryption of it). Repeat this step as many times as you need to, adding a new user each time. However, the -c option passed to htpasswd on the command line should appear only the first time you run the command, as it creates (and truncates) the password file; omit it from all subsequent htpasswd calls, or you will wipe out the users you have already added. The hash algorithm depends on your Apache version: older releases use crypt(3), Apache 2.2 and later default to an MD5-based scheme, and Apache 2.4's htpasswd can store bcrypt hashes with the -B option, which is the strongest choice where it is available.
Caution: Ensure that the password file created in this step is stored outside the Web server document root. Doing this ensures that malicious users cannot download it through a Web browser. Also make the file readable only by the user the Web server runs as (for example, owned by root with the server's group and mode 640), because anyone with a shell account on the host who can read the file can attack the hashes offline.
Step 3: Enable the Apache authentication system
Once the password file is initialized, switch to the directory you wish to protect. In your favorite text editor, create a new text file containing the directives shown in Listing C and save it as .htaccess:
Listing C
AuthType Basic
AuthName "Protected Area"
AuthUserFile /usr/local/apache/users.dat
Require valid-user
These directives tell Apache to protect the directory from casual access and force the client browser to authenticate itself before allowing access. AuthType Basic selects HTTP Basic authentication, AuthName sets the realm string that the browser displays in its login dialog, AuthUserFile points at the password file, and Require valid-user admits any user listed in that file (use Require user john instead to admit only the named users). The path provided to the AuthUserFile directive must, of course, reflect the path to the password file created in the previous step.
Step 4: Restart Apache for the new settings to take effect
Apache reads .htaccess files on every request, so the directives in Listing C take effect as soon as the file is saved. A restart is needed only if you changed httpd.conf in Step 1 (for example, to add the AllowOverride directive); in that case, restart the Web server for the changes to take effect.
shell> /usr/local/apache/bin/apachectl restart
To test the authentication system, browse to the directory you protected in Step 3. Your browser should pop up a dialog box asking for a user name and password. Only if your input matches a user/password combination previously created in Step 2 will you be granted access. Keep in mind that Basic authentication sends the user name and password base64-encoded, not encrypted, with every request to the protected area, so serve the protected directory over HTTPS; over plain HTTP, anyone who can observe the traffic can read the credentials.
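To make the exchange in Step 4 concrete, here is an added example (not code from the original article and not Apache's own code) that models what the browser and the server do behind that login dialog: the 401 challenge carrying the AuthName realm, the Authorization header the browser sends back, and the server's lookup of the user in the password file. It uses the {SHA} hash format that htpasswd -s writes, because that is easy to reproduce with the Python standard library; the sample users.dat contents, the user names and the passwords are constructed for the example, and the "bob" entry stands in for any hash scheme the model does not implement.

```python
"""Model of Apache HTTP Basic authentication against an htpasswd file.

Added example, not the original article's or Apache's code. Only the {SHA}
scheme (htpasswd -s) is implemented; any other scheme is rejected (fail closed).
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def sha_entry(password: str) -> str:
    """Hash field as written by `htpasswd -s`: "{SHA}" + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample of a users.dat file (one "user:hash" line per user).
# The bob entry is a placeholder for a hash scheme this model does not implement.
SAMPLE_HTPASSWD = (
    "john:" + sha_entry("s3cret") + "\n"
    "alice:" + sha_entry("hunter2") + "\n"
    "bob:$unsupported$placeholder\n"
)

REALM = "Protected Area"  # the AuthName from Listing C


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map user name -> stored hash field, skipping blank lines and comments."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify_password(stored: str, password: str) -> bool:
    """Compare a cleartext password with one hash field, in constant time."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha_entry(password).encode(), stored.encode())
    return False  # unknown scheme: refuse rather than accept


def challenge(realm: str) -> Tuple[int, Dict[str, str]]:
    """Server response when credentials are missing or wrong: 401 plus the
    WWW-Authenticate header whose realm the browser shows in its dialog."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}


def client_authorization_header(user: str, password: str) -> str:
    """What the browser sends after the user fills in the login dialog."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_authorization_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization header. Base64 is an
    encoding, not encryption: anyone who can read the request can do this."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    if not sep:
        return None
    return user, password


def handle_request(headers: Dict[str, str], htpasswd_text: str,
                   realm: str = REALM) -> Tuple[int, Dict[str, str]]:
    """Decision for `Require valid-user`: 200 only if the presented credentials
    match an entry in the password file; otherwise the 401 challenge."""
    auth = headers.get("Authorization")
    creds = decode_authorization_header(auth) if auth else None
    if creds is None:
        return challenge(realm)
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not verify_password(stored, password):
        return challenge(realm)
    return 200, {}


if __name__ == "__main__":
    header = client_authorization_header("john", "s3cret")
    print("browser sends:", header)
    print("anyone on the wire can read:", decode_authorization_header(header))
    print("first request, no credentials:", handle_request({}, SAMPLE_HTPASSWD))
    print("with john's credentials:", handle_request({"Authorization": header}, SAMPLE_HTPASSWD))
```

Two design points carry over to the real server: the lookup refuses any hash scheme it cannot verify instead of falling through to "allowed", and the comparison of hashes is constant-time. The decode step is also the whole argument for HTTPS in Step 4: the Authorization header is one base64 call away from the cleartext password.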
So there you have it: a quick and dirty security system, requiring minimal investment of time and code. Go on out there, and start securing your data!