Getting More Out Of Apache (Part 2)
By: icarus, (c) Melonfire
    2001-01-23

    Table of Contents:
  • Getting More Out Of Apache (Part 2)
  • Eyes Only
  • Identity Check
  • Grouping Things Together
  • Timmmmmmbbbbberrrr!
  • When Things Go Wrong
  • Just Rewrite It!
  • Putting It Into Practice


    Getting More Out Of Apache (Part 2) - Eyes Only
    (Page 2 of 8 )

    Security has always been a prime concern so far as the Internet is concerned; barely a week passes without media reports of security breaches at one Web site or another. If this is something you're concerned about (and you should be), you can set up Apache to protect confidential information on your Web site with a simple form of user authentication.

    Apache's user authentication mechanism is based on the traditional username-password challenge mechanism. When the Web server receives a request for a directory or file that it knows to be a protected resource (aka "realm"), it responds by sending the client browser an authentication challenge. It is only after receiving a valid username and password back from the client browser that access is granted to the realm.
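    The challenge and response described above, as an added sketch that is not part of the original article. The realm name is the AuthName used in the article's ".htaccess"; the user table and function names are constructed for illustration. The last call shows that a Basic credential is only base64-encoded, so anyone who can read the request recovers the password unless the connection is encrypted.

```python
import base64
import hmac

REALM = "Top-Secret Information"          # AuthName from the article's .htaccess
# Constructed stand-in for the AuthUserFile. A real file stores password
# hashes; plain text is used here only to keep the sketch short.
USERS = {"joe": "constructed-password"}

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def handle(headers):
    """Server side: return (status, response_headers) for a request to the realm."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge             # no usable credentials: send the challenge
    user, password = creds
    expected = USERS.get(user)
    # compare_digest avoids leaking where the two strings first differ
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return 401, challenge
    return 200, {}

def client_header(user, password):
    """Client side: what the browser sends once the user fills in the dialog."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token

if __name__ == "__main__":
    print(handle({}))                                  # first request: challenged
    hdr = client_header("joe", "constructed-password")
    print(hdr, handle({"Authorization": hdr}))         # retry: access granted
    print(parse_basic(hdr))                            # the header is only encoded
```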

    The concept is simple, and it works well; however, implementing it requires a little more work.

    The simplest way to add protection to a specific directory is via the ".htaccess" file. In order to see how this works, create a file named ".htaccess" in the directory you wish to protect. Open the file in your favourite text editor and add the following lines to it:

    # members table
    AuthType Basic
    AuthName "Top-Secret Information"
    AuthUserFile /usr/local/apache/auth/mfre/users
    require valid-user

    The first two directives are pretty standard - the AuthType directive specifies the type of authentication (usually "Basic", although there is also a "Digest" type of authentication), while the AuthName directive specifies a name or description for the resource. This description will appear in the client browser when the user attempts to access the protected directory, so you should choose something descriptive.

    The AuthUserFile directive specifies the location for the file containing a list of authorized users, together with their passwords. This file should *always* be placed outside the Web server root, in an area not accessible to a browser; if this is not done, anyone can download the file and view the information in it.

    Finally, the "require valid-user" statement specifies the kinds of users that have access to this directory - in this case, it means that all valid users (read: users listed in the authorization file) have the ability to view the contents of the directory. You could further restrict the number of people allowed access by specifying user or group names - for example, the statement "require user joe beth" would only allow users "joe" and "beth" access to this area.

    You should be aware, however, that the server will only read the ".htaccess" file if it is configured to do so. In order to confirm this, open up your main Apache configuration file, "httpd.conf", and look for the <Directory> tags which reference your Web server root. These tags should look something like this:

    <Directory "/path/to/web/server/root">
    ...stuff...
    AllowOverride All
    ...stuff...
    </Directory>

    The AllowOverride All directive tells the server that global configuration parameters can be overridden by local ones - the parameters in the per-directory ".htaccess" file.
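    One way to check the two conditions above before relying on the protection: that the AuthUserFile sits outside the Web server root, and that the covering <Directory> block lets ".htaccess" carry authentication directives. This is an added example, not code from the article; the function names and the sample "httpd.conf" contents are constructed, and it assumes plain absolute POSIX paths (no wildcards or regular expressions in <Directory>).

```python
import posixpath
import re

# Constructed sample inputs; the httpd.conf contents are assumed for illustration.
HTACCESS = '''AuthType Basic
AuthName "Top-Secret Information"
AuthUserFile /usr/local/apache/auth/mfre/users
require valid-user
'''
HTTPD_CONF = '''DocumentRoot "/usr/local/apache/htdocs"
<Directory />
    AllowOverride None
</Directory>
<Directory "/usr/local/apache/htdocs">
    AllowOverride All
</Directory>
'''

def is_under(path, root):
    """True if absolute POSIX `path` is `root` or lies beneath it."""
    if not (posixpath.isabs(path) and posixpath.isabs(root)):
        return False
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return posixpath.commonpath([path, root]) == root

def directive(text, name):
    """Argument string of the first uncommented `name` directive, or None."""
    m = re.search(rf'^[ \t]*{name}[ \t]+(.+?)[ \t]*$', text, re.M | re.I)
    return m.group(1).strip('"') if m else None

def audit(htaccess, httpd_conf, protected_dir):
    """Return a list of findings for one .htaccess-protected directory."""
    findings = []
    docroot = directive(httpd_conf, "DocumentRoot")
    userfile = directive(htaccess, "AuthUserFile")
    if userfile and docroot and is_under(userfile, docroot):
        findings.append(f"AuthUserFile {userfile} is inside DocumentRoot")
    # Use the most specific <Directory> block that sets AllowOverride.
    best = None
    for m in re.finditer(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>',
                         httpd_conf, re.S | re.I):
        path, override = m.group(1), directive(m.group(2), "AllowOverride")
        if (override and is_under(protected_dir, path)
                and (best is None or len(path) > len(best[0]))):
            best = (path, override.lower().split())
    if best is None:
        findings.append("no covering <Directory> sets AllowOverride")
    elif not {"all", "authconfig"} & set(best[1]):
        findings.append("AllowOverride does not permit AuthConfig; .htaccess auth is ignored")
    return findings
```

    "AllowOverride AuthConfig" is the narrowest setting that still lets ".htaccess" carry the directives shown above, which is why the check accepts it as well as "All".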

    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 2 hosted by Hostway