An Introduction to Security Measures in Apache 2.2
This article is aimed at giving you a practical and interesting introduction to the two methods of authentication available to you as an administrator of Apache. It is only a first step, and not intended as the only step if you are configuring a commercial web server.
Getting familiar with the Apache security modules is a logical next step when you have mastered the basics of setting the HTTP server up and configuring it for personal use. Although the modules and declarations used in this article are the same as those used in live web servers, due to differences in implementation and setup, I want to point out that this isn't a tutorial intended for the configuration of web servers available to and accessed by the entire online community. This is intended to introduce you to the authentication modules and commands, and for use on a home or test web server. I hope that this is a first step for you and that you will find it useful merely as a first step if you are looking to configure a commercial web server.
You can also use the techniques outlined in this article in a scenario that is growing ever more popular: that of making a folder on your home computer available to you across the Internet wherever you happen to be. This is not the same as a web server hosting a public site because in theory only you (and anyone else you share your security credentials with) will be able to access it. You will need more than what is discussed in this tutorial to accomplish the complete setup, including either a static IP address or a router capable of dynamic DNS, an account with a DNS provider and a hardware firewall (if your router cannot do this as well), but there are plenty of tutorials out there that cover this subject already, so I'm just going to look at the configuration options available to you through Apache.
There are basically two types of visitor authentication methods available to you via Apache: basic and digest. Each has a series of provider modules which implement the authentication in different ways, including alias, anonymous, DBD and DBM, default and file. SSL is also available, but this is an encryption standard, not an authentication method. Each method of authentication (which is not the same as authorization, I hasten to add) has a module that enables it to work, and a set of directives and statements that instruct it how to work. A quick inspection of the httpd.conf file reveals that not all of these modules are loaded by default, although the auth_basic_module is, so let's have a quick look at that one first.
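The inspection of httpd.conf mentioned above can be scripted. The following Python is an added example, not part of the original article: it reports which authentication type and provider modules are loaded or commented out, and which modules a chosen type/provider pairing would still need. The function names are hypothetical, the configuration excerpt is constructed for illustration, and the `authn_*` names are the Apache 2.2 module identifiers for the providers listed above.

```python
import re

# Type modules decide how credentials travel; provider modules decide
# where they are looked up (Apache 2.2 module identifiers).
TYPE_MODULES = {"auth_basic_module", "auth_digest_module"}
PROVIDER_MODULES = {
    "authn_alias_module", "authn_anon_module", "authn_dbd_module",
    "authn_dbm_module", "authn_default_module", "authn_file_module",
}

# Matches active and commented-out LoadModule lines alike.
LOADMODULE = re.compile(r"^\s*(#*)\s*LoadModule\s+(\S+)\s+\S+", re.IGNORECASE)

# Constructed excerpt for illustration, not copied from a real server.
SAMPLE_CONF = """\
# Authentication modules
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
"""

def audit_auth_modules(conf_text):
    """Return {'types': {...}, 'providers': {...}}, mapping module -> loaded?"""
    report = {"types": {}, "providers": {}}
    for line in conf_text.splitlines():
        m = LOADMODULE.match(line)
        if not m:
            continue
        active, name = not m.group(1), m.group(2)
        for group, known in (("types", TYPE_MODULES), ("providers", PROVIDER_MODULES)):
            if name in known:
                # An active line wins over a commented-out duplicate.
                report[group][name] = report[group].get(name, False) or active
    return report

def missing_for(report, auth_type, provider):
    """Modules still to be enabled for e.g. ('digest', 'file')."""
    needed = ["auth_%s_module" % auth_type, "authn_%s_module" % provider]
    loaded = {**report["types"], **report["providers"]}
    # A module absent from the file counts as not loaded.
    return [m for m in needed if not loaded.get(m, False)]

if __name__ == "__main__":
    rep = audit_auth_modules(SAMPLE_CONF)
    for group in ("types", "providers"):
        for name, on in sorted(rep[group].items()):
            print("%-9s %-22s %s" % (group, name, "loaded" if on else "commented out"))
    print("digest + file still needs:", missing_for(rep, "digest", "file"))
```

To check a real server, pass the contents of its httpd.conf to `audit_auth_modules` in place of `SAMPLE_CONF`.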