An Introduction to Security Measures in Apache 2.2 - Configure it right
(Page 2 of 4 )

The following directives can be placed either into the main Apache configuration file, the httpd.conf file, or into individual .htaccess files (or distributed configuration files).  However, it is recommended that they be placed into the configuration file rather than using the .htaccess method.  The reason for this is for both performance and security. Apache will look in every directory for .htaccess files every time a document is requested if it is configured to allow them. 

The security aspect is less of a problem when used in the scenario of this tutorial because you probably aren't an ISP with lots of users wanting to configure their own directories, however, a misconfiguration of the <FilesMatch "^.ht"> directive will allow remote users to view the files in a browser.  Apache themselves state that .htaccess files should only ever be used when you don't have access to the main server configuration file, so heed their advice and save yourself problems if you are ever in a position of making these kinds of configuration decisions on a live, publicly accessed web server.

The following statements can happily reside in any <Directory> section of your configuration file.  The folder I use to serve documents from on my own machine is C:www but you could just as easily share and protect your music folder.

<Directory "C:/Documents & Settings/username/My Documents/My Music" >

The following directives will cause Apache to require a valid username and password to be entered when requesting any document from the www directory:

<Directory "C:/www">
  AuthUserFile "C:/hidden/passwords.txt"
  AuthType basic
  AuthName "Restricted Area"
  Require valid-user
</Directory>

Firstly, we specify the path to the file that contains the usernames and passwords.  Next we declare which type of authentication we are using.  The AuthName directive allows us to set the text that appears in the header of the credentials prompt and also allows us to set a realm where an already authenticated visitor can request other protected directories (provided they also have AuthName "Restricted Area" in their respective <directory> section) without needing to enter the password again. 

Finally, the Require directive states that any authenticated visitors may access the directory. Alternatively, you could specify individual users that are allowed access.  There are other directives that can be used, such as the Satisfy statement, but in this situation, nothing else is required.

Next: Password >>
 

More Apache Articles
More By Dan Wellman

Comments On: An Introduction to Security Measures in Apache 2.2

· Hi Everyone, I found this part of the Apache setup very interesting and logical...    · You should also have something like this under httpd.conf or .htaccess to make sure...    · When using PHP5 & Apache for digest authentication, I found that I had to change the...   >>> Post your comment now!