An Introduction to Security Measures in Apache 2.2 (Page 2)

Configure it right - Apache

This article is aimed at giving you a practical and interesting introduction to the two methods of authentication available to you as an administrator of Apache. It is only a first step, and not intended as the only step if you are configuring a commercial web server.

  1. An Introduction to Security Measures in Apache 2.2
  2. Configure it right
  3. Password
  4. More on Passwords
By: Dan Wellman
January 30, 2007




The following directives can be placed either in the main Apache configuration file, httpd.conf, or in individual .htaccess files (also called distributed configuration files). However, it is recommended that they be placed in the main configuration file rather than in .htaccess files, for reasons of both performance and security. If Apache is configured to allow .htaccess files, it will look in every directory for them every time a document is requested.

The security aspect is less of a problem in the scenario of this tutorial, because you probably aren't an ISP with lots of users wanting to configure their own directories. However, a misconfiguration of the <FilesMatch "^\.ht"> directive will allow remote users to view these files in a browser. Apache themselves state that .htaccess files should only ever be used when you don't have access to the main server configuration file, so heed their advice and save yourself problems if you are ever in a position of making these kinds of configuration decisions on a live, publicly accessed web server.

The following statements can happily reside in any <Directory> section of your configuration file. The folder I use to serve documents from on my own machine is C:\www, but you could just as easily share and protect your music folder:

<Directory "C:/Documents and Settings/username/My Documents/My Music">

The following directives will cause Apache to require a valid username and password to be entered when requesting any document from the www directory:

<Directory "C:/www">
    AuthUserFile "C:/hidden/passwords.txt"
    AuthType Basic
    AuthName "Restricted Area"
    Require valid-user
</Directory>

Firstly, we specify the path to the file that contains the usernames and passwords. Next, we declare which type of authentication we are using. The AuthName directive sets the text that appears in the header of the credentials prompt and also names a realm: an already authenticated visitor can request other protected directories (provided they also have AuthName "Restricted Area" in their respective <Directory> section) without needing to enter the password again.

Finally, the Require directive states that any authenticated visitors may access the directory. Alternatively, you could specify individual users that are allowed access.  There are other directives that can be used, such as the Satisfy statement, but in this situation, nothing else is required.
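A small configuration check for the mistakes this page's setup is meant to avoid, as an added example that is not part of the original article: it flags an auth block with no Require, an explicit AllowOverride that enables .htaccess lookups, a password file located under a <Directory> path, and .ht files not covered by a FilesMatch deny block. The function names and the sample configuration are constructed for illustration; the parser assumes flat, un-nested sections and uses Python's re module as a stand-in for Apache's regex engine.

```python
import re

# Constructed httpd.conf fragment (Apache 2.2 syntax) with deliberate mistakes.
SAMPLE = r'''
<Directory "C:/www">
    AllowOverride AuthConfig
    AuthUserFile "C:/www/passwords.txt"
    AuthType Basic
    AuthName "Restricted Area"
</Directory>
<FilesMatch "^\.htaccess$">
    Order allow,deny
    Deny from all
</FilesMatch>
'''

def sections(conf):
    """Yield (name, argument, {directive: value}) for each flat <Section> block."""
    name = arg = body = None
    for line in map(str.strip, conf.splitlines()):
        opened = re.match(r'<(\w+)\s+"?([^">]*)"?\s*>$', line)
        if opened:
            name, arg, body = opened.group(1).lower(), opened.group(2), {}
        elif line.startswith("</") and name:
            yield name, arg, body
            name = None
        elif name and line and not line.startswith("#"):
            key, value = (line.split(None, 1) + [""])[:2]
            body[key.lower()] = value.strip('"')

def audit(conf):
    """Return findings for the configuration mistakes discussed above."""
    blocks, findings = list(sections(conf)), []
    dirs = [(arg, body) for name, arg, body in blocks if name == "directory"]
    for path, body in dirs:
        if "authtype" in body and "require" not in body:
            findings.append(f"{path}: AuthType set but no Require, so no login is enforced")
        # Only an explicit value is checked; an unset AllowOverride is inherited.
        if body.get("allowoverride", "None").lower() != "none":
            findings.append(f"{path}: AllowOverride turns on .htaccess lookups")
        pwfile = body.get("authuserfile", "").lower()
        if any(pwfile.startswith(p.lower().rstrip("/") + "/") for p, _ in dirs):
            findings.append(f"{path}: AuthUserFile sits under a <Directory> path")
    deny = [arg for name, arg, body in blocks
            if name == "filesmatch" and body.get("deny", "").lower() == "from all"]
    for fname in (".htaccess", ".htpasswd"):
        if not any(re.search(rx, fname) for rx in deny):
            findings.append(f"{fname}: no FilesMatch block denies access to it")
    return findings
```

Calling audit(SAMPLE) returns four findings; the same fragment with Require valid-user, AllowOverride None, the password file moved to C:/hidden and the pattern "^\.ht" returns none.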
