Page 3 - An Introduction to Security Measures in Apache 2.2
Password - Apache
This article is aimed at giving you a practical and interesting introduction to the two methods of authentication available to you as an administrator of Apache. It is only a first step, and not intended as the only step if you are configuring a commercial web server.
Now, you may be wondering whether you have to create a text file containing a username and a password by hand, but you don't need to worry because Apache can do this for you. Open up a command prompt (Start menu → Run, then type cmd → Enter) and change to the bin directory of wherever you have installed Apache. For a default installation just type:
cd "C:\Program Files\Apache Software Foundation\Apache2.2\bin"
Once you've pressed enter, the prompt should change to reflect this. To create the password file type:
htpasswd -c C:\hidden\passwords.txt AuthUser
The CLI will respond by asking you to type a password and then verify it. In place of AuthUser (which is case sensitive), you could use any other valid username. Note that the path to the file must already exist: htpasswd will create the passwords.txt file for you (that is what the -c flag means) but not the directories it resides within. Apache will also hash the password (but not the username) for you, using an MD5-based hash by default. Other hashing algorithms can be used, such as CRYPT or SHA, but MD5 is perfect for our needs. You can add further usernames and passwords to the existing passwords.txt file by running the same command without the -c flag (with -c, the file would be overwritten).
Using a plain text file for the password information in this example is fine, but if you have many users and passwords, the file-based authentication provider would cause delays and slowdowns on your server, because the whole file is scanned on every request. In this case you may wish to store the usernames and passwords in a database instead. As the file method is the default, you would need to specify a different authentication provider. This can be done by adding the AuthBasicProvider dbm declaration to the above <Directory> section, which forces the use of the mod_authn_dbm module instead of the mod_authn_file module.
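The two provider variants side by side, as an added example rather than the article's own configuration: the first <Directory> block uses the file provider with the passwords.txt file created above, the second switches to the dbm provider. The directory path, the realm name in AuthName and the passwords.dbm file name are assumptions chosen for this example; the htdocs path follows the default Apache 2.2 install location used earlier on this page.

```apache
# Modules needed for Basic authentication against a flat file (Apache 2.2 names).
# In a default httpd.conf these lines already exist; make sure they are uncommented.
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

# Variant 1: file provider (the default). The password file was created with:
#   htpasswd -c C:\hidden\passwords.txt AuthUser
# Forward slashes are the safest way to write Windows paths inside httpd.conf.
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/private">
    AuthType Basic
    AuthName "Restricted Area"
    AuthBasicProvider file
    AuthUserFile "C:/hidden/passwords.txt"
    Require valid-user
</Directory>

# Variant 2: dbm provider. Needs mod_authn_dbm and a DBM file instead of a text file.
# The DBM file is created and maintained with htdbm (same idea as htpasswd):
#   htdbm -c C:\hidden\passwords.dbm AuthUser
LoadModule authn_dbm_module modules/mod_authn_dbm.so

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/private-dbm">
    AuthType Basic
    AuthName "Restricted Area"
    AuthBasicProvider dbm
    AuthDBMUserFile "C:/hidden/passwords.dbm"
    Require valid-user
</Directory>
```

Keep the password files outside the DocumentRoot, as the C:\hidden path on this page does, so that they can never be served as ordinary files. Switching providers changes only the AuthBasicProvider line and the matching *UserFile directive; the AuthType, AuthName and Require lines stay the same.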
Save the configuration file, restart Apache, and then try to access your protected directory. You should see something like the following:
This is what happens on the Windows platform. Other platforms and browsers may differ wildly, but one thing that should be common across all of them is the explicit warning about insecure data transfer. This is because the credentials supplied by the visitor are sent to Apache in plain text and can therefore be easily read if intercepted en route. To improve matters, we can use the Digest method of authentication instead, which does not transmit the password in plain text and is therefore far more secure, even over a non-secure connection. This is very easy to implement and requires just a couple of additions and tweaks to the Basic method. Create a new directory in the directory from which Apache serves documents and then add the following new section to the httpd.conf file:
All we have done is change AuthType to Digest and add the AuthDigestDomain directive. Its value can be either a relative URI, as in this example, or an absolute URL. Don't forget to uncomment the LoadModule auth_digest_module line in the modules section near the top of httpd.conf to enable the module.
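A complete Digest section of the kind described above, added here as an example (it is not the article's own configuration, which is not reproduced on this page). The directory name digest, the realm name "Digest Area" and the file name digest-passwords.txt are assumptions; the htdocs path again follows the default Apache 2.2 install location.

```apache
# Digest authentication lives in its own module; uncomment this line in the
# modules section of httpd.conf.
LoadModule auth_digest_module modules/mod_auth_digest.so

# Digest password files are NOT created with htpasswd. Use htdigest, which stores
# MD5(username:realm:password), so the realm given here must match AuthName exactly:
#   htdigest -c C:\hidden\digest-passwords.txt "Digest Area" AuthUser
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/digest">
    AuthType Digest
    AuthName "Digest Area"
    # Relative URI the browser should send Digest credentials for; an absolute
    # URL is also accepted.
    AuthDigestDomain /digest/
    AuthDigestProvider file
    AuthUserFile "C:/hidden/digest-passwords.txt"
    Require valid-user
</Directory>
```

With Digest, the browser never sends the password itself; it sends an MD5 hash computed over the username, realm, password, a server-supplied nonce, the request method and the URI, which is why the plain-text warning disappears. Note what is still not protected: the pages themselves travel unencrypted, and the realm name is part of the stored hash, so changing AuthName later invalidates every entry in the digest file until the users are re-added with the new realm. For the commercial server the introduction mentions, Digest (or Basic) on top of HTTPS is the combination to aim for.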