An Introduction to Security Measures in Apache 2.2
By: Dan Wellman
    2007-01-30

    Table of Contents:
  • An Introduction to Security Measures in Apache 2.2
  • Configure it right
  • Password
  • More on Passwords


    An Introduction to Security Measures in Apache 2.2 - Password
    (Page 3 of 4 )

    Now, you may be wondering whether you need to create a text file containing a username and a password yourself, but you don't need to worry because Apache can do this for you. Open a command prompt (Start menu → Run, then type cmd and press Enter) and change to the bin directory of wherever you have installed Apache. For a default installation just type:

    cd C:\Program Files\Apache Software Foundation\Apache2.2\bin

    Once you've pressed Enter, the prompt should change to reflect this. To create the password file, type:

    htpasswd -c C:\hidden\passwords.txt AuthUser

    The CLI will respond by asking you to type a password and then verify it. In place of AuthUser (which is case sensitive), you could use any other valid username. Note that the path to the file must already exist; Apache will create the passwords.txt file for you (denoted by the -c flag) but not the directories it resides within. Apache will also store the password (but not the username) in hashed form, using MD5 by default. Other methods can be used, such as CRYPT or SHA, but MD5 is perfect for our needs. You can add other usernames and passwords to the existing passwords.txt file by removing the -c flag.

    Using plain text files for the password information in this example is fine, but if you have many users and passwords, using the file-based authentication provider would cause delays and slowdowns on your server.  In this case you may wish to use a database instead to store the usernames and passwords.  As the file method is the default method, you would need to specify a different authentication provider.  This could be done by including the AuthBasicProvider dbm declaration in the above <Directory> section.  This would force the use of the mod_authn_dbm module instead of the mod_authn_file module.

    Save the configuration file and restart Apache. When you try to access your protected directory, you should see something like the following:

    This is what happens on the Windows platform. Others may differ wildly, but one thing that should be common across all platforms is the explicit warning of insecure data transfer. This is because the credentials supplied by the visitor are sent to Apache in plain text and can therefore be easily discovered if intercepted en route. To improve matters, we can use the digest method of authentication instead, which does not transmit the password in plain text and is therefore far more secure, even over a non-secure connection. This is very easy to implement and requires just a couple of additions and tweaks to the basic method. Create a new directory in the directory from which Apache serves documents and then add the following new section to the httpd.conf file:

    <Directory "C:/www/secure">
      AuthUserFile "C:/hidden/.digestpasswords"
      AuthType digest
      AuthName "More Secure Protected Area"
      AuthDigestDomain /secure/
      Require valid-user
    </Directory>

    All we have done is change AuthType to digest and add the AuthDigestDomain directive. This can be either a relative URI, as in this example, or a full domain name. Don't forget to uncomment the LoadModule auth_digest_module line in the modules section near the top of httpd.conf to enable it.
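
    To make the difference between the two methods concrete, the following added example (not part of the original article) builds the Authorization value a browser sends for Basic and the response value it sends for Digest, following RFC 2617 with qop=auth. The password, nonce and cnonce are constructed sample values; the realm is the AuthName from the section above.

```python
import base64
import hashlib

# Constructed sample values; REALM is the AuthName from the <Directory> block.
USER = "AuthUser"
PASSWORD = "example-password"  # constructed, not from the article
REALM = "More Secure Protected Area"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Authorization value a browser sends for AuthType Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_from_basic(header):
    """Base64 is an encoding, not a secret: a captured header decodes directly."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' value for AuthType Digest with qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")  # tied to the realm (AuthName)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


if __name__ == "__main__":
    header = basic_header(USER, PASSWORD)
    print("Basic header:  ", header)
    print("Recovered:     ", recover_from_basic(header))

    # The server picks the nonce, the client picks the cnonce (both constructed here).
    first = digest_response(USER, REALM, PASSWORD, "GET", "/secure/",
                            "5f2c1e0a9b7d4c3e", "00000001", "0a4f113b")
    second = digest_response(USER, REALM, PASSWORD, "GET", "/secure/",
                             "a81b33d07c62e914", "00000001", "0a4f113b")
    # Only a hash crosses the wire, and it changes with every server nonce,
    # so a captured response does not answer a fresh challenge.
    print("Digest response:", first)
    print("New nonce:      ", second)
```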

    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 2 hosted by Hostway