
Password - Apache

This article is aimed at giving you a practical and interesting introduction to the two methods of authentication available to you as an administrator of Apache. It is only a first step, and not intended as the only step if you are configuring a commercial web server.

TABLE OF CONTENTS:
  1. An Introduction to Security Measures in Apache 2.2
  2. Configure it right
  3. Password
  4. More on Passwords
By: Dan Wellman
January 30, 2007


You may now be wondering how to create a text file containing a username and a password, but you don't need to worry, because Apache can do this for you. Open a command prompt (Start menu, Run, then type cmd and press Enter) and change to the bin directory of wherever you have installed Apache. For a default installation just type:

cd C:\Program Files\Apache Software Foundation\Apache2.2\bin

Once you've pressed Enter, the prompt should change to reflect this. To create the password file, type:

htpasswd -c C:\hidden\passwords.txt AuthUser

The tool will respond by asking you to type a password and then to verify it. In place of AuthUser (which is case sensitive) you could use any other valid username. Note that the path to the file must already exist: htpasswd will create the passwords.txt file for you (that is what the -c flag requests) but not the directories it resides in. It will also hash the password (but not the username) using MD5 by default. Other methods can be used, such as CRYPT or SHA, but MD5 is fine for our needs. You can add further usernames and passwords to the existing passwords.txt file by omitting the -c flag, which would otherwise overwrite the file.

Using a plain text file for the password information is fine for this example, but if you have many users and passwords, the file-based authentication provider will slow down your server. In that case you may wish to store the usernames and passwords in a database instead. As the file method is the default, you would need to specify a different authentication provider. This is done by adding an AuthBasicProvider dbm declaration to the <Directory> section above, which makes Apache use the mod_authn_dbm module instead of mod_authn_file.

Save the configuration file, restart Apache, and try to access your protected directory. You should see something like the following:

This is what happens on the Windows platform. Other platforms may differ wildly, but one thing that should be common to all of them is the explicit warning about insecure data transfer. This is because the credentials supplied by the visitor are sent to Apache in plain text and can therefore be read easily if they are intercepted en route. To improve matters, we can use the digest method of authentication instead, which does not transmit the password in plain text and is therefore far more secure, even over a non-secure connection. This is very easy to implement and requires just a couple of additions and tweaks to the basic method. Create a new directory in the directory from which Apache serves documents and then add the following new section to the httpd.conf file:

<Directory "C:/www/secure">
  AuthUserFile "C:/hidden/.digestpasswords"
  AuthType digest
  AuthName "More Secure Protected Area"
  AuthDigestDomain /secure/
  Require valid-user
</Directory>

All we have done is change AuthType to digest and add the AuthDigestDomain directive. This can be either a relative URI, as in this example, or a full domain name. Don't forget to uncomment the LoadModule auth_digest_module line in the modules section near the top of httpd.conf to enable the module.
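To make the difference between the two schemes concrete, here is an added Python illustration (not part of the article and not Apache's own code). It shows what a Basic header actually carries, what the digest password file stores per user (the MD5 of user:realm:password, which is why AuthName must equal the realm the file was created with), and how the server verifies a digest response without ever receiving the password. The realm and username come from the article's configuration; the password, nonce and client nonce are constructed sample values.

```python
import base64
import hashlib
import hmac

# Realm and user taken from the article's digest <Directory> section.
REALM = "More Secure Protected Area"   # must equal AuthName in httpd.conf
USER = "AuthUser"
PASSWORD = "s3cret-example"            # constructed sample value, not from the article


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """What the Basic scheme sends: base64 is an encoding, not encryption,
    so the credentials are readable by anyone who sees the header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Reverse the encoding to show that nothing protected the credentials."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def htdigest_ha1(user, realm, password):
    """HA1 is what the digest password file stores per user:
    MD5(user:realm:password). The realm is baked in, so a file created for
    one realm cannot authenticate users under a different AuthName."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """RFC 2617 'auth' response as computed by the browser. Only this hash
    travels over the wire; the password itself never leaves the client."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_check(stored_ha1, method, uri, nonce, nc, cnonce, client_response):
    """Server side: recompute the response from the stored HA1 and compare
    in constant time. The server needs HA1, not the plain password."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)
```

Because the stored HA1 is tied to the realm, changing AuthName later without regenerating the digest file locks every user out.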
