An Introduction to Security Measures in Apache 2.2

This article is aimed at giving you a practical and interesting introduction to the two methods of authentication available to you as an administrator of Apache. It is only a first step, and not intended as the only step if you are configuring a commercial web server.

Getting familiar with the Apache authentication modules is a logical next step once you have mastered the basics of installing the HTTP server and configuring it for personal use. Although the modules and directives used here are the same ones used on live web servers, this is not a tutorial for configuring a server exposed to and accessed by the entire online community; it introduces the authentication modules and their directives for use on a home or test web server. If you are configuring a commercial web server, treat it as a first step only.

You can also use the techniques outlined here in a scenario that is growing ever more popular: making a folder on your home computer available to you across the Internet wherever you happen to be. This is not the same as hosting a public site, because in theory only you (and anyone you share your credentials with) will be able to access it. You will need more than what is discussed here to complete that setup, including either a static IP address or a router that supports dynamic DNS, an account with a DNS provider and a firewall (a separate one if your router cannot do this as well), but plenty of tutorials already cover those subjects, so I am only going to look at the configuration options available to you through Apache.

There are basically two types of visitor authentication available to you in Apache 2.2: Basic and Digest. Each is backed by a set of provider modules that look the credentials up in different places: alias, anonymous, DBD, DBM, default and file (mod_authn_alias, mod_authn_anon, mod_authn_dbd, mod_authn_dbm, mod_authn_default and mod_authn_file). SSL is also available, but it is a transport encryption protocol rather than a user authentication method. Each authentication method (which is not the same thing as authorization, I hasten to add) has a module that implements it and a set of directives that tell it how to behave. A quick inspection of httpd.conf reveals that not all of these modules are loaded by default, although auth_basic_module is, so let's have a quick look at that one first.

Configure it right

The following directives can be placed either in the main Apache configuration file, httpd.conf, or in individual .htaccess files (also called distributed configuration files). It is recommended that they go in the main configuration file rather than in .htaccess files, for reasons of both performance and security. If .htaccess files are enabled (AllowOverride set to anything other than None), Apache checks every directory on the path to a requested document for one, on every request.

The security aspect matters less in the scenario of this tutorial, because you probably are not an ISP with lots of users wanting to configure their own directories. Even so, a misconfiguration of the <FilesMatch "^\.ht"> section that ships in the default httpd.conf (it denies access to any file whose name begins with .ht) would allow remote users to read .htaccess and .htpasswd files in a browser. Apache's own documentation states that .htaccess files should only be used when you do not have access to the main server configuration file, so heed that advice and save yourself problems if you are ever in a position of making these kinds of configuration decisions on a live, publicly accessed web server.

The following directives can happily reside in any <Directory> section of your configuration file. The folder I serve documents from on my own machine is C:\www, but you could just as easily share and protect your music folder; the section would then open with something like:

<Directory "C:/Documents and Settings/username/My Documents/My Music">

Apache accepts forward slashes in Windows paths, and a path containing spaces must be quoted.

The following directives will cause Apache to require a valid username and password to be entered when requesting any document from the www directory:

<Directory "C:/www">
  AuthUserFile "C:/hidden/passwords.txt"
  AuthType Basic
  AuthName "Restricted Area"
  Require valid-user
</Directory>

First, we specify the path to the file that holds the usernames and password hashes; it lives outside the document root so that it can never be served to a visitor. Next we declare which type of authentication we are using. The AuthName directive sets the text that appears in the browser's credentials prompt and also names the realm: a browser that has already authenticated will resend the same credentials, without prompting again, for other protected directories on the same server whose <Directory> sections use the identical AuthName "Restricted Area". The value must be quoted if it contains spaces.

Finally, the Require directive states that any user listed in the password file may access the directory once authenticated. Alternatively, you could name the individual users allowed access, for example Require user alice bob, or use Require group together with an AuthGroupFile. There are other directives that can be used, such as Satisfy, but in this situation nothing else is required.

Password

Now, you may be wondering whether you have to create the text file containing the username and password by hand, but Apache can do this for you. Open a command prompt (Start menu → Run, type cmd and press Enter) and change to the bin directory of wherever you have installed Apache. For a default installation just type:

cd "C:\Program Files\Apache Software Foundation\Apache2.2\bin"

Once you’ve pressed enter, the prompt should change to reflect this.  To create the password file type:

htpasswd -c C:\hidden\passwords.txt AuthUser

htpasswd will prompt you to type the password and then to confirm it. In place of AuthUser (usernames are case sensitive) you can use any other valid username. Note that the directory must already exist; htpasswd will create passwords.txt for you (that is what the -c flag does) but not the directory it resides in. Be careful with -c: if the file already exists it is truncated and every existing entry is lost, so drop the flag when adding further users to an existing file. The password (but not the username) is not stored as typed; on Windows htpasswd hashes it by default with Apache's salted, iterated MD5 scheme (the $apr1$ format), which the documentation loosely calls MD5 "encryption". Other formats are available, such as crypt() (the default on Unix builds of 2.2, and limited to eight significant characters) or unsalted SHA-1, but MD5 is the strongest of the three and perfect for our needs. Avoid the -b option, which takes the password on the command line where other users of the machine can see it in process listings or command history.
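To make concrete what "MD5 encryption" actually puts in passwords.txt, here is an added example (not code from the original article or from Apache) that re-implements the $apr1$ salted, iterated MD5 scheme htpasswd -m uses, plus the unsalted {SHA} format, and then checks a login against a constructed password file the way mod_authn_file would. The username AuthUser comes from the article; the passwords, salts and the sample file are made up for the demonstration.

```python
"""Generate and verify entries in an Apache htpasswd file.

Added example, not code from the original article or from Apache: a Python
port of the "$apr1$" salted, iterated MD5 scheme that htpasswd -m writes,
plus the unsalted "{SHA}" scheme, so you can see what really lands in
passwords.txt and check a login against it offline.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# The 6-bit alphabet md5-crypt uses for its output (not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Port of APR's apr_md5_encode(): MD5-crypt with a $apr1$ prefix.

    The salt (at most 8 characters) makes identical passwords hash
    differently; the 1000-round loop slows down brute force.
    """
    pw = password.encode()
    salt = salt[:8]
    sp = salt.encode()

    ctx = hashlib.md5(pw + APR1_MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # one chunk of the alternate digest per 16 bytes of password
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # one byte per bit of the length: NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def sha1_htpasswd(password: str) -> str:
    """htpasswd -s: unsalted SHA-1, base64-encoded. Weaker than $apr1$."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def make_entry(user: str, password: str, salt: Optional[str] = None) -> str:
    """One line of passwords.txt as htpasswd -m would write it."""
    if ":" in user:
        raise ValueError("username must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def verify(stored: str, password: str) -> bool:
    """Check a password against a stored hash; constant-time comparison."""
    if stored.startswith("$apr1$"):
        parts = stored.split("$")
        if len(parts) != 4:
            return False
        candidate = apr1_md5(password, parts[2])
    elif stored.startswith("{SHA}"):
        candidate = sha1_htpasswd(password)
    else:
        return False  # crypt() and plain-text entries deliberately rejected
    return hmac.compare_digest(candidate, stored)


def check_login(passwd_file_text: str, user: str, password: str) -> bool:
    """Emulate mod_authn_file: find the user's line, then verify the hash."""
    for line in passwd_file_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name == user:
            return verify(stored, password)
    return False


# Constructed sample password file for the demonstration (not a real one).
SAMPLE_PASSWD = "\n".join([
    make_entry("AuthUser", "correct horse", salt="xxxxxxxx"),
    "legacy:" + sha1_htpasswd("battery staple"),
])

if __name__ == "__main__":
    print(SAMPLE_PASSWD)
    print("login ok:", check_login(SAMPLE_PASSWD, "AuthUser", "correct horse"))
```

Run it to see that two users with the same password get different $apr1$ strings because of the salt, whereas the {SHA} form is identical for identical passwords, which is why the article's preference for MD5 over SHA is the right one for this file format.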

Using a flat file for the password information is fine in this example, but with many users the file-based provider has to scan the file line by line on every request, which would slow your server down. In that case you may wish to store the usernames and password hashes in a database instead. Because file is the default provider, you would need to name a different one explicitly, for instance by adding AuthBasicProvider dbm to the <Directory> section above, replacing AuthUserFile with AuthDBMUserFile and creating the database with htdbm instead of htpasswd. This makes Apache use mod_authn_dbm (which must be loaded with its LoadModule line) instead of mod_authn_file.

Save the configuration file, restart Apache and then request a document from the protected directory. The browser will pop up a username and password prompt.

The exact dialog differs between browsers and platforms, but one thing most of them have in common is a warning that the credentials will be sent insecurely. This is because Basic authentication transmits the username and password base64-encoded, which is trivially reversible, so anyone who can intercept the request on route can read them. To improve matters we can use Digest authentication instead, which sends an MD5 hash computed over the credentials and a server-supplied nonce rather than the password itself. This stops a passive eavesdropper from reading the password off the wire, though it does not protect the rest of the traffic, does not stop an active man-in-the-middle, and a captured response can still be attacked offline with a dictionary. It is very easy to implement and needs just a couple of additions and tweaks to the Basic setup. Create a new directory inside the directory Apache serves documents from, then add the following section to httpd.conf:

<Directory "C:/www/secure">
  AuthUserFile "C:/hidden/.digestpasswords"
  AuthType Digest
  AuthName "More Secure Protected Area"
  AuthDigestDomain /secure/
  Require valid-user
</Directory>

All we have done is change AuthType to Digest and add the AuthDigestDomain directive, which lists the URIs that belong to the same protection space so the browser knows where it may reuse the credentials. Each entry can be a path relative to the server root, as in this example, or an absolute URL. Don't forget to uncomment the LoadModule auth_digest_module modules/mod_auth_digest.so line in the modules section near the top of httpd.conf to enable the module.

More on Passwords

Instead of using htpasswd to create the password file, we need to use htdigest, because the stored value has to include the realm. A username and password can be created with the following command (again in a command prompt set to the Apache bin directory):

htdigest -c C:\hidden\.digestpasswords "More Secure Protected Area" AuthUser

This time the username, the realm (the AuthName, which must match exactly) and the password are stored, the password as the MD5 hash of username:realm:password. This is a hash rather than an encrypted password that could be recovered, but bear in mind that it is exactly the value the server uses to verify a login, so anyone who can read .digestpasswords can authenticate as that user without ever knowing the password; protect the file accordingly. When you now request a document from the secure directory, the browser's prompt no longer carries the insecure-connection warning.
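The following added example (not code from the original article or from Apache) ties together the two points made above: it decodes a Basic Authorization header to show the password falls straight out, then reproduces the RFC 2617 Digest computation that mod_auth_digest performs using the HA1 hash from a .digestpasswords line, and finally shows that a copy of that HA1 alone is enough to produce a response the server accepts. The realm and username are the article's; every header, nonce and password is constructed, and the real module's check of the nonce's timestamp and signature is left out.

```python
"""Basic vs. Digest credentials on the wire, and what the htdigest file enables.

Added example, not code from the original article or from Apache. It decodes a
Basic Authorization header, then reproduces the RFC 2617 Digest computation
that mod_auth_digest performs using the HA1 hash stored by htdigest. Every
header, nonce and password below is constructed for the demonstration; the
real module also validates the nonce's timestamp and signature (omitted here).
"""
import base64
import hashlib
import hmac
import re
from typing import Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def decode_basic(value: str):
    """'Basic <base64>' -> (user, password). Encoding is not encryption."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def htdigest_line(user: str, realm: str, password: str) -> str:
    """What htdigest writes: user:realm:HA1 with HA1 = MD5(user:realm:password)."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"


def parse_digest(value: str) -> dict:
    """Parse 'Digest k="v", k=v, ...' into a dict (quotes stripped)."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)
    return {k: v.strip('"') for k, v in pairs}


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: Optional[str], cnonce: Optional[str], qop: Optional[str]) -> str:
    """RFC 2617 response. Only HA1 is needed, never the password itself."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 style, no qop


def build_authorization(user, realm, ha1, method, uri, nonce, nc, cnonce) -> str:
    """Assemble the Authorization header value a client sends, from HA1."""
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce, "auth")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def client_authorization(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """A browser derives HA1 from the typed password, then builds the header."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return build_authorization(user, realm, ha1, method, uri, nonce, nc, cnonce)


def server_check(digest_file: str, method: str, uri: str, authorization: str) -> bool:
    """Emulate mod_auth_digest: find HA1 for user+realm, recompute, compare.

    uri is the request line's URI; it must equal the one in the header or a
    response captured for one resource would unlock another.
    """
    p = parse_digest(authorization)
    if p.get("uri") != uri:
        return False
    for line in digest_file.splitlines():
        if not line:
            continue
        user, realm, ha1 = line.split(":", 2)
        if user == p.get("username") and realm == p.get("realm"):
            expected = digest_response(ha1, method, uri, p.get("nonce", ""),
                                       p.get("nc"), p.get("cnonce"), p.get("qop"))
            return hmac.compare_digest(expected, p.get("response", ""))
    return False


# Constructed sample data (not captured traffic, not a real password file).
REALM = "More Secure Protected Area"
BASIC_HEADER = "Basic " + base64.b64encode(b"AuthUser:correct horse").decode()
DIGEST_FILE = htdigest_line("AuthUser", REALM, "correct horse")
NONCE = "constructed-nonce-0001"
AUTH_HEADER = client_authorization("AuthUser", REALM, "correct horse",
                                   "GET", "/secure/", NONCE, "00000001", "c0ffee")
# "Pass the hash": the HA1 copied straight out of .digestpasswords is enough.
FORGED_HEADER = build_authorization("AuthUser", REALM, DIGEST_FILE.split(":")[2],
                                    "GET", "/secure/", NONCE, "00000002", "deadbeef")

if __name__ == "__main__":
    print("Basic reveals :", decode_basic(BASIC_HEADER))
    print("Digest valid  :", server_check(DIGEST_FILE, "GET", "/secure/", AUTH_HEADER))
    print("Forged valid  :", server_check(DIGEST_FILE, "GET", "/secure/", FORGED_HEADER))
```

The forged header succeeding is the practical reason the .digestpasswords file needs the same care as the Basic password file even though it never holds the password: the HA1 it stores is password-equivalent for that realm.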

There is one more thing that Apache advises us to add when using Digest authentication. Because mod_auth_digest is still classed as experimental in 2.2, it has to cope with browsers that implement the scheme imperfectly. There is a known issue with Internet Explorer whereby, for GET requests with a query string, the URI it places in the Authorization header omits the query string, which is not RFC 2617 compliant and makes the server's check of the digest fail. To let Apache work around this, the documentation recommends setting the following environment variable conditionally:

BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

Just place this in the <Directory> section containing the digest directives (it is also valid at server or virtual host level).

SSL/TLS, via mod_ssl, would be the next logical step in securing connections to Apache, since it protects the whole exchange, content as well as credentials, and is what makes Basic authentication acceptable on a public server; unfortunately it is outside the scope of this article. The Apache documentation provides a wealth of further reading and information, but I hope this article has given you a practical and interesting introduction to the two methods of authentication available to you as an administrator of Apache.
