Subject: Protect Apache web resources with directive defined in configuration file
Author: AwsEC2
In response to: Protect Apache web resources with .htaccess & .htpasswd
Posted on: 09/11/2012 08:01:21 PM
Alternatively, if you are administrator, you can place any access rules inside the directory directive in the configuration file /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/*.conf.
Sample directive defined in /etc/httpd/conf/httpd.conf:
<Directory /usr/local/awstats/wwwroot/cgi-bin>
AuthType Basic
AuthName "AWStats - Web, FTP, and Mail Statistics"
AuthUserFile /usr/local/awstats/wwwroot/.awstats.pwd
Require valid-user
</Directory>
Sample directive defined in file under
/etc/httpd/conf.d:
$ cat /etc/httpd/conf.d/awstats.conf
<Directory /usr/local/awstats/wwwroot/cgi-bin>
AuthType Basic
AuthName "AWStats - Web, FTP, and Mail Statistics"
AuthUserFile /usr/local/awstats/wwwroot/.awstats.pwd
Require valid-user
</Directory>
>
> On 09/11/2012 07:33:06 PM
AwsEC2 wrote:
.htaccess
The .htaccess file is ACLs in simple text file placed in the directory you want the contents of the file to affect. The rules in the .htaccess file will be enforced on whatever directory it is in and all sub-directories as well, as in SubEntry ACLs
Sample .htaccess file for most cases:
$ cat /home/ec2-user/example2.com/.htaccess
AuthType basic
AuthName "Ooops! Protected Resource ..."
AuthUserFile /home/ec2-user/example2.com/.htpasswd
Require valid-user
Sample .htaccess file for a more complicated case:
$ cat /home/ec2-user/example2.com/.htaccess
## ACCESS INSTRUCTION LIST ###
AuthType basic
AuthName "Ooops! Temporarily Under Construction ..."
AuthUserFile /home/ec2-user/example2.com/.htpasswd
AuthUserFile /home/ec2-user/example2.com/.htpasswd # multiple location
AuthGroupFile /dev/null # optional
Require John # password prompt for John
Require valid-user # password prompt for everyone else from AuthUserFile
Order Deny,Allow
Deny from all
Allow from 192.168.64.5 # Your, the developers IP address
Allow from w3.org # css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com # Allows google to crawl your pages
Satisfy Any # no password required if host/ip is Allowed
.htpasswd
The .htpasswd file is the second part of the affair. The .htpasswd file is also a simple text file which contains username/password pairs. The password will be stored in encrypted form and the username will be in plaintext.
Format:
<username>:<encrypted_password>
Sample .htpasswd file:
john:a5MfE987hgwbg
Lauren:98qiJH6hjkp4K
Troubleshooting:
The username in .htpasswd is case-sensitive. John and john are two different users.
Make sure the permissions on the .htaccess and .htpasswd files are set so that Apache can read them.
chmod 0644 .htaccess
chmod 0644 .htpasswd
.htaccess files can be completely ignored by Apache if the administrators opt it with an AllowOverride None directive. In other words, .htaccess files work only if your web administrators allow the following settings:
or
References:
