Author |
Topic: How to protect Apache web resources |
|
AwsEC2 member offline |
|
posts: |
39 |
joined: |
08/28/2012 |
from: |
CA |
|
|
|
|
|
How to protect Apache web resources |
Protecting resource on the web is something that most admin will have to do at one point or another. Whether the content is personal or under construction, there comes a time when that content must only be accessed by authorized users. The Apache web server allows two ways to achieve this purpose: One way is placing the access rules in an external file (.htaccess) which resides directly inside the protected directory. The other way is placing the access rules inside directory dicretives of configuration file httpd.conf or conf.d/*.conf
|
|
|
|
|
|
|
AwsEC2 member offline |
|
posts: |
39 |
joined: |
08/28/2012 |
from: |
CA |
|
|
|
|
|
Protect Apache web resources with .htaccess & .htpasswd |
.htaccess
The .htaccess file is ACLs in simple text file placed in the directory you want the contents of the file to affect. The rules in the .htaccess file will be enforced on whatever directory it is in and all sub-directories as well, as in SubEntry ACLs
Sample .htaccess file for most cases:
$ cat /home/ec2-user/example2.com/.htaccess
AuthType basic
AuthName "Ooops! Protected Resource ..."
AuthUserFile /home/ec2-user/example2.com/.htpasswd
Require valid-user
Sample .htaccess file for a more complicated case:
$ cat /home/ec2-user/example2.com/.htaccess
## ACCESS INSTRUCTION LIST ###
AuthType basic
AuthName "Ooops! Temporarily Under Construction ..."
AuthUserFile /home/ec2-user/example2.com/.htpasswd
AuthUserFile /home/ec2-user/example2.com/.htpasswd # multiple location
AuthGroupFile /dev/null # optional
Require John # password prompt for John
Require valid-user # password prompt for everyone else from AuthUserFile
Order Deny,Allow
Deny from all
Allow from 192.168.64.5 # Your, the developers IP address
Allow from w3.org # css/xhtml check jigsaw.w3.org/css-validator/
Allow from googlebot.com # Allows google to crawl your pages
Satisfy Any # no password required if host/ip is Allowed
.htpasswd
The .htpasswd file is the second part of the affair. The .htpasswd file is also a simple text file which contains username/password pairs. The password will be stored in encrypted form and the username will be in plaintext.
Format:
<username>:<encrypted_password>
Sample .htpasswd file:
john:a5MfE987hgwbg
Lauren:98qiJH6hjkp4K
Troubleshooting: The username in .htpasswd is case-sensitive. John and john are two different users. Make sure the permissions on the .htaccess and .htpasswd files are set so that Apache can read them.
chmod 0644 .htaccess
chmod 0644 .htpasswd
.htaccess files can be completely ignored by Apache if the administrators opt it with an AllowOverride None directive. In other words, .htaccess files work only if your web administrators allow the following settings:
or
|
|
|
|
|
|
|
AwsEC2 member offline |
|
posts: |
39 |
joined: |
08/28/2012 |
from: |
CA |
|
|
|
|
|
Protect Apache web resources with directive defined in configuration file |
Alternatively, if you are administrator, you can place any access rules inside the directory directive in the configuration file /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/*.conf.
Sample directive defined in /etc/httpd/conf/httpd.conf:
<Directory /usr/local/awstats/wwwroot/cgi-bin>
AuthType Basic
AuthName "AWStats - Web, FTP, and Mail Statistics"
AuthUserFile /usr/local/awstats/wwwroot/.awstats.pwd
Require valid-user
</Directory>
Sample directive defined in file under /etc/httpd/conf.d:
$ cat /etc/httpd/conf.d/awstats.conf
<Directory /usr/local/awstats/wwwroot/cgi-bin>
AuthType Basic
AuthName "AWStats - Web, FTP, and Mail Statistics"
AuthUserFile /usr/local/awstats/wwwroot/.awstats.pwd
Require valid-user
</Directory>
|
|
|
|
|
|
|
AwsEC2 member offline |
|
posts: |
39 |
joined: |
08/28/2012 |
from: |
CA |
|
|
|
|
|
htpasswd Command |
You can manage user and password pairs by utility command 'htpasswd':
Syntax:
htpasswd [-c] <.htpasswd> <user_name>
Here the option '-c' stands for '-create' to create a new file.
Example:
# htpasswd -c /usr/local/awstats/wwwroot/.awstats.pwd John
New password: ***
Re-type new password: ***
Adding password for user John
|
|
|
|
|
|
|