Howto set up user authentication
Ever wanted to have your website have user/password restrictions
on whatever you want? Now you can learn how to do so with
an Apache Server. First off, having Apache installed and
running is required. Ok, now there's really only 2 steps
to this:
- create a file with user names and passwords
- tell the server what you want protected and which users
are allowed
First Step:
For the first step you will use the program htpasswd.
It creates a user file and can add or modify users. For
security reasons you should not create the file under the
document root, where the web server could serve it to visitors.
I made it under /usr/local/etc/httpd/ and
will use this to show examples. To create a new user file
and add the username "josh" with the password "hampster"
to the file /usr/local/etc/httpd/users:
htpasswd -c /usr/local/etc/httpd/users josh
"-c" tells htpasswd to create a new users file. After you
run this command, you will be prompted for a password for
josh, and asked to confirm it by entering it again. You can add other
users the same way but without the "-c" option. You can
also use the same command to modify the password of an existing
user. When looking at the /usr/local/etc/httpd/users file,
it might look like this:
josh:WruU808BHQai36
john:Hg52aBNOP9o0j7
The first field being your username, second being your encrypted
password.
Second Step:
To get the server to use the usernames and passwords from
the file you just made, you need to create a file called
".htaccess" in the directory you want secured. In this file
you need to write:
AuthName "restricted stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require user josh john
Ok, now to explain that... The first directive, AuthName,
specifies the realm name for this protection. A realm is
the section of your site that you want to be restricted.
Once a user has entered a valid username and password, any
other resource within the same realm name can be accessed
with the same username and password. This can be used to
create 2 areas which share the same username and password.
The AuthType directive tells the server what protocol
is to be used for authentication. Right now Basic
is the only method available.
AuthUserFile tells the server the location of the
user file created by htpasswd.
The last directive I used, require user josh john,
tells the server that only the users josh and john can access
the restricted resource.
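To make the two steps concrete, here is an added example (not part of the original howto, and not Apache's own code) that does in Python what htpasswd and the .htaccess directives set up: it builds a user file, parses an incoming "Authorization: Basic ..." header, checks the password against the stored hash, and then applies the "require user" list. One assumption: the constructed user file uses the {SHA} entry format (base64 of SHA-1, which htpasswd writes with -s) instead of the crypt-style hashes shown above, because that format is easy to verify with the standard library. The example also makes the main caveat of Basic auth visible: the header only base64-encodes "user:password", so anyone who can read the connection can read the credentials unless the site is served over TLS.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple


def make_sha_entry(user: str, password: str) -> str:
    """Build one AuthUserFile line in the {SHA} format (what `htpasswd -s` writes)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample user file, built at runtime so it stays self-consistent.
# Users and passwords are made up for this example.
SAMPLE_USERS_FILE = "\n".join([
    make_sha_entry("josh", "hampster"),
    make_sha_entry("john", "letmein"),
    make_sha_entry("guest", "guest"),
]) + "\n"


def parse_user_file(text: str) -> Dict[str, str]:
    """AuthUserFile: one 'user:hash' per line; the first colon separates the fields."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def check_password(stored: str, password: str) -> bool:
    """Verify a password against a {SHA} entry; other hash formats are rejected here."""
    if not stored.startswith("{SHA}"):
        return False
    expected = stored[len("{SHA}"):]
    actual = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    # Constant-time comparison so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(expected, actual)


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'. Note: this is encoding, not encryption."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def challenge(realm: str) -> str:
    """The WWW-Authenticate header the server sends for a protected resource (AuthName)."""
    return f'Basic realm="{realm}"'


def authorize(header: Optional[str], user_file_text: str, require_users: Iterable[str]) -> Optional[str]:
    """Return the authenticated user if the request may proceed, else None.

    Mirrors AuthUserFile (the user file) plus 'require user ...' (the allow list):
    a correct password for a user who is not listed is still refused.
    """
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, password = creds
    stored = parse_user_file(user_file_text).get(user)
    if stored is None or not check_password(stored, password):
        return None
    if user not in set(require_users):
        return None
    return user


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the login prompt: base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(challenge("restricted stuff"))
    print(authorize(basic_header("josh", "hampster"), SAMPLE_USERS_FILE, ["josh", "john"]))
    print(authorize(basic_header("guest", "guest"), SAMPLE_USERS_FILE, ["josh", "john"]))
```

Running it prints the realm challenge, then "josh" for a valid listed user and None for guest, whose password is right but who is not named in the require list. Because parse_basic_header recovers the plaintext from nothing more than base64, the same decoding is available to anyone observing an un-encrypted connection, which is why this scheme should only be used over HTTPS.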
Try it out by going to this page:
Try Me
login: guest
password: guest
That's pretty much it. You might want to play with the access.conf
file in /etc/httpd/conf/. Here's what mine looks like:
##
## access.conf -- Apache HTTP server configuration file
##
# access.conf: Global access configuration
# Online docs at http://www.apache.org/
# This file defines server settings which affect which types of services
# are allowed, and in what circumstances.
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# Originally by Rob McCool
# First, we configure the "default" to be a very restrictive set of
# permissions.
<Directory />
Options None
AllowOverride AuthConfig
</Directory>
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
# This should be changed to whatever you set DocumentRoot to.
<Directory /home/httpd/html>
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
Options Indexes Includes FollowSymLinks
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
AllowOverride ALL
# Controls who can get stuff from this server.
order allow,deny
allow from all
</Directory>
# /home/httpd/cgi-bin should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory /home/httpd/cgi-bin>
AllowOverride AuthConfig
Options ExecCGI
</Directory>
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
#<Location /server-status>
#SetHandler server-status
#order deny,allow
#deny from all
#allow from .your_domain.com
#</Location>
# Allow access to local system documentation from localhost
Alias /doc /usr/doc
<Directory /usr/doc>
order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks
</Directory>
# There have been reports of people trying to abuse an old bug from pre-1.1
# days. This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org. Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#<Location /cgi-bin/phf*>
#deny from all
#ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>
# You may place any other directories or locations you wish to have
# access information for after this one.
Josh