Howto setup user authentication

Ever wanted to have your website have user/password restrictions on whatever you want? Now you can learn how to do so with an Apache Server. First off, having Apache installed and running is required. Ok, now theres really only 2 steps to this:

1. create a file with user names and passwords
2. tell the server what you want protected and which users are allowed
   

First Step:

For the first step you will use the program htpasswd. It creates a user file and can add or modify users. For security reasons you should not create the file under the root directory. I made it under /usr/local/etc/httpd/ and will use this to show examples. To create a new user file and add the username "josh" with the password "hampster" to the file /usr/local/etc/httpd/users:

htpasswd -c /usr/local/etc/httpd/users josh

"-c" tells htpasswd to create a new users file. After you run this command, you will be prompted for a password for josh, and confirm it by entering again. You can add other users the same way but without the "-c" option. You can also use the same command to modify the password of an existing user. Whenlooking at the /usr/local/etc/httpd/users file, it might look like this:

josh:WruU808BHQai36
john:Hg52aBNOP9o0j7

Second Step:

To get the server to use the usernames and passwords from the file you just made, you need to create a file called ".htaccess" in the directory you want secured. In this file you need to write:

AuthName "restricted stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users

require user josh john

Ok, now to explain that...The first directive, Authname, specifies the realm name for this protection. A realm is the section of your site that you want to be restricted. Once a user has entered a valid username and password, any other resource within the same realm name can be accessed with the same username and password. This can be used to create 2 areas which share the same username and password.

The AuthType directive tells the server what protocol is to be used for authenticaion. Right now Basic is the only method available.

AuthUserFile tells the server the location of the user file created by htpasswd.

The last directive I used, require user josh john, tells the server that only the users josh and john can access the restricted source.

Try it out to goto this page: Try Me
login: guest
password: guest

That's pretty much it, you might want to play with the access.conf file in /etc/httpd/conf/. Here's what mine looks like:

##
## access.conf -- Apache HTTP server configuration file
##
# access.conf: Global access configuration
# Online docs at http://www.apache.org/
# This file defines server settings which affect which types of services
# are allowed, and in what circumstances.
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# Originally by Rob McCool
# First, we configure the "default" to be a very restrictive set of
# permissions.

<Directory />
Options None
AllowOverride AuthConfig
</Directory>

# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.

# This should be changed to whatever you set DocumentRoot to.

<Directory /home/httpd/html>

# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.

Options Indexes Includes FollowSymLinks

# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"

AllowOverride ALL

# Controls who can get stuff from this server.

order allow,deny
allow from all
<Directory>


# /home/httpd/cgi-bin should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.

<Directory /home/httpd/cgi-bin>
AllowOverride AuthConfig
Options ExecCGI
</Directory>

# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
#<Location /server-status>
#SetHandler server-status
#order deny,allow
#deny from all
#allow from .your_domain.com
#</Location>
# Allow access to local system documentation from localhost

Alias /doc /usr/doc
<Directory /usr/doc>
order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks
</Directory>

# There have been reports of people trying to abuse an old bug from pre-1.1
# days. This bug involved a CGI script distributed as a part of Apache.
# By uncommenting these lines you can redirect these attacks to a logging
# script on phf.apache.org. Or, you can record them yourself, using the script
# support/phf_abuse_log.cgi.
#<Location /cgi-bin/phf*>
#deny from all
#ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>
# You may place any other directories or locations you wish to have
# access information for after this one.

Josh