Apache authentication

Author: Nediam <javier@nediam.com.mx>
Publication date: 2008-12-22


Apache authentication is used when you need to protect web content from public access. It is basic security and is only recommended when the information is not very sensitive, because with either Basic or Digest authentication (the two methods Apache supports) the web content itself is sent over the network without encryption. If you really need all your data to travel encrypted, use SSL; with SSL in place, even Basic is acceptable, since the credentials then travel inside the encrypted channel.

  1. Add the directives in your httpd.conf (inside a <Directory> section) or in a .htaccess file. These are the main directives related to authentication:
    AuthType Basic|Digest
    AuthName realm-name
    AuthUserFile file-path
    AuthGroupFile file-path
    Require entity-name [entity-name] ...
    
    The difference between Basic and Digest is in what the client sends. With Basic, the Authorization header carries user:password in base64, which is an encoding, not encryption: anyone who can see the traffic recovers the password. With Digest, the client sends an MD5 hash computed over the username, realm, password, a server nonce and the request, so the password itself never crosses the wire; the hash is still MD5 and the content still travels in clear, so Digest is only a modest improvement over Basic without SSL. The following five examples show how Apache authentication works. Remember, these directives must be in your httpd.conf (inside a <Directory> section) or in a .htaccess file. A note on versions: AuthDigestFile and AuthDigestGroupFile are the Apache 2.0 directive names; in Apache 2.2 and later, mod_auth_digest reads the same files through AuthUserFile and AuthGroupFile. The Order/Allow lines are mod_access directives (mod_access_compat in 2.4, where "Require all granted" replaces them); with the default Satisfy All they admit every host but do not relax the Require line, so the login is still required.

    Example 1:
    AuthType Basic
    AuthName "My Site"
    AuthUserFile /usr/local/apache2/.htpassword
    Require user bob
    Order Allow,Deny
    Allow from All
    
    Example 2:
    AuthType Digest
    AuthName "My Site"
    AuthDigestFile /usr/local/apache2/.htdigest
    Require user john bob
    Order Allow,Deny
    Allow from All
    
    Example 3:
    AuthType Basic
    AuthName "My Site"
    AuthUserFile /usr/local/apache2/.htpassword
    Require valid-user
    Order Allow,Deny
    Allow from All
    
    Example 4:
    AuthType Basic
    AuthName "My Site"
    AuthUserFile /usr/local/apache2/.htpassword
    AuthGroupFile /usr/local/apache2/.htgroup
    Require group researchers
    Order Allow,Deny
    Allow from All
    
    Example 5:
    AuthType Digest
    AuthName "My Site"
    AuthDigestFile /usr/local/apache2/.htdigest
    AuthDigestGroupFile /usr/local/apache2/.htgroup
    Require group researchers
    Order Allow,Deny
    Allow from All
    
  2. Create your user and group files (the group file is only used in examples 4 and 5):
    SERVER:/usr/local/apache2/~# ./bin/htpasswd -cm .htpassword john
    SERVER:/usr/local/apache2/~# ./bin/htpasswd -m .htpassword michael
    SERVER:/usr/local/apache2/~# ./bin/htpasswd -m .htpassword bob
    SERVER:/usr/local/apache2/~# ./bin/htdigest -c .htdigest "My Site" john
    SERVER:/usr/local/apache2/~# ./bin/htdigest .htdigest "My Site" michael
    SERVER:/usr/local/apache2/~# ./bin/htdigest .htdigest "My Site" bob
    SERVER:/usr/local/apache2/~# echo researchers: john michael bob > .htgroup
    Tips: the -c flag creates a new file (and overwrites an existing one, so use it only for the first user); -m stores the password with the MD5-based apr1 scheme instead of the weak crypt() default of older Apache versions; the realm argument to htdigest ("My Site" above) must match AuthName exactly, because the stored value is MD5(user:realm:password) and Apache recomputes it from its AuthName, so a realm typo makes every Digest login fail; and keep these files outside the DocumentRoot, readable only by the user httpd runs as, since a leaked .htdigest hands an attacker a password-equivalent for that realm.

  3. Restart your httpd if you modified httpd.conf (.htaccess changes take effect on the next request), ideally after checking the syntax with apachectl configtest, and test the configuration by trying to browse the site: a login prompt must appear, a wrong password must be refused, and the user and group files themselves must not be retrievable through the browser:
    SERVER:~# /usr/local/apache2/bin/apachectl restart

    [image: apache_auth]
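    As an added example (not code from the original tip and not from the Apache project), the POSIX shell script below rebuilds by hand what the two AuthTypes put on the wire and what htdigest stores, and includes a check that catches the realm mismatch (AuthName "My Site" versus an htdigest file created with "Mi Site") that silently breaks Digest setups. It needs only printf, base64, md5sum and cut, so it runs without httpd. The users, passwords, realms and nonce are constructed sample values, and digest_response uses the simplified RFC 2617 form without qop (Apache's default qop=auth also folds the nonce count, cnonce and qop into the hashed string).

```shell
#!/bin/sh
# Added example, not code from the original tip or from the Apache project.
# Shows what Basic and Digest actually transmit and what htdigest stores.
# All users, passwords, realms and the nonce are constructed sample values.

# Basic: the Authorization header is base64(user:password). Encoding, not encryption.
basic_header() {
    printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Anyone who captured that header gets the password back with one command.
basic_decode() {
    printf '%s' "$1" | base64 -d
}

# Digest: htdigest stores HA1 = MD5("user:realm:password") as user:realm:HA1.
# Apache recomputes HA1 from its own AuthName, so the realm given to htdigest
# must equal AuthName byte for byte or every login is refused.
digest_ha1() {
    printf '%s:%s:%s' "$1" "$2" "$3" | md5sum | cut -d' ' -f1
}

# One line of a .htdigest file, exactly as htdigest would write it.
htdigest_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$(digest_ha1 "$1" "$2" "$3")"
}

# What the browser sends for Digest (RFC 2617 form without qop, for brevity):
# response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri). The password never
# crosses the wire, but a leaked HA1 is enough to produce a valid response.
digest_response() {
    ha1=$(digest_ha1 "$1" "$2" "$3")
    ha2=$(printf '%s:%s' "$5" "$6" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s' "$ha1" "$4" "$ha2" | md5sum | cut -d' ' -f1
}

# Check a .htdigest file against the AuthName from httpd.conf: returns 0 when
# every line's realm field matches, 1 if any line was made with another realm.
realm_check() {
    ! cut -d: -f2 "$1" | grep -qvxF -- "$2"
}

# Demo: what a sniffer sees for Basic, then a .htdigest built with a realm typo.
basic_header bob secret
basic_decode "$(basic_header bob secret | cut -d' ' -f3)"; echo

tmp=$(mktemp -d)
htdigest_line john "My Site" s3cret >  "$tmp/.htdigest"
htdigest_line bob  "Mi Site" s3cret >> "$tmp/.htdigest"   # realm typo, as in the original tip
if realm_check "$tmp/.htdigest" "My Site"; then
    echo "all realms match AuthName"
else
    echo "realm mismatch: some lines were created with a realm other than AuthName"
fi
rm -rf "$tmp"
```

    To check a real installation, run realm_check against the actual file and AuthName, for example realm_check /usr/local/apache2/.htdigest "My Site"; a non-zero exit means at least one user was added with a different realm and must be re-created with htdigest.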

    The latest version of this document is available at: http://nediam.com.mx/tips/apache_auth.php
