Wednesday, September 19, 2007

How to implement password protection for a sensitive directory in Apache Web Server?

If a website contains sensitive information, or is intended only for a small group of known people, Apache provides standard ways of protecting it. The method described below applies to Apache 2.x; the location of the Apache configuration file may differ between distributions.

Basics of password protection in Website

•Make adjustments in /etc/httpd/conf/httpd.conf (Apache 2.0 on a RHEL distro)
•Make the password file (using the htpasswd utility)
•Prepare the .htaccess file (to tell Apache which password file to check and which users are authorized)

Adjustments in httpd.conf:-

We need a server configuration that permits putting authentication directives in .htaccess files. This is done with the AllowOverride directive, which is only valid inside a <Directory> section. The following directive has been added in httpd.conf inside the <Directory> block for the directory to be protected:-

AllowOverride AuthConfig

AllowOverride must be "None" in all other situations. That is good security practice (a .htaccess file that somebody manages to drop into the tree cannot then change server behaviour) and it also improves Apache performance, since Apache otherwise looks for a .htaccess file in every directory on the path of each request. In the case of virtual hosting (shared hosting on a single IP), AllowOverride should be disabled (set to None) in the main configuration section of Apache and enabled only inside the <Directory> block for the document root of the virtual host that needs it.

Make password file :-

You'll need to create a password file. This file should be placed somewhere not accessible from the web, i.e. outside DocumentRoot; otherwise the password hashes can simply be downloaded and cracked offline. To create the file, use the htpasswd utility that ships with Apache.

% htpasswd -c /usr/local/apache/passwd/passwd shailesh.mishra

-c is used for the first user so that htpasswd creates the file. The command above creates a password file named "passwd" in /usr/local/apache/passwd (the directory itself must already exist; htpasswd does not create it).

htpasswd will prompt for the password and then ask you to type it again to confirm it.

To add more users, run htpasswd without -c; with -c it would recreate the file and discard every user already in it. Passwords are not stored in clear text but as salted hashes (the MD5-based apr1 format by default in Apache 2.x; the htpasswd shipped with Apache 2.4 can also use bcrypt with -B, which is the better choice where available).

Prepare .htaccess file :-

So far we have configured httpd to accept user authentication for a particular directory, and we have made the password file. Now the password file has to be attached to the directory so that it is used for user verification. This is done with a .htaccess file: create a file named .htaccess with the following content and store it in the directory that needs to be protected. The name .htaccess is the default set by the AccessFileName directive in httpd.conf, so it must be used unless that directive has been changed.

AuthType Basic
AuthName "Any Message which will be displayed in Login Box"
AuthUserFile /usr/local/apache/passwd/passwd
Require valid-user

If all the steps are followed properly, a login window appears when a user tries to access the password-protected directory, and the user can log in with user id and password. Note that HTTP Basic authentication sends the user id and password base64-encoded, not encrypted, with every request, so the protection only holds when the site is served over HTTPS.

The AuthConfig parameter of AllowOverride tells Apache that the authentication directives (AuthType, AuthName, AuthUserFile, Require and related ones) may be set from .htaccess.
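The three steps above can be reproduced without the htpasswd binary, which makes it easier to see what actually ends up in the password file. The following Python script is an added example and is not code from the original post: it implements Apache's apr1 (MD5-based) password hash that htpasswd writes by default, adds users without clobbering the existing ones (the mistake that re-using -c causes), renders the same four-line .htaccess shown above, and checks that the password file path is outside the document root. The user names, passwords and paths in it are made up for illustration.

```python
"""htpasswd-compatible password file and .htaccess builder (added example)."""
import hashlib
import hmac
import os
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, n):
    # Encode n six-bit groups of value, least-significant group first.
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=None):
    """Return '$apr1$<salt>$<hash>' as produced by Apache's apr_md5_encode."""
    pw = password.encode()
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    if not 1 <= len(salt) <= 8 or "$" in salt:
        raise ValueError("salt must be 1-8 characters without '$'")
    sb = salt.encode()
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[: min(pl, 16)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    enc = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return "$apr1$" + salt + "$" + enc


def verify(password, stored):
    """Check a password against one '$apr1$salt$hash' entry, constant-time compare."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[6:].split("$", 1)[0]
    return hmac.compare_digest(apr1_hash(password, salt), stored)


def set_user(entries, user, password):
    """Add or update one user in a user -> hash dict, keeping the others.
    This is what 'htpasswd' without -c does; 'htpasswd -c' starts the file over."""
    if ":" in user:
        raise ValueError("':' is the field separator and cannot be in a user name")
    entries[user] = apr1_hash(password)
    return entries


def parse_passwd(text):
    """Parse htpasswd file contents into a user -> hash dict."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            user, h = line.split(":", 1)
            entries[user] = h
    return entries


def render_passwd(entries):
    return "".join(f"{u}:{h}\n" for u, h in entries.items())


def render_htaccess(passwd_path, realm="Restricted area"):
    """The same four directives the post puts in .htaccess."""
    return (f'AuthType Basic\nAuthName "{realm}"\n'
            f"AuthUserFile {passwd_path}\nRequire valid-user\n")


def passwd_file_is_safe(passwd_path, docroot):
    """True only if the password file lies outside the web-served tree."""
    p, d = os.path.abspath(passwd_path), os.path.abspath(docroot)
    return os.path.commonpath([p, d]) != d


if __name__ == "__main__":
    users = set_user({}, "shailesh.mishra", "correct horse")   # made-up credentials
    set_user(users, "second.user", "another pass")             # first user survives
    print(render_passwd(users), end="")
    print(render_htaccess("/usr/local/apache/passwd/passwd"))
    print("outside docroot:", passwd_file_is_safe("/usr/local/apache/passwd/passwd", "/var/www/html"))
```

A line written by this script can be cross-checked against the real tools: `htpasswd -nbm user pass` prints an apr1 entry with a random salt, and `openssl passwd -apr1 -salt SALT pass` reproduces the hash for a chosen salt, so the two implementations can be compared byte for byte.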
