Password Protect Your Webserver Pages
September 9, 2011Password Protect Your Webserver Pages
Managing user access to a Linux Intranet server is painless and quick as long as you know the basics of .htaccess files.Yet, I find some new administrators get frustrated by the lack of complete information on the internet. In some HOWTO guides, details regarding .htaccess are given, without mentioning that Apache must be configured and offering solutions. My hope is that this brief article gives a complete look at managing access with the use of Apache overrides and .htaccess. Since the goal is to make it as easy as pie, I will cut the techno talk and get to the points.
| First, although this article applies to just about any Apache/Linux web server, it is most beneficial in the context of Intranet servers or when a website needs to control or secure certain web pages within directories for a set of specific users. Second, you do not have to be a Linux administrator or expert to do these steps. You only need rudimentary knowledge of Linux, have root or super user access to the server, and be familiar with a text editor like vi, emacs, or something like kwrite. You can find good text editor help here. |
Step 1. Configure Apache to Allow Access Authorization
You need to find the httpd.conf file on your Linux server.
This file is the Apache web server configuration file that includes lots of very useful Apache web server controls.
For now, simply open it using a text editor. For Fedora users this is done by simply going to /etc/httpd and opening httpd.conf. For others using various flavors, try using this command to identify the location of the httpd.conf file and edit it: locate httpd.conf
Once you open this file using a text editor, please scroll down until you see not the first but the second occurance of this text: AllowOverride None
Change the line that says:
AllowOverride None
to instead say:
AllowOverride AuthConfig
Be sure to NOT CHANGE THE first occurance of this in the apache file which is the default. Change the secondoccurance which is actually the overide. This is VERY IMPORTANT! If you run into trouble make a backup of your httpd.conf file (type: cp httpd.conf httpd.conf.back) and then try using this example. Be sure to reboot the server after you copy our example file.
Step 2. Identify the Folder/Directory to Protect
You should now identify which folders (aka Directories) under your web server you would like to protect. For instance if I want to only allow a certain list of users to access my html files under the Private folder it would look something like the following.
On the Linux server the actual directory path would be:
/var/www/html/Private
On the web browser the path would be:
http://office.server.com/Private
Obviously, I'm giving an example to help you see the difference between the folder/directory name on the Linux server and how it looks to web browsers. You MUST change to the appropriate directory/folder when using the steps below. So in my case I type this command first before beginning on my Fedora server:
cd /var/www/html/Private
Step 3. Add Access Files to the Folder
Once you identify the folder you wish to safeguard, then you need to create two files in this folder. The files are: .htaccess and .htpasswd. The .htaccess file displays the access login information needed for users and also includes the list of specific users who can login. The .htpasswd file includes the individual users and their passwords.
Create .htaccess file in your Folder by using a text editor to create .htaccess. Notice that you must include the . (dot) before the file name!
The file should atleast include these lines:
AuthName "Login to the Private Area"
AuthType Basic
AuthUserFile /var/www/html/Private/.htpasswd
Require user andrea
Note that the AuthName requires quotes and whatever is in quotes will display on the login window when a user tries to access your private folder with a web browser. It is vital that you properly set the path for the AuthUserFile and obviously replace the word Private with whatever folder you are trying to password protect.
Also be sure to include the user login names of the people you plan to allow to this folder next to the Require user line. In my case, I simply added myself to this folder as a user (andrea).
Now, create the .htpasswd file in the same Folder but NOT by using a text editor. Instead use this command from the command line on your Linux server.
Type this command at the prompt:
htpasswd -cmb .htpasswd andrea ann2cute
Note that you must use your own name and password (replace andrea and ann2cute) and that the option cmb does the following: First it forces Creating of a new .htpasswd file. Since this is your first time adding a user it is necessary. Next the m option forces encryption and b allows you to include the user name and password immediately. In my case I created a new .htpasswd file, then added the user andrea and her password ann2cute.
Step 4. Add Additional Users
To add users you simply need to edit both files again. First, add a user to the .htaccess file by opening it in a text editor and including the new person (my example is bradley).
The .htaccess file should include these lines:
AuthName Login to the Private Area
AuthType Basic
AuthUserFile /var/www/html/Private/.htpasswd
Require user andrea bradley
Remember to save the file when youre done adding the new user!
Now add the user (my example being bradley) to the .htpasswd file using this command:
htpasswd mb .htpasswd bradley brad4chad
In my example, I used the htpasswd command to add using encryption the user bradley to the .htpasswd file that already exists and include his password as brad4chad. That's it!
Step 5. Test the Password Function
Now test that the Apache server is accepting this new protected folder by going to it in a web browser. In my case I test the url http://office.server.com/Private and up comes a pop-up window that requires User Name and Password. I type in my user name and password and instantly I see the index.html page I put in my folder! People who don't have a login won't get access to your web pages within this folder.
What if it didnt work? Almost always this is a result of the httpd process not being restarted. You can easily restart this process to pick up the changes in your updated httpd.conf file by either rebooting or restarting the process. A reboot works fine, so long as you can tolerate a web server outage for a minute or two. Or, on most flavors you can type this command as root user: ./httpd start
Step 6. What About Removing Users
There may come a time when you need to delete users from the access. You can do this easily enough by again editing the .htaccess file and running a command to delete the user from the .htpasswd file.
First, edit the .htaccess file and remove the user you do not wish to allow access to and save the file.
Second, delete the user from the .htpasswd file by typing this command at the prompt: htpasswd D bradley
The option D is for delete. It should prompt you that user bradley was deleted.
Posted by Mohamed Adam. Posted In : Password Protect your webserver pages