Apache Security - Ivan Ristic [93]
Outside Apache, many third-party authentication modules enable authentication against LDAP, Kerberos, various database servers, and every other system known to man. If you have a special need, the Apache module repository at http://modules.apache.org is the first place to look.
Basic Authentication Using Plaintext Files
The easiest way to add authentication to an Apache configuration is to use mod_auth, which is compiled in by default and provides Basic authentication using plaintext password files as the authentication source.
You need to create a password file using the htpasswd utility (in the Apache /bin folder after installation). You can keep it anywhere you want but ensure it is out of reach of other system users. I tend to keep the password file at the same place where I keep the Apache configuration so it is easier to find:
# htpasswd -c /usr/local/apache/conf/auth.users ivanr
New password: ******
Re-type new password: ******
Adding password for user ivanr
This utility expects a path to a password file as its first parameter and the username as its second. The first invocation requires the -c switch, which instructs the utility to create a new password file if it does not exist. A look into the newly created file reveals a very simple structure:
# cat /usr/local/apache/conf/auth.users
ivanr:EbsMlzzsDXiFg
You need the htpasswd utility to encrypt the passwords since storing passwords in plaintext is a bad idea. For all other operations, you can use your favorite text editor. In fact, you must use the text editor because htpasswd provides no features to rename accounts, and most versions do not support deletion of user accounts. (The Apache 2 version of the htpasswd utility does allow you to delete a user account with the -D switch.)
To password-protect a folder, add the following to your Apache configuration, replacing the folder, realm, and user file specifications with values relevant for your situation:
# Choose authentication protocol
AuthType Basic
# Define the security realm
AuthName "Book Review"
# Location of the user password file
AuthUserFile /usr/local/apache/conf/auth.users
# Valid users can access this folder and no one else
Require valid-user
After you restart Apache, access to the folder will require valid login credentials.
Working with groups
Using one password file per security realm may work fine in simpler cases but does not work well when users are allowed access to some realms but not others. Changing the password of such a user would require changes to every password file the user appears in. A better approach is to have only one password file and to restrict access per realm with the Require directive, which can limit access to named users:
# Only the book reviewers can access this folder
Require user reviewer1 reviewer2 ivanr
But this method can get out of hand as the number of users and realms rises. A better solution is to use group membership as the basis for authentication. Create a group file, such as /usr/local/apache/conf/auth.groups, containing a group definition such as the following:
reviewers: reviewer1 reviewer2 ivanr
Then change the configuration to reference the file and require membership in the group reviewers in order to allow access:
AuthType Basic
AuthName "Book Review"
AuthUserFile /usr/local/apache/conf/auth.users
# Location of the group membership file
AuthGroupFile /usr/local/apache/conf/auth.groups
# Only the book reviewers can access this folder
Require group reviewers
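As an added illustration (not code from the book), the following small Python evaluator shows how the two files and the Require directive fit together: it reads the AuthUserFile and AuthGroupFile formats shown above, authenticates the user against the password file first, and only then applies Require valid-user, Require user, or Require group. The sample entries are constructed in the {SHA} form that `htpasswd -s` writes rather than the crypt(3) form shown on this page, so the script runs with the standard library alone.

```python
import base64
import hashlib
import hmac

# Constructed sample files (not the book's). Entries use the {SHA} form that
# `htpasswd -s` writes: "{SHA}" + base64(sha1(password)); the page's file uses crypt(3).
def sha_entry(password: str) -> str:
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

AUTH_USERS = "\n".join(f"{u}:{sha_entry(p)}" for u, p in
                       [("ivanr", "book-secret"), ("reviewer1", "r1-secret"), ("guest", "guest-pw")])
AUTH_GROUPS = "reviewers: reviewer1 reviewer2 ivanr\neditors: guest\n"

def parse_users(text: str) -> dict:
    """AuthUserFile: one 'username:hash' per line."""
    users = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, stored = line.split(":", 1)
            users[name.strip()] = stored.strip()
    return users

def parse_groups(text: str) -> dict:
    """AuthGroupFile: one 'group: member member ...' per line."""
    groups = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def verify_password(stored: str, password: str) -> bool:
    """Only the {SHA} scheme is handled here; any other entry is rejected."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))

def check_access(users: dict, groups: dict, require: str, username: str, password: str) -> bool:
    """Authenticate against the user file, then apply one Require directive."""
    stored = users.get(username)
    if stored is None or not verify_password(stored, password):
        return False  # unknown user or wrong password: group membership is never consulted
    words = require.split()
    if words == ["valid-user"]:
        return True
    if words[0] == "user":
        return username in words[1:]
    if words[0] == "group":
        return any(username in groups.get(g, ()) for g in words[1:])
    return False  # unrecognised Require form: fail closed
```

Note that reviewer2 is listed in the group but has no entry in the user file, so group membership alone never grants access; the account must exist in AuthUserFile with a matching password.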
Basic Authentication Using DBM Files
Looking up user accounts in plaintext files can be slow, especially