I'm no web pro and the Apache2 documentation, although very thourough, was way too heavy for what I was trying to figure out. About 90 minutes into epic failure with various how-to and guide sites I was able to mangle my own configuration. Again -- I'm no apache master and I'm not really interested in learning everything to know about Apache right now. There are security concerns to be considered, but I am looking for something simple to protect an internal website. Your results may vary, but my case is that I have an internal webserver that I want to use to host a couple of departmental documents and files - nothing serious or top-secret here. If you are working with a public or internet server this may not be for you but might get you started in the right direction.
Under Debian/Ubuntu there are sites-available and sites-enabled for your virtual hosts. The configuration files for each of the sites are stored under /etc/apache2/sites-available, generally a single text file with the name of the site. In my case, I want to modify the default site as it is the main document root of this particular server.
# pico /etc/apache2/sites-available/default
Look for the directive that has your path you want to protect. Again, I want the document root of this server so I will be editing the seciton with . Change the line (under your directive only) AllowOverrides None to AllowOverrides All
Save the file with CTRL-X and reload the Apache configuration with the following command
# /etc/init.d/apache2 reload
Now that the configuration has been modified you can create the password file and the access file for the directory to be secured. It is a rule of thumb to not keep the password file in the document root so keep that in mind and place it somewhere that the webserver can read but users can not.
# htpasswd -c /path/to/password/.htpasswd username
Once the password file has been created (I called mine .htpasswd) you can add a user later with this command
# htpasswd /path/to/password/.htpasswd username
And to delete a user from this list, use this command (there are no confirmation prompts to delete)
# htpasswd -D /path/to/password/.htpasswd username
With the configuration changed and the password file created (.htpasswd in my case), we can now create the directory access change file called .htaccess. You need to place this file in the same directory that you changed the AllowOverride directive in your site configuration above AND reloaded apache2 or it will not work.
# pico /path/to/directory/needing/password/.htaccess
AuthName "Foo"
AuthType Basic
AuthFile /path/to/password/file/.htpasswd
Require valid-user
The AuthName directive can be anything you want to be displayed in the popup for the username/password box just be sure to encapsulate it between quotation marks or you will get a 500 Internal Server error when you go to test it.
No comments:
Post a Comment