Securing Apache
In addition to properly configuring Apache, you can secure access to directories (or even the entire server) through authentication. Before you enable authentication in the server, you're going to need to create an authentication database of users and passwords.
To create an Apache password file
1. Log in as root, or use su to become root.
2. cd /path/to/apache
   Change to the directory with your Apache httpd.conf file (Code Listing 9.7). This isn't a requirement, as you can put the password file anywhere. Don't put your password file in a directory that's accessible through the Web server, as this would be a security risk.
3. htpasswd -c /path/basic-auth-passwords user
   Create (the -c option) the basic-auth-passwords file in path (you can put this in the same directory as httpd.conf, and you can name it anything). Add user to this file after prompting for user's password. This password is used only for this Web server, and it should be different from the user's usual passwords.
4. At the "New password" prompt, enter user's password. Enter the password again at the "Re-type new password" prompt to verify it.
5. chmod 640 /path/basic-auth-passwords
   Make the basic-auth-passwords file readable/writable by root, and readable by members of root's primary group (usually wheel, but admin on Mac OS X).
6. htpasswd /path/basic-auth-passwords user
   Use the htpasswd command without the -c option to add more users to the basic-auth-passwords file.

Code Listing 9.7. Creating a password file for use with Apache's basic authentication.
bsd# cd /usr/local/etc/apache2
bsd# htpasswd -c basic-auth-passwords chrish
New password:
Re-type new password:
Adding password for user chrish
bsd# chmod 640 basic-auth-passwords
bsd# htpasswd basic-auth-passwords megatron
New password:
Re-type new password:
Adding password for user megatron
To enable basic authentication in Apache
You can specify these authentication directives in .htaccess files or in the httpd.conf file's Directory directive.
1. Log in as root, or use su to become root.
2. Use your favorite text editor to edit the httpd.conf file.
3. Find the Directory directive you want to restrict to authenticated users. You can add this to the default Directory directive if you want to restrict the entire site.
4. Add the following directives to the Directory block:
   AuthType Basic
   AuthName "message"
   AuthUserFile /path/basic-auth-passwords
   Require valid-user
   The message is displayed in visitors' Web browsers when they are prompted for a user name and password to access the site. Replace the path with the full path to your basic-auth-passwords file.
5. Save the httpd.conf file and exit your editor.
6. apachectl -t && apachectl restart
   Check the httpd.conf for syntax errors and restart the server.
7. Use your favorite Web browser to access an authenticated part of the site. You should be prompted for a user name and password before being allowed to access the page.
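The two checks these steps imply (the password file sits outside the Web tree and its mode is no looser than chmod 640) together with the Directory block from step 4, as an added shell example that is not from the book; the DocumentRoot, password-file and protected-directory paths are supplied by the caller, and the realm text "Restricted area" is hypothetical.

```shell
#!/bin/sh
# Added example (not from the book): check an Apache Basic-auth password
# file the way steps 2 and 5 describe, and emit the Directory block of
# step 4. Paths and the realm text below are hypothetical.

# canon_path PATH: print PATH with symlinks and ".." resolved; fail if the
# containing directory does not exist.
canon_path() {
  if [ -d "$1" ]; then
    (cd -P -- "$1" && pwd -P)
  else
    dir=$(cd -P -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename -- "$1")"
  fi
}

# check_password_file DOCROOT FILE: succeed only if FILE exists, lies
# outside DOCROOT (so httpd cannot serve it) and is neither world-readable
# nor group-writable, i.e. no looser than the book's chmod 640. Each
# problem found is printed on its own line. (The httpd child processes
# still need read access, normally through the file's group.)
check_password_file() {
  docroot=$(canon_path "$1") || { echo "no such DocumentRoot: $1"; return 1; }
  file=$(canon_path "$2") || { echo "missing: $2"; return 1; }
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  status=0
  case $file in
    "$docroot"/*) echo "inside DocumentRoot: $file"; status=1 ;;
  esac
  # Columns 2-10 of ls -l are the rwx bits: group write is column 6,
  # other read is column 8.
  mode=$(ls -ld -- "$file" | cut -c1-10)
  case $mode in ?????w*) echo "group-writable ($mode): $file"; status=1 ;; esac
  case $mode in ???????r*) echo "world-readable ($mode): $file"; status=1 ;; esac
  return $status
}

# basic_auth_block DIR MESSAGE FILE: print the step-4 directives wrapped
# in a Directory block for DIR.
basic_auth_block() {
  printf '<Directory "%s">\n' "$1"
  printf '    AuthType Basic\n    AuthName "%s"\n' "$2"
  printf '    AuthUserFile "%s"\n    Require valid-user\n</Directory>\n' "$3"
}
# Usage: sh check-basic-auth.sh DOCROOT PASSWORDFILE PROTECTEDDIR
if [ "$#" -eq 3 ]; then
  check_password_file "$1" "$2" && basic_auth_block "$3" "Restricted area" "$2"
fi
```

Run it after step 5 and before editing httpd.conf; a clean run prints only the Directory block, ready to paste.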