Sunday, 16 November 2014

Tutorial on .htpasswd and .htaccess with apache(httpd) in Linux

Suppose you have to deal with a situation like a public website that also holds some secret information.
How can we protect that information?

In that case we can use .htpasswd and .htaccess.

How? Let's see...

Open your terminal and type as

                        vim /etc/httpd/conf/httpd.conf

and find lines 334 to 338. This is the area of httpd.conf that deals with .htaccess:

    334 # AllowOverride controls what directives may be placed in .htaccess files.
    335 # It can be "All", "None", or any combination of the keywords:
    336 #   Options FileInfo AuthConfig Limit
    337 #
    338     AllowOverride AuthConfig
 

Now look at line 338. Before modifying, it will look like

                     AllowOverride None

You have to modify it to

                     AllowOverride AuthConfig

Now make sure that you have a website and that its VirtualHost configuration is complete.



In my case that website is website1.com. Now open your terminal and type

                   #  vim /var/www/html/website1/protected/.htaccess

Then write the lines below:

                   AuthUserFile /var/www/html/website1/protected/.htpasswd
                   AuthType basic
                   AuthName " My Personal Files"
                   Require valid-user

So what do they mean? Here we go...

AuthUserFile : This is the path of the .htpasswd file. Make sure you give the proper path; if you give a wrong path, it won't allow anyone to log in. Don't panic, we are admins, we can solve it by giving the proper path.

AuthType : The AuthType directive selects the method that is used to authenticate the user. The most common method is Basic, and this is the method implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and was intended to be more secure. This is no longer the case and the connection should be encrypted with mod_ssl instead.

AuthName : AuthName can be anything; it is the name displayed in the password prompt.

Require : This defines who is allowed access.

For Example :

Require valid-user  # means only the valid users who are in the .htpasswd file
Require user raja raaz # means among the users of the .htpasswd file, allow only raja and raaz

But

Require valid-user raja is the wrong way to use it; written that way it does not make any sense.

I hope that explanation is fine. Now save and close that file; next we are going to create users for it.

# htpasswd -bc /var/www/html/website1/protected/.htpasswd raja Password

(-b takes the password from the command line, where it also lands in your shell history; leave out -b and the password argument and htpasswd will prompt for it instead.)

The location of the .htpasswd file is completely up to you, but .htaccess must be inside the directory that is intended to be protected.

To add one more user you can use this command:
# htpasswd -b /var/www/html/website1/protected/.htpasswd raaz Password

If you mention -c here it will overwrite the old .htpasswd file, so don't use -c while adding another user.
Now raja is the username and Password is the password needed for access. They are stored in /var/www/html/website1/protected/.htpasswd once you have added the user.

You can try it. Just access website1.com/protected in your browser; it will ask you for a username and password, and only the allowed users are able to access that content.
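As an added example that is not part of this tutorial, the following Python models what Apache does with the pieces above: it checks a username and password against a constructed .htpasswd, applies `Require valid-user` or `Require user ...`, and shows why running htpasswd with -c again throws away the existing users. It assumes the `{SHA}` hash scheme (what `htpasswd -s` writes) so that it runs offline; real files should use bcrypt (`htpasswd -B`), and the function names are my own.

```python
import base64
import hashlib
import hmac

def sha_entry(password: str) -> str:
    """Hash a password the way `htpasswd -s` does: "{SHA}" + base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

# Constructed sample .htpasswd content (not from the tutorial): raja's
# password is "Password", raaz's is "s3cret".
HTPASSWD = "\n".join(["raja:" + sha_entry("Password"), "raaz:" + sha_entry("s3cret")])

def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash; blank lines and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, stored = line.partition(":")
            users[name] = stored
    return users

def check_password(stored: str, password: str) -> bool:
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_entry(password))
    raise ValueError("only the {SHA} scheme is handled in this example")

def authorize(require: str, htpasswd_text: str, user: str, password: str) -> bool:
    """Apache's two steps: authenticate against AuthUserFile, then apply Require."""
    users = parse_htpasswd(htpasswd_text)
    if user not in users or not check_password(users[user], password):
        return False                      # 401: unknown user or wrong password
    words = require.split()
    if words == ["valid-user"]:
        return True                       # any user listed in .htpasswd
    if words[0] == "user":
        return user in words[1:]          # 403: authenticated but not named
    raise ValueError("unsupported Require directive: " + require)

def add_user(htpasswd_text: str, name: str, password: str, create: bool = False) -> str:
    """Mimic `htpasswd [-c]`: create=True (-c) starts a fresh file and drops every
    existing entry; without it the user is added to, or updated in, the file."""
    users = {} if create else parse_htpasswd(htpasswd_text)
    users[name] = sha_entry(password)
    return "\n".join(f"{u}:{h}" for u, h in users.items())
```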

Hope it helps.

In case of any queries please let me know.




 Thank you
