HTTP Authentication using Apache Web Server

HTTP Authentication using Apache Web Server is used to give password protected access to the files or folders present in your web server. Using it, you can also decide to whom you want to give the access. If you have information on your web site that is sensitive or intended for only a small group of people, the techniques in this blog will help you make sure that the people that see those pages are the people that you wanted to see them.

Prerequisites

You can put HTTP authentication in two ways:

1. Using Directives directly in the apache2.conf file.
2. Using Directives in .htaccess file. This file is stored in the folder to which you want to give restricted access.

If you plan to use .htaccess files, you will need to have a server configuration that permits putting authentication directives in these files.Since we’re talking here about authentication, you will need an AllowOverride directive like the following:

Creating Password File

You need to create a password file which will store the information about user and password. Whenever someone needs access to a file or folder which is restricted, the user and password is searched in this file for granting the access. The password file should be restricted from the user . For instance, if the default root is /var/www/html then the password should be present in /var/www/password.

To create the password we will use the command given below. The command will generate a password for a particular user and save it in the password file

[js]htpasswd -c /var/www/password/passwords mohit[/js]

This command is creating a file passwords for user mohit . ‘-c’ is used to create a file. This file will store the password information for user mohit. After typing the above command, it will ask to enter the password twice as shown below:

[js]htpasswd -c /var/www/password/passwords mohit
New password: mypassword
Re-type new password: mypassword
Adding password for user mohit[/js]

Protecting a Folder

Consider protecting a folder var/www/secret . You can protect it either using .htaccess file or editing the main configuration file of apache.  Add the following lines in the configuration file or create .htaccess file in the secret folder:

[js]AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /var/www/password/passwords
Require user mohit[/js]

Here Basic is the Authentication type. Restricted files is the name given to the prompt. file is the authentication medium. AuthUserFile is the file in which credentials are stored. Require user is the user who needs to be authenticated.

After adding the above lines, restart the apache server and you are done. Now whenever you will try to access the directory var/www/secret , it will prompt for user and password.

Allowing access for a single IP and restricting access from others

[js]Directory /var/www/secret>
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /var/www/password/passwords
Require user mohit
Order deny,allow
Deny from all
Allow from 10.1.1.118
Satisfy any
Require ip 10.1.1.118
[/js]
 

Giving access to more than one user

Create a group for the users whom you want to give the access. Suppose we want to create a group named GroupName and want to give access to the users in GroupName. The password of these users must also be added to the password file.

[js]GroupName: rbowen dpitts sungo rshersey
AuthType Basic
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
AuthUserFile /var/www/password/passwords
AuthGroupFile /var/www/groups
Require group GroupName[/js]

Instead of creating a group, you can also add users to the password file and add Require valid-user . It will give access to all the users who are listed in the password file.