HTTP authentication in the Apache web server gives password-protected access to files or folders on your web server. With it, you can also decide who is given access. If your web site holds information that is sensitive or intended for only a small group of people, the techniques in this blog will help you make sure that the people who see those pages are the people you wanted to see them.
You can set up HTTP authentication in two ways:
- Using Directives directly in the apache2.conf file.
- Using Directives in .htaccess file. This file is stored in the folder to which you want to give restricted access.
If you plan to use .htaccess files, you will need to have a server configuration that permits putting authentication directives in these files. Since we’re talking here about authentication, you will need an AllowOverride directive like the following:
Creating Password File
You need to create a password file that stores the user names and passwords. Whenever someone requests a restricted file or folder, the user name and password they supply are looked up in this file before access is granted. The password file should be kept where users cannot fetch it through the web server. For instance, if the default root is /var/www/html then the password file should be placed in /var/www/password.
To create the password file, use the command given below. It generates a password entry for a particular user and saves it in the password file.
htpasswd -c /var/www/password/passwords mohit
This command creates a file named passwords that holds the password information for user mohit. The ‘-c’ option creates the file; if the file already exists it is overwritten, so leave ‘-c’ out when adding further users. After you type the above command, it asks for the password twice, as shown below:
htpasswd -c /var/www/password/passwords mohit
New password: mypassword
Re-type new password: mypassword
Adding password for user mohit
Protecting a Folder
Consider protecting the folder /var/www/secret. You can protect it either with a .htaccess file or by editing the main Apache configuration file. Add the following lines to the configuration file, or create a .htaccess file containing them in the secret folder:
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /var/www/password/passwords
Require user mohit
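Here Basic is the authentication type. "Restricted Files" is the name shown in the login prompt. file is the authentication provider, meaning credentials are read from a file. AuthUserFile is the file in which the credentials are stored. Require user names the user who is allowed in after authenticating. Basic authentication sends the user name and password base64-encoded, not encrypted, so the protected location should be served over HTTPS.
After adding the above lines, restart the Apache server and you are done. Now whenever you try to access the directory /var/www/secret, it will prompt for a user name and password.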
Allowing access for a single IP and restricting access from others
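<Directory /var/www/secret>
    AuthType Basic
    AuthName "Restricted Files"
    # (Following line optional)
    AuthBasicProvider file
    AuthUserFile /var/www/password/passwords
    Require user mohit
    # Apache 2.2 syntax (provided by mod_access_compat on Apache 2.4)
    Order deny,allow
    Deny from all
    Allow from 10.1.1.118
    # A request passes if it meets either the host rule or the user rule
    Satisfy any
    # Apache 2.4 syntax for the same host rule
    Require ip 10.1.1.118
</Directory>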
Giving access to more than one user
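Create a group for the users to whom you want to give access. Suppose we want to create a group named GroupName and give access to the users in GroupName. The group definition (GroupName: followed by its members) goes in the group file named by AuthGroupFile, and the directives go in the configuration file or .htaccess file. The passwords of these users must also be added to the password file.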
GroupName: rbowen dpitts sungo rshersey

AuthType Basic
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
AuthUserFile /var/www/password/passwords
AuthGroupFile /var/www/groups
Require group GroupName
Instead of creating a group, you can also add the users to the password file and use Require valid-user. This gives access to every user listed in the password file.
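
A check for the two file requirements described above (the password file kept outside the document root, and every group member also present in the password file), as an added example that is not part of the original post. The function names are this example's own, and the sample files written in the demo are constructed.

```python
import os
import tempfile
from pathlib import Path

def records(text):
    """Yield (name, rest) for each 'name:rest' line, skipping blanks and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            name, _, rest = line.partition(":")
            yield name.strip(), rest.strip()

def parse_passwords(text):
    """Return {user: hash} from htpasswd-format text ('user:hash' per line)."""
    return dict(records(text))

def parse_groups(text):
    """Return {group: [members]} from AuthGroupFile text ('group: user1 user2')."""
    return {name: rest.split() for name, rest in records(text)}

def inside(path, root):
    """True if path resolves (symlinks followed) to a location under root."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root

def audit(password_file, group_file, document_root):
    """Return findings: files under the docroot, group members with no password."""
    findings = []
    for f in (password_file, group_file):
        if inside(f, document_root):
            findings.append(f"{f} is under the document root {document_root}")
    with open(password_file) as fh:
        users = parse_passwords(fh.read())
    with open(group_file) as fh:
        groups = parse_groups(fh.read())
    for group, members in groups.items():
        for member in members:
            if member not in users:
                findings.append(f"{group}: {member} has no entry in {password_file}")
    return findings

if __name__ == "__main__":
    # Constructed sample: group file inside the docroot, dpitts lacks a password.
    with tempfile.TemporaryDirectory() as d:
        root, pw, grp = Path(d, "html"), Path(d, "passwords"), Path(d, "html", "groups")
        root.mkdir()
        pw.write_text("rbowen:$apr1$constructed$hash\n")
        grp.write_text("GroupName: rbowen dpitts\n")
        print("\n".join(audit(pw, grp, root)))
```

On a real server, call audit() with the paths used in this post: /var/www/password/passwords, /var/www/groups and /var/www/html.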