Archive

Archive for the ‘Htaccess in Linux’ Category

Htaccess in Linux

December 15, 2009 Leave a comment

How to Configure Your Website Using Htaccess in Linux with Apache

Step 01: For this to work successfully you will have to be logged in as root or using one of the sudo or su options.

Step 02: We will need to create the folder that will have to be authenticated. Since the default location in apache is /var/www/html we will create it here. You will do this by using the mkdir command.

[root@linux ~]# mkdir /var/www/html/testfolder

Restrict web page under /var/www/html/testfolder using basic authentication:

Step 03: Next we need to add the .htaccess & .htpasswd files to the personal folder. We first need to change the directory of the folder we wish to protect.

[root@linux ~]# cd /var/www/html/testfolder

Step 04: Next we can create the .htaccess file.

[root@linux ~]# vi .htaccess

Step 05: Press i to insert and add the following content.

AuthUserFile /var/www/html/testfolder/.htpasswd

AuthGroupFile /www.null

AuthName "Authorization Required"

AuthType Basic

require user USER_NAME

N.B. Change “test folder” to the name of your folder and change “USER_NAME” to the user name you wish to use.

Press your esc button then :wq to save your file in your vi editor.

Step 06: Next we’ll create the .htpasswd file. We want to run htpasswd on the path of the folder we want to protect.

[root@linux ~]# htpasswd -c /var/www/html/testfolder/.htpasswd USER_NAME

New password: 

Re-type new password: 

Adding password for user USER_NAME

Step 07 : Next we will have to edit the apache httpd.conf (on some systems called the apache2.conf) file.

[root@linux ~]# vi /etc/httpd/conf/httpd.conf

Step 08: You will have to scroll all the way to the bottom to add the following directory.

#FOR MY TEST FOLDER

<Directory "/var/www/html/testfolder">

AllowOverride AuthConfig

</Directory>

Step 09: Finally save httpd.conf by typing esc :qw! and restart apache.

[root@linux ~]# service httpd restart

Step 10: To add new users, use the same command without the -c switch. For example, to add the user mahbub, type

# htpasswd .htpasswd mahbub

Step 11: To delete users, open the .htpasswd file, using your favorite unix editor, like vi, and delete the row(s) associated with the specific user(s) that you want to remove.

Restrict web page under /var/www/html/testfolder using Digest authentication:

Step 12: Add the following lines in the htttpd.conf file

<Directory "/var/www/htdocs/testfolder" >
 Options None
 AllowOverride None
 AuthType Digest
 AuthName "Protected Area"
 AuthDigestFile /usr/local/Apache/conf/digest_passwd
 AuthDigestGroupFile /usr/local/apache/conf/groups
 Require valid-user
 Order deny,allow
 Deny from all
</Directory>

Step 13:create a valid user as

# htdigest -c /usr/local/apache/conf/digest_passwd "Protected Area" username

Step 14:Now restart http service

Theory of User authentication

Apache allows us to require user authentication for access to certain directories. The authentication method can be one of two types, Basic or Digest.

Basic authentication

To set up a directory that requires a user to supply a username and password we would use something like the following in our httpd.conf file:

<Directory "/var/www/htdocs/protected" >
 Order deny,allow
 Deny from all
 Allow from 192.168.1.
 AuthName "Private Information"
 AuthType Basic
 AuthUserFile /usr/local/apache/conf/passwd
 AuthGroupFile /usr/local/apache/conf/groups
 require group <group-name>
</Directory>

Firstly we have denied access to all users but those on our internal network to the directory /var/www/htdocs/protected. To require a password we use the AuthType Basic directive. Our password file is /usr/local/apache/conf/passwd, as specified by the AuthUserFile directive and, similarly, we specify a group file. The last line require group <group-name> means that a user must be a member of <group-name> in order to be allowed access to the directory.

Of course, for this to work, we must set up our password and group files. For the group file simply create a file, /usr/local/apache/conf/groups, containing the line:

group-name: user1 user2

You can specify as many groups as you wish on separate lines. List users separated by a space.

Next we create the password file with the command htpasswd -cm /usr/local/apache/conf/passwd user1. This will prompt for a password and create a user with name user1 in the file /usr/local/apache/conf/passwd. The c option will create the file if it doesn’t exist, and the m option will MD5 hash the password (SHA1 and crypt options are also available, but SHA1 does not work with some Apache versions). Subsequent users can be added using htpasswd -m /usr/local/apache/conf/passwd user1.

If you do not want to use groups you could use require valid-user user1 user2 in order to only allow access to certain users.

The disadvantage of Basic Authentication is that passwords are sent as plain text from the client to the server, meaning that it is simple for a malicious user with access to the network can obtain the password using a network traffic analyzer. Digest Authentication tries to prevent this.

Digest Authentication

In digest authentication the password is never transmitted across the network. Instead the server generates a nonce, a one-time random number, and sends it to the client’s browser, which then hashes the nonce with the user’s password and sends the resulting hash back to the server. The server then performs the same hash and compares the result. This is considerably more secure than Basic Authentication, though not so widely used. One disadvantage of Digest Authentication is that it requires setting up a different password file for each realm on the server, as the realm name is used when creating the necessary hashes. With Basic Authentication, one password file can be used across the board.

To create an area protected by Digest Authentication, we use something like the following.

<Directory "/var/www/htdocs/protected" >
 Options None
 AllowOverride None
 AuthType Digest
 AuthName "Protected Area"
 AuthDigestFile /usr/local/Apache/conf/digest_passwd
 AuthDigestGroupFile /usr/local/apache/conf/groups
 Require valid-user
 Order deny,allow
 Deny from all
</Directory>

This time we set AuthType Digest, and the AuthName "Protected Area" directive is required. In place of AuthUserFile and AuthGroupFile directives we use the AuthDigestFile and AuthDigestGroupFile directives. The group file is the same as previously, but we need to set up the password file using the command htdigest -c /usr/local/apache/conf/digest_passwd "Protected Area" user1. Note the use of the htdigest program in place of htpassword and the AuthName in the command. Again the c option creates the file if it doesn’t exist.

Article Written By : Mahabub Bhai.

Advertisements