APACHE 2 SECURITY - AUTHENTICATION AND ACCESS

Securing a site directory in Apache 2 within the httpd.conf file



  • Aim: provide basic access protection via password authentication and IP restrictions
  • Environment tested: CentOS 5.2, Apache 2
  • File to be modified: httpd.conf
  • File location in tested configuration: /etc/httpd/conf/httpd.conf

Advantages: the security directives live in the httpd.conf file rather than in .htaccess files, so they cannot be changed by anyone who can write to the web tree and are not re-read on every request.
Disadvantages: with Basic authentication the password is sent in clear text (only base64-encoded), so anyone sniffing the network can capture the credentials unless the directory is served over HTTPS.

Link to the relevant Apache 2.0 documentation:
http://httpd.apache.org/docs/2.0/howto/auth.html

Explanation

  • This is a directory-based security restriction stored in the Apache configuration file.
  • It requires a passwords file and uses the AllowOverride AuthConfig directive, providing basic authentication to the directory.
  • IP access restriction is done through the Allow from directive.

How-to

Step 1: Create a password file (important: create the file in a path that is not accessible from the web site, so it cannot be downloaded by visitors; e.g., if your site is served from /var/www/html, use /var/www or another location outside the document root).

To create the passwords file, the syntax is:

htpasswd -c /pathtofile/passwordsfilename username

Ex: htpasswd -c /var/www/passwords chris

You are prompted to assign a password for the user chris.

To add additional users to the passwords file, run the command without -c (the -c flag creates the file and would overwrite the existing one):
htpasswd /var/www/passwords newusername

Replace newusername with whatever user you want to add.

Step 2: Enable password based authentication and restrict access via IP addresses

Inside the directory directives, you add the AllowOverride directive, setting it to AuthConfig. Then, specify the Order allow,deny directive, adding the IP addresses you want in the Allow from or Deny from lines. Then, you add the AuthType, AuthName, AuthUserFile, and Require user directives.

Ex:
AllowOverride AuthConfig
Order allow,deny
Allow from 127.0.0.1 192.168.1.0/24 123.123.123.1
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/www/passwords
Require user chris

The breakdown:

AllowOverride AuthConfig - Apache permits the authentication directives (AuthConfig) for the directory
Order allow,deny - specifies in which order the Allow and Deny directives are evaluated; with no Deny lines, a client that matches no Allow entry is denied by default, so I selected an allow-only model
Allow from 127.0.0.1 192.168.1.0/24 123.123.123.1 - Access to the directory is only allowed from localhost, my home network range and a single external address
AuthType Basic - Apache uses Basic authentication (the password crosses the network in clear text unless HTTPS is used)
AuthName "Restricted Files" - String that is displayed in the authentication window when trying to access the directory
AuthUserFile /var/www/passwords - Password file to use for authentication
Require user chris - User required to authenticate (only this user is accepted, even if the file holds others)


This is a sample completed entry in the main server configuration section in httpd.conf (the directives must sit inside a Directory block; the path below is a placeholder, replace it with the directory you want to protect):

#----Securing a directory via password and IP restrictions-----------
#Christian's note: added 10 feb 2009

# /path/to/protected/directory is a placeholder for the directory to secure
<Directory "/path/to/protected/directory">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from 127.0.0.1 192.168.1.0/24 123.123.123.1
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /var/www/passwords
    Require user chris
</Directory>

#-------------------------------------------------------------
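As an added example, not part of the original how-to: a small Python checker that parses a Directory block like the one above, evaluates the Allow from list the way Order allow,deny does for sample client addresses (a client matching no Allow entry is denied), and flags a password file placed under DocumentRoot, which is the mistake Step 1 warns about. The DocumentRoot and directory path in the constructed sample are assumed placeholders.

```python
import ipaddress
import os
import re

# Constructed sample httpd.conf fragment; DocumentRoot and the Directory path
# are assumed placeholders, the other lines follow the how-to above.
SAMPLE_CONF = """
DocumentRoot "/var/www/html"
<Directory "/var/www/html/private">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from 127.0.0.1 192.168.1.0/24 123.123.123.1
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /var/www/passwords
    Require user chris
</Directory>
"""

def parse_directory_blocks(conf):
    """Return {dir_path: {directive: value}} for each <Directory> block.
    'Allow from' / 'Deny from' lines are keyed as 'Allow from' / 'Deny from'."""
    blocks = {}
    for m in re.finditer(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', conf, re.S):
        directives = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            value = value.strip()
            if key in ("Allow", "Deny") and value.lower().startswith("from "):
                key, value = key + " from", value[5:].strip()
            directives[key] = value
        blocks[m.group(1)] = directives
    return blocks

def allow_from_permits(allow_value, client_ip):
    """Evaluate an 'Allow from' list under Order allow,deny with no Deny lines:
    a client matching no Allow entry falls through to the default and is denied."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in allow_value.split())

def audit(conf):
    """Flag Basic-auth directories whose AuthUserFile sits under DocumentRoot."""
    root_m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', conf, re.M)
    root = os.path.normpath(root_m.group(1)) if root_m else None
    findings = {}
    for path, d in parse_directory_blocks(conf).items():
        issues = []
        if d.get("AuthType") == "Basic":
            pw = os.path.normpath(d.get("AuthUserFile", ""))
            if root and pw.startswith(root + os.sep):
                issues.append("AuthUserFile is inside DocumentRoot and may be downloadable")
            if "Allow from" not in d:
                issues.append("no Allow from line: password is the only barrier")
        findings[path] = issues
    return findings
```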