Greytree

TamWiki

For a mouse who is a packrat

Technology » Securing A Web Site With Apache HTTP Auth
often times, one wants to keep people away from a web site for either privacy or other restrictions. HTTP Authorization is one way to do that. This page describes how to do that with Apache

Summary:this is what goes at the top of the site

(redirected from Main.SecuringAWebSiteWithApacheHTTPAuth)

Next: Strong Passwords >>

Up: ^Security^

On this page... (hide)

Keeping prying eyes away from information on web sites can be accomplished in many ways. One of the most simple (and, admittedly, least secure) is via HTTPAuth mechanism built into Apache. Apache has many methods of performing HTTP authorization; this howto will describe basic user authentication.

Making sure apache is configured for basic user authentication

Here we are describing basic authentication. For other types of authentication consult the apache documentation.

You need to ensure that the mod_auth_basic module is loaded when the server starts. In addition, you need the mod_authn_file and mod_authz_user, and optionally mod_authz_groupfile.

Configuring authentication

There are two manditory configuration steps and one optional step which you must complete in order to protect a resource using basic authentication.

  1. Create a password file
  2. Set the configuration to use this password file
  3. Optionally, create a group file

Create the password file

Assuming you have shell access to your web host, the command to create the password file is: 

 htpasswd -c /some/path/outside/your/web/site/passwords username

This will create a new password file somewhere outside your web site's directory structure. This is very important! You do not want the webserver to be able to serve up the password file if a malicious browser happens to guess it. If you are unable to put this file in a place outside the web site's hierarchy, you have to deny delivery of the file by modifying the .htaccess file. See PreventingApacheFromAccessingFiles?.

When you run the htpasswd tool, it will ask your for the password you want to use with username twice, to confirm you typed it correctly. Make a note of the password you entered, as it is not recoverable.

The -c flag is when you are creating the password file for the first time. You can add more users and passwords later to the same file by omitting the -c parameter. Caution: do not use the -c flag on subsequent additions to the password file, as it will erase the existing contents.

The password is stored in the password file in encrypted form, so that users on the system will not be able to read the file and immediately determine the passwords of all the users. Nevertheless, you should store the file in as secure a location as possible, with whatever minimum permissions on the file so that the web server itself can read the file. For example, if your server is configured to run as user www-data and group www-data, then you should set permissions on the file so that only the webserver can read the file and only root can write to it: 

 chown root.www-data /some/path/outside/your/web/site/passwords
 chmod 640 /some/path/outside/your/web/site/passwords

Set the configuration to use this password file

Once you have created the password file, you need to tell Apache about it, and tell Apache to use this file in order to require user credentials for admission. This configuration is done with the following directives:

AuthType
Authentication type being used. In this case, it will be set to Basic
AuthName
The authentication realm or name
AuthUserFile
The location of the password file
AuthGroupFile
The location of the group file, if any
Require
The requirement(s) which must be satisfied in order to grant admission

These directives may be placed in a .htaccess file in the particular directory being protected, or may go in the main server configuration file, in a <Directory> section, or other scope container.

The example shown below defines an authentication realm called ``By Invitation Only''. The password file located at /some/path/outside/your/web/site/passwords will be used to verify the user's identity. Only users named tamara or mouse will be granted access, and even then only if they provide a password which matches the password stored in the password file. 

 AuthType Basic
 AuthName "Please enter the proper identification to enter this site. If you do not have this information and you are authorized to see this, contact the webmaster."
 AuthUserFile /some/path/outside/your/web/site/passwords
 `Require user tamara mouse

The AuthName phrase will be displayed in the password pop-up box, where the user will have to type their credentials.

If you put these directives in the one of the server configuration files, you will need to restart your Apache server in order for the new configuration to take effect. Directives placed in .htaccess files take effect immediately, since .htaccess files are parsed each time files are served.

The next time that you load a file from that directory, you will see the familiar username/password dialog box pop up, requiring that you type the username and password before you are permitted to proceed.

Note that in addition to specifically listing the users to whom you want to grant access, you can specify that any valid user should be let in. This is done with the valid-user keyword: 

 Require valid-user

Optionally, create a group file

Sometimes you want to restrict access to a web site to a specific group of people. Instead of listing each individual user on the Require line, you can create an authentication group that lists the members of the group.

This is handled using authentication groups. An authentication group is, as you would expect, a group name associated with a list of members. This list is stored in a group file, which should be stored in the same location as the password file, so that you are able to keep track of these things.

The format of the group file is exceedingly simple. A group name appears first on a line, followed by a colon, and then a list of the members of the group, separated by spaces. Create you group file in a similar place as you created the passwords file (putting in the same directory, for example). As with the passwords file, the group file should be outside the web site hierarchy so Apache cannot serve it up. An example of a group file would be: 

 team: tamara mouse

Once this file has been created, you can Require that someone be in a particular group in order to get the requested resource. This is done with the Auth Group File? directive, as shown in the following example. 

 AuthType Basic
 AuthName "Please enter user and password to gain access."
 AuthUserFile /some/path/outside/your/web/site/passwords
 AuthGroupFile /some/path/outside/your/web/site/groups
 Require group team

The authentication process is now one step more involved. When a request is received, and the requested username and password are supplied, the group file is first checked to see if the supplied username is even in the required group. If it is, then the password file will be checked to see if the username is in there, and if the supplied password matches the password stored in that file. If any of these steps fail, access will be forbidden.

Note: it is a pretty good idea to have one passwords file and one group file per site/vhost, and simply refer to it in each directory you want to secure. You can keep adding users and groups to each file for setting the access for various needs.

Security caveat

Caution: user names and passwords are sent in the clear with basic authentication. Do not use a common password with any other application!

Basic authentication should not be considered secure for any particularly rigorous definition of secure.

Although the password is stored on the server in encrypted format, it is passed from the client to the server in plain text across the network. Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across.

Not only that, but remember that the username and password are passed with every request, not just when the user first types them in. So the packet sniffer need not be listening at a particularly strategic time, but just for long enough to see any single request come across the wire.

And, in addition to that, the content itself is also going across the network in the clear, and so if the web site contains sensitive information, the same packet sniffer would have access to that information as it went past, even if the username and password were not used to gain direct access to the web site.

Don't use basic authentication for anything that requires real security. It is a detriment for most users, since very few people will take the trouble, or have the necessary software and/or equipment, to find out passwords. However, if someone had a desire to get in, it would take very little for them to do so.

Basic authentication across an SSL connection, however, will be secure, since everything is going to be encrypted, including the username and password.

Ref: http://httpd.apache.org/docs/2.2/howto/auth.html


Tags:
apache, security, authentication
Categories: HowTos

Recent Changes | Printable View | Page History | Edit Page
Page last modified on April 17, 2012, at 08:59 PM by ImportText?