Monday, December 19, 2011

Password Protection to your Website Hosted on Apache Web Server


At times, when browsing the web, I click on a link and, instead of a web page, get a dialog box asking for my user name and password; only after I have been authenticated do I get access to the website (or page). This kind of password protection is very simple to implement on the Apache web server.

Password authentication in Apache involves two files:
1. .htpasswd :-
This file contains the user name and password combinations of the users who are allowed access to the website or page. It can reside anywhere in the file system, but usually it is created in the Apache configuration directory ( /etc/httpd/conf/.htpasswd ), because it must not be accessible to visitors of the site.

2. .htaccess :-
This file defines the actual rules by which users are granted or denied access to the website. It should reside in the base directory of the website. For example, if my website is located at '/var/www/mysite.com' and I want to require authentication for the entire website, I store the file at '/var/www/rootuser/.htaccess'.

[ Note = Here I am using the Apache web server configuration which I have posted earlier. ]

1] Create new users and give them access to the website.
[root@server ~]# useradd anup
[root@server ~]# passwd anup

[root@server~]# useradd shubham
[root@server ~]# passwd shubham

2] Now create the .htpasswd file, which contains the passwords of the users allowed to access the web site.
[root@server ~]# htpasswd -cd /etc/httpd/conf/.htpasswd anup
New password:
Re-type new password:

[ Note = In the above command, -c creates a new file (it overwrites an existing one, so omit it when adding further users) and -d forces CRYPT encryption of the password. Any number of users and their passwords may be entered in the same .htpasswd file per website. ]

3] Create the .htaccess file, which will protect the whole website located in /var/www/rootuser.
[root@server ~]# vim /var/www/rootuser/.htaccess
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName www.rootuser.in
AuthType Basic
require user anup shubham
:wq

[ Note = Here AuthUserFile is the location of the .htpasswd file; AuthGroupFile points to a group file containing groups of users (I don't have a group file, so it points to /dev/null); AuthName is the web site name; AuthType Basic instructs Apache to accept a basic, unencrypted password from the remote user's web browser; and "require user" tells Apache that only the users named anup and shubham have access. ]

4] Change the permissions of both files.
[root@server ~]# chmod 600 /etc/httpd/conf/.htpasswd
[root@server ~]# chmod 600 /var/www/html/rootuser/.htaccess

5] Make changes in the Apache main configuration file, i.e. httpd.conf, so that the .htaccess file is honoured:
[root@server ~]# vim /etc/httpd/conf/httpd.conf
From

<Directory /var/www/html/mysite.com/>
...
AllowOverride None
...
</Directory>

To
<Directory /var/www/rootuser/>
...
AllowOverride AuthConfig
...
</Directory>
:wq

6] Restart the Apache web server.
[root@server ~]# service httpd restart
** Now open the website www.rootuser.in. From now on, any user who visits the website will first have to enter a user name and password to access it.
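As an added example (not code from the original post), the following Python mirrors what Apache does with the directives above: it decodes the Basic Authorization header, looks the user up in the .htpasswd file and then applies the "require user" list. It assumes entries in the {SHA} format written by htpasswd -s, because the CRYPT format produced by htpasswd -d depends on the platform crypt() and truncates passwords to 8 characters; the sample file, user names and passwords are constructed.

```python
# Added example, not part of the original post: what Apache does with
# AuthType Basic, AuthUserFile and `require user`. Entries use the {SHA}
# format written by `htpasswd -s` (pure hashlib); the CRYPT format from
# `htpasswd -d` depends on the platform crypt() and truncates passwords to 8 chars.
import base64
import hashlib
import hmac

def sha_hash(password):
    """Stored form of a password in the {SHA} scheme: base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def parse_htpasswd(text):
    """Map user -> stored hash; blank and comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and ":" in line:
            user, stored = line.strip().split(":", 1)
            users[user] = stored
    return users

def basic_header(user, password):
    """The Authorization header a browser sends: base64 only, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic_auth(auth_header, htpasswd_text, allowed_users):
    """Authenticate against the AuthUserFile, then authorize against the
    `require user` list; return the user name, or None on any failure."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 credentials
        return None
    user, sep, password = raw.partition(":")
    stored = parse_htpasswd(htpasswd_text).get(user, "")
    if not sep or not stored.startswith("{SHA}"):  # only {SHA} entries handled
        return None
    if not hmac.compare_digest(stored.encode(), sha_hash(password).encode()):
        return None  # wrong password (constant-time comparison)
    return user if user in allowed_users else None  # authorization step

# Constructed sample .htpasswd: anup's line is the {SHA} hash of "password".
HTPASSWD = "\n".join([
    "anup:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    f"shubham:{sha_hash('s3cret')}",
    f"guest:{sha_hash('guest')}",  # valid login, but not in `require user`
])
REQUIRE_USER = {"anup", "shubham"}  # from: require user anup shubham
```

The guest entry shows the difference between the two steps: its password is accepted by the AuthUserFile lookup, yet the request is still refused because the name is absent from the "require user" line.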
