Protecting Apache directories

Submitted by Swobodin on Tue, 2006-04-18 15:32.
Protecting an Apache directory with a login and password is very common and very simple. Your host may provide this feature, and so does Webmin. As many friends ask me about it, I think I should write a quick tutorial I can point people to.
First, allow .htaccess files to override the configuration of the directory you want to protect. This is done in httpd.conf (/etc/httpd/conf/httpd.conf) with the AllowOverride directive inside the matching <Directory> block. AllowOverride has no "On" value: it takes None, All, or a list of override classes. AuthConfig covers the Auth* and Require directives, and Limit is also needed if the .htaccess will contain Order, Deny or Allow lines.
For example

<Directory "/var/www/html/Lab">
    AllowOverride AuthConfig Limit
</Directory>

Reload httpd after changing httpd.conf.

Go to the directory and create a .htaccess file with these directives. Apache does not accept a comment at the end of a directive line, so comments go on lines of their own:

# htpasswd file, in which you store logins and hashed passwords
AuthUserFile /var/www/html/Lab/_htpasswd
# Basic is the only type I know
AuthType Basic
# Title of the login popup
AuthName "Restricted Area. Please login to proceed"
# "valid-user" is in lowercase
Require valid-user

Basic authentication sends the login and password base64-encoded, not encrypted, with every request, so serve the protected directory over HTTPS. The safest place for the password file is outside the document root (for example /etc/httpd/_htpasswd), where no URL can reach it; if you keep it inside the web tree as above, you must deny access to it explicitly.

Protect your _htpasswd so the server never serves it. In the same .htaccess (this is the part that needs AllowOverride Limit):

<Files "_htpasswd">
    Deny From All
</Files>

On Apache 2.4 the equivalent is Require all denied; the Deny/Allow syntax only works there if mod_access_compat is loaded.

To add a user who is allowed to access, use the htpasswd command. The -c option creates the file, or erases it if it already exists; don't use it when appending users.
htpasswd -c _htpasswd Swobodin
New password:
Re-type new password:
Adding password for user Swobodin

In this case the passwords are hashed with the system's crypt(), which older htpasswd versions use by default on Unix (they are not encrypted: the hash cannot be reversed, but traditional crypt() truncates the password to 8 characters and is fast to brute-force, so prefer htpasswd -m for MD5 or, on newer versions, htpasswd -B for bcrypt). Because an entry is just login:hash on one line, you can also generate entries from other programming languages, as long as you write exactly that format with nothing else on the line.

PHP

<?php
// Append a crypt()-style entry; the salt is two characters from [a-zA-Z0-9./]
$salt = "Yh";
$fp = fopen("_htpasswd", "a");
fputs($fp, "Swobodin:" . crypt("mypass", $salt) . "\n");
fclose($fp);
?>

Perl

#!/usr/bin/perl
use strict;
use warnings;
# Two-character salt from [a-zA-Z0-9./] for the traditional DES crypt()
my $salt = "Yh";
my $encrypted = crypt("mypass", $salt);
open(my $fp, '>>', '_htpasswd') or die "cannot open _htpasswd: $!";
print $fp "Swobodin:$encrypted\n";
close($fp);

C

/* _XOPEN_SOURCE must come before the includes so crypt() is declared;
   crypt.h is the glibc header, other Unixes declare crypt() in unistd.h */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <unistd.h>
#include <crypt.h>

int
main (int argc, char *argv[])
{
  FILE *fp;
  if (argc != 4)
    {
      fprintf (stderr, "usage: %s File Login Password\n", argv[0]);
      return 1;
    }
  fp = fopen (argv[1], "a");
  if (fp == NULL)
    {
      perror (argv[1]);
      return 1;
    }
  /* "zz" is a fixed two-character salt. No space after the colon:
     Apache compares everything after it with the hash. */
  fprintf (fp, "%s:%s\n", argv[2], crypt (argv[3], "zz"));
  fclose (fp);
  return 0;
}
Compile it
gcc -o myhtpasswd myhtpasswd.c -lcrypt
And run it
./myhtpasswd _htpasswd Swobodin mypass
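As an added example that is not part of the original post, here is a Python script that produces and checks htpasswd entries in the $apr1$ (MD5) format written by htpasswd -m. It re-implements the md5crypt variant used by Apache's apr_md5_encode() with hashlib, so it needs neither the system crypt() nor its 8-character password limit. The function names (apr1_hash, apr1_verify, parse_htpasswd, check_login), the sample user and the fixed salts are my own constructions for the demonstration.

```python
"""Generate and verify Apache htpasswd entries in the $apr1$ (MD5) format.

Added example, not code from the original post. It follows the algorithm of
apr_md5_encode() (the "$apr1$" flavour of md5crypt) used by `htpasswd -m`.
Names, passwords and salts below are constructed for the demonstration.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value, count):
    """crypt-style base64: emit `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt=None):
    """Return "$apr1$<salt>$<hash>" for `password`, as htpasswd -m would.

    A random 8-character salt is drawn when none is given; apr caps salts at 8.
    """
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw = password.encode()
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:                      # mix in md5(pw+salt+pw), len(pw) bytes
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(pw)
    while i:                             # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                # 1000 rounds of key stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Output bytes are interleaved in this fixed order before encoding.
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return MAGIC + salt + "$" + encoded


def apr1_verify(password, stored):
    """Recompute with the salt taken from `stored` and compare in constant time."""
    if not stored.startswith(MAGIC):
        return False
    salt = stored[len(MAGIC):].split("$", 1)[0]
    return secrets.compare_digest(apr1_hash(password, salt), stored)


def parse_htpasswd(text):
    """Map user -> stored hash. Split on the first ':' only, as Apache does."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def check_login(htpasswd_text, user, password):
    """True when `user` exists and `password` matches its $apr1$ entry."""
    stored = parse_htpasswd(htpasswd_text).get(user)
    return stored is not None and apr1_verify(password, stored)


# Constructed sample file, with a fixed salt so the output is reproducible.
SAMPLE_HTPASSWD = "Swobodin:" + apr1_hash("mypass", "Yh3kq9a.") + "\n"

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD, end="")
    print("correct password:", check_login(SAMPLE_HTPASSWD, "Swobodin", "mypass"))
    print("wrong password:  ", check_login(SAMPLE_HTPASSWD, "Swobodin", "mypass9"))
```

Running the script prints a Swobodin: line you can append to _htpasswd; on Apache 2.4 you can confirm the server-side tool accepts it with htpasswd -v. parse_htpasswd splits on the first colon only, which is also why a stray space after the colon in a hand-written entry breaks authentication: the stored "hash" would begin with that space and never match.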
Submitted by outofctrl on Tue, 2006-04-25 11:09.

Simple and nice article, Swobodin.

Another aspect of Apache which is occasionally misunderstood is the feature of default access.
That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.

For instance, consider the following example:

   1. # cd /; ln -s / public_html
   2. Accessing http://localhost/~root/

This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server's configuration:

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>

This will forbid default access to filesystem locations. Add appropriate blocks to allow access only in those areas you wish. For example,

# example paths: substitute your own DocumentRoot and UserDir locations
<Directory "/var/www/html">
    Order Deny,Allow
    Allow from all
</Directory>

<Directory "/home/*/public_html">
    Order Deny,Allow
    Allow from all
</Directory>

Pay particular attention to the interactions of <Location> and <Directory> directives; for instance, even if <Directory /> denies access, a <Location /> directive might overturn it.

Also be wary of playing games with the UserDir directive; setting it to something like "./" would have the same effect, for root, as the first example above. If you are using Apache 1.3 or above, it is strongly recommended that you include the following line in your server configuration files:

UserDir disabled root

Hope it helps...

-------------------------
OutOfCtrl
2.6.16-1.2096_FC-5-x86_64

Submitted by Swobodin on Thu, 2006-04-27 12:28.

Thanks OutOfControl! Interesting policy.
BTW, I had to modify some tags for XHTML compatibility.
Cheers!

I have neither land nor home
I have neither name nor age
I am like the wind passing by
A wind of freedom!