Configuring Apache – Intermediate - Authentication
(Page 3 of 4 )
One of the many tasks you will be faced with as an administrator is preventing access to certain files for certain users. This is the process of authentication, making sure that the correct files only get viewed by those people who should be allowed to view them. This is a particularly difficult task for a Web server, since Apache by default will serve everything in its “DocumentRoot” structure publicly. This means you must specifically define when and where you want Apache to apply an authentication scheme.
Another complicating factor in this setup is that Apache offers many different ways of applying and defining an authentication scheme. Some browsers also support only certain ways of authenticating, so you must keep that in mind when choosing a scheme. The two main types of authentication are called Basic and Digest authentication.
Basic authentication has been around for a long time, and is supported by almost all browsers. This ubiquity is its main advantage. However, it has several disadvantages. First of all, from a security standpoint, Basic authentication sends passwords over the Internet in plain-text, like any other HTTP traffic, so any hacker listening to a user’s or server’s line has a very easy time of sniffing passwords. Also, because Basic authentication is very simplistic, it is often difficult for administrators to get the authentication scheme set up in the way that they want it.
Digest authentication is the other option. Digest authentication's main drawback is that it is less widely supported than Basic. However, Digest does not send username and password information over the Internet in plain-text. It uses a form of public key encryption to make it more difficult to break.
Now that we’ve discussed the different forms of authentication, let’s talk about how to implement them on Apache. First, we’ll talk about creating the files necessary to implement both of these schemes. Both Basic and Digest authentication store username and password information in simple flat files that sit in the server file system. To create these files, you must use one of two programs provided with Apache. For Basic, the program is called “htpasswd” and for Digest, it is called “htdigest.” These programs take as input the destination for the password file, a username and a password, and then add the correct entry to that file. For exact usage of both of these utilities, see the Apache documentation.
To configure Apache to use Basic authentication for a certain directory, you would do something like the following:
<Directory /web/home/private>
    AuthName "MyPrivateStuff"
    AuthType Basic
    AuthUserFile /web/htpasswd
    Require valid-user
</Directory>
The “AuthName” directive sets the realm name that the browser displays to the client when it prompts for a password. The “AuthType” directive tells Apache to use Basic authentication, “AuthUserFile” tells Apache where to find the corresponding “htpasswd” file for this directory, and “Require valid-user” makes sure that Apache will not serve anything in this directory to anyone who has not authenticated as a user listed in that file.
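As an added example (not code from the article or from Apache), the following Python models what “htpasswd -s” (the SHA form) and “htdigest” write to their flat files, what a browser sends for Basic, and how the server checks a credential against each file. The username, password, URI and nonce are constructed sample values; note that for Digest the realm stored in the file must be the same string as the AuthName directive.

```python
import base64
import hashlib

REALM = "MyPrivateStuff"  # the AuthName; for Digest it must match the realm in the file


def htpasswd_sha_entry(user: str, password: str) -> str:
    """One line as written by `htpasswd -s`: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """One line as written by htdigest: user:realm:HA1, HA1 = md5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"


def basic_authorization_header(user: str, password: str) -> str:
    """The header a browser sends for Basic: base64 only, no secrecy at all."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic(htpasswd_lines, header: str) -> bool:
    """Server side of Basic: decode the header, re-hash, compare with the stored line."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return htpasswd_sha_entry(user, password) in (line.strip() for line in htpasswd_lines)


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: md5(HA1:nonce:HA2), HA2 = md5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def check_digest(htdigest_lines, user, realm, method, uri, nonce, response) -> bool:
    """Server side of Digest: look up HA1 in the file and recompute; the password is never needed."""
    for line in htdigest_lines:
        u, r, ha1 = line.strip().split(":")
        if u == user and r == realm:
            return digest_response(ha1, method, uri, nonce) == response
    return False


if __name__ == "__main__":
    # Constructed sample credentials, not from the article.
    pw_file = [htpasswd_sha_entry("alice", "correct horse")]
    dg_file = [htdigest_entry("alice", REALM, "correct horse")]
    hdr = basic_authorization_header("alice", "correct horse")
    print(hdr, "->", base64.b64decode(hdr[6:]).decode())  # anyone on the path can read this
    print("basic ok:", check_basic(pw_file, hdr))
    ha1 = hashlib.md5(f"alice:{REALM}:correct horse".encode()).hexdigest()  # computed by the client
    resp = digest_response(ha1, "GET", "/private/", "nonce-from-server")
    print("digest ok:", check_digest(dg_file, "alice", REALM, "GET", "/private/", "nonce-from-server", resp))
```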
More By Michael Swanson