Password protect a web directory?

by mbourget » Wed Apr 05, 2006 1:42 pm

I'm using my O2 to serve up my website. Is there a way to password protect a directory that will prompt the visitor with a login name and password? For example, I wish to protect /var/www/htdocs/private/

I had that option with one of my ISPs in the past but that was done in the background thru them.

Thanks,

Mike

by mattc » Wed Apr 05, 2006 2:11 pm

If you're running Apache, you can use .htaccess and .htpasswd to do this via HTTP Basic Authentication.

There's a handy generator here: http://www.webmaster-toolkit.com/htaccess-generator.shtml

by foetz » Wed Apr 05, 2006 4:15 pm

you can also set it up within httpd.conf like this:

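<Directory "/path/to/the/dir">
    # realm text shown in the browser's login prompt
    AuthName "displayed_on_top_of_message_window"
    # only this user may log in
    require user username
    # password file created and maintained with htpasswd
    AuthUserFile /path/to/your/passdb
    AuthType Basic
    allow from all
    order deny,allow
</Directory>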


you have to use htpasswd to generate the file and edit users.

by mbourget » Fri Apr 07, 2006 7:46 am

Thanks guys! I tried it out but haven't gotten it to work yet. I'm guessing that I'm setting the path wrong in my .htaccess file. So far, it hasn't asked me for a password when I tried to access a file in the restricted directory. I put both .htaccess and .htpasswd files in the "private" directory.

This is what the website that mattc recommended created for the .htaccess file. Anyone see anything that does it? I'm guessing it's the AuthUserFile setting that's wrong.

AuthUserFile /var/www/htdocs/private/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic

<limit GET POST>
require valid-user
</limit>


Thanks,

Mike

by joerg » Fri Apr 07, 2006 1:02 pm

Well... it's easy :)

A .htaccess file is used for overwriting the existing Apache configuration. To allow the use of .htaccess, or rather to control which settings can be used in it, you have to set AllowOverride in your main config. The default is 'AllowOverride None', which means your Apache will never take notice of a .htaccess file.

Set 'AllowOverride AuthConfig' to allow auth-related directives in a .htaccess file. If you get a 500 error, this is the first sign that Apache reads your .htaccess. To see what's going wrong, take a look into the error.log. There you will find the reason and what else is needed.

regards
Joerg

by johnsmith » Fri Apr 07, 2006 1:05 pm

You can also put these restrictions in the Apache config file, httpd.conf.

by foetz » Fri Apr 07, 2006 2:16 pm

johnsmith wrote: You can also put these restrictions in the apache config file, httpd.conf.


yep, as i posted above.

also if you decide to use the .htaccess way you might also want to set another name for these files instead of htaccess for security reasons. this can be set via the 'AccessFileName' parameter within httpd.conf.
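
A small checker for the failure mode discussed in this thread, added here as an example that is not part of any post: it inspects constructed copies of the main config and the generated .htaccess for the AllowOverride problem joerg describes, and also flags two things the thread does not raise, a `<Limit>` wrapper that makes only the listed methods require a login and a password file stored under the document root. The function names, finding labels and sample config text are assumptions made for illustration.

```python
import re

# Constructed samples modelled on the thread: main config plus the generated .htaccess.
HTTPD_CONF = """
<Directory "/var/www/htdocs">
    AllowOverride None
</Directory>
"""
HTACCESS = """
AuthUserFile /var/www/htdocs/private/.htpasswd
AuthName "Password Protected Area"
AuthType Basic
<limit GET POST>
require valid-user
</limit>
"""

def effective_override(conf, target):
    """AllowOverride of the most specific plain-path <Directory> covering target.
    Simplification: ignores Include files, wildcards and <DirectoryMatch>."""
    best, value = -1, None
    pattern = r'(?is)<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>'
    for path, body in re.findall(pattern, conf):
        path = path.strip().rstrip("/")
        m = re.search(r"(?im)^\s*AllowOverride\s+(.+)$", body)
        covers = target == path or target.startswith(path + "/")
        if m and covers and len(path) > best:
            best, value = len(path), m.group(1).lower().split()
    return value  # None: no explicit AllowOverride found (not judged here)

def audit(conf, htaccess, target, docroot):
    """Return labels for the problems found, in a fixed order."""
    findings = []
    override = effective_override(conf, target)
    if override is not None and not {"authconfig", "all"} & set(override):
        findings.append("ALLOWOVERRIDE")  # auth directives in .htaccess are not honoured
    if re.search(r"(?is)<Limit\s[^>]*>(?:(?!</Limit>).)*?\brequire\b", htaccess):
        findings.append("LIMIT")  # only the listed HTTP methods require a login
    m = re.search(r'(?im)^\s*AuthUserFile\s+"?([^"\s]+)', htaccess)
    if m and m.group(1).startswith(docroot.rstrip("/") + "/"):
        findings.append("PASSFILE_IN_DOCROOT")  # password hashes sit in the served tree
    return findings

if __name__ == "__main__":
    print(audit(HTTPD_CONF, HTACCESS, "/var/www/htdocs/private", "/var/www/htdocs"))
```
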

