You probably also want to take a look at the Access Control howto, which discusses the + various ways to control access to your server.
+This article covers the "standard" way of protecting parts of your web site that most of you are going to use.
+ +If your data really needs to be secure, consider using
+ mod_ssl
in addition to any authentication.
Here's the basics of password protecting a directory on your server.
-You'll need to create a password file. This file should be +
First, you need to create a password file. Exactly how you do + this will vary depending on what authentication provider you have + chosen. More on that later. To start with, we'll use a text password + file.
+ +This file should be
placed somewhere not accessible from the web. This is so that
folks cannot download the password file. For example, if your
documents are served out of /usr/local/apache/htdocs
you
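Review bot: the added "If your data really needs to be secure, consider using mod_ssl in addition to any authentication" (the + lines at the top of this hunk) leaves the reason implicit; say why, namely that the password file only controls who gets into the directory while Basic authentication itself sends the credentials to the server unencrypted (as the later paragraph on mod_auth_basic states), which is exactly what mod_ssl addresses. Without that, "in addition to any authentication" reads as an optional extra rather than the only thing keeping the password off the wire. The "More on that later" in the new "First, you need to create a password file" paragraph would also read better as a pointer to the part of the howto that introduces the other providers.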
@@ -146,7 +157,10 @@
To create the file, use the htpasswd
utility that
came with Apache. This will be located in the bin
directory
- of wherever you installed Apache. To create the file, type:
To create the file, type:
If
htpasswd -c /usr/local/apache/passwd/passwords rbowen
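Review bot: the rewritten pair of sentences in this hunk now says "To create the file" twice in a row ("To create the file, use the htpasswd utility ... To create the file, type:"); drop the first occurrence, e.g. "Use the htpasswd utility that came with Apache, found in the bin directory of wherever you installed it. To create the file, type:". The example command keeps the -c flag without explaining it; a clause saying that -c creates the file and is only for the first user, since running htpasswd -c again starts a new file and discards the existing entries, would keep readers from clobbering a password file they have already populated.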
@@ -164,8 +178,8 @@
htpasswd
is not in your path, of course
you'll have to type the full path to the file to get it to run.
- On my server, it's located at
- /usr/local/apache/bin/htpasswd
/usr/local/apache2/bin/htpasswd
Next, you'll need to configure the server to request a password and tell the server which users are allowed access. @@ -181,6 +195,8 @@
AuthType Basic
AuthName "Restricted Files"
+ # (Following line optional)
+ AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen
mod_auth_basic
. It is important to be aware,
however, that Basic authentication sends the password from the client to
the server unencrypted. This method should therefore not be used for
- highly sensitive data. Apache supports one other authentication method:
- AuthType Digest
. This method is implemented by mod_auth_digest
and is much more secure. Only the most recent
- versions of clients are known to support Digest authentication.
+ highly sensitive data, unless accompanied by mod_ssl
.
+ Apache supports one other authentication method:
+ AuthType Digest
. This method is implemented by mod_auth_digest
and is much more secure. Most recent
+ browsers support Digest authentication.
The AuthName
directive sets
the Realm to be used in the authentication. The realm serves
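Review bot: "is much more secure" for AuthType Digest (the rewritten paragraph after the config block) overstates what mod_auth_digest buys: it keeps the password itself off the wire, but the protected content still travels in the clear, so the "unless accompanied by mod_ssl" qualification added two sentences earlier applies to Digest just as much as to Basic; suggest "does not send the password in clear text" and a repeat of the mod_ssl pointer. Also, the config block's "AuthUserFile /usr/local/apache/passwd/passwords" keeps the /usr/local/apache prefix while the previous hunk changed the htpasswd path to /usr/local/apache2/bin/htpasswd; pick one prefix for the whole howto so the examples can be pasted together.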
@@ -212,6 +229,12 @@
will always need to ask again for the password whenever the
hostname of the server changes.
The AuthBasicProvider
is,
+ in this case, optional, since file
is the default value
+ for this directive. You'll need to use this directive if you are
+ choosing a different source for authentication, such as
+ mod_authn_dbm
or mod_auth_dbd
.
The AuthUserFile
directive sets the path to the password file that we just
created with htpasswd
. If you have a large number
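Review bot: "mod_auth_dbd" in the list of alternative providers ("such as mod_authn_dbm or mod_auth_dbd") looks like a typo for mod_authn_dbd, matching the mod_authn_ prefix used for mod_authn_dbm on the preceding line; AuthBasicProvider names authentication provider modules, so the name should be checked against the module list before this goes out. "The AuthBasicProvider is, in this case, optional" would also read more naturally with "directive" after the directive name, as the surrounding paragraphs do for AuthName and AuthUserFile.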
@@ -317,79 +340,16 @@
different authentication method at that time.
Authentication by username and password is only part of the - story. Frequently you want to let people in based on something - other than who they are. Something such as where they are - coming from.
- -The Allow
and
- Deny
directives let
- you allow and deny access based on the host name, or host
- address, of the machine requesting a document. The
- Order
directive goes
- hand-in-hand with these two, and tells Apache in which order to
- apply the filters.
The usage of these directives is:
- -
- Allow from address
-
where address is an IP address (or a partial IP - address) or a fully qualified domain name (or a partial domain - name); you may provide multiple addresses or domain names, if - desired.
- -For example, if you have someone spamming your message - board, and you want to keep them out, you could do the - following:
- -
- Deny from 205.252.46.165
-
Visitors coming from that address will not be able to see - the content covered by this directive. If, instead, you have a - machine name, rather than an IP address, you can use that.
- -
- Deny from host.example.com
-
And, if you'd like to block access from an entire domain, - you can specify just part of an address or domain name:
- -
- Deny from 192.101.205
- Deny from cyberthugs.com moreidiots.com
- Deny from ke
-
Using Order
will let you
- be sure that you are actually restricting things to the group that you want
- to let in, by combining a Deny
and an Allow
directive:
- Order deny,allow
- Deny from all
- Allow from dev.example.com
-
Listing just the Allow
- directive would not do what you want, because it will let folks from that
- host in, in addition to letting everyone in. What you want is to let
- only those folks in.
You should also read the documentation for
mod_auth_basic
and mod_authz_host
which
contain some more information about how this all works.
mod_authn_alias
can also help in simplifying certain
authentication configurations.
And you may want to look at the Access + Control howto, which discusses a number of related topics.
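Review bot: this hunk deletes the whole Allow/Deny/Order section, including the "Order deny,allow / Deny from all / Allow from dev.example.com" example and the warning that "Listing just the Allow directive would not do what you want" because it lets everyone in; if that pitfall is not already covered by the Access Control howto this points to, it should move there rather than disappear. The replacement sentence "And you may want to look at the Access Control howto, which discusses a number of related topics" also repeats the "You probably also want to take a look at the Access Control howto" added in the first hunk; one pointer, saying concretely what the reader will find there (host-based restrictions with mod_authz_host), would be enough.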
Modified: httpd/httpd/trunk/docs/manual/howto/auth.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/howto/auth.xml?rev=355768&r1=355767&r2=355768&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/howto/auth.xml (original)
+++ httpd/httpd/trunk/docs/manual/howto/auth.xml Sat Dec 10 11:39:24 2005
@@ -81,6 +81,10 @@ of the request, but is not part of the authentication provider system.
+Authentication is any process by which you verify that someone is who they claim they are. Authorization is any process by which someone is allowed to be where they want to go, or to have information that they want to have.
- +Access control refers to the process of restricting, or + granting access to a resource based on arbitrary criteria. There + are a variety of different ways that this can be + accomplished.
+ +See: Access Control
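Review bot: "Authorization is any process by which someone is allowed to be where they want to go, or to have information that they want to have" is loose for a glossary entry; since it sits beside the authentication definition, phrase it in the same terms, e.g. deciding what an already-authenticated user may access. Likewise "based on arbitrary criteria" in the Access control entry could name the kind of criteria the howto it links to actually uses, such as the client's host name or address, so the three entries read as a progression (who you are, what you may do, and restrictions on other grounds) rather than overlapping.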
+The CGI (Common Gateway Interface) defines a way for a web