Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Delivered-To: mailing list cvs@httpd.apache.org
Message-ID: <20051210193926.62524.qmail@minotaur.apache.org>
Content-Type: text/plain; charset="utf-8"
Subject: svn commit: r355768 - in /httpd/httpd/trunk/docs/manual/howto: auth.html.en auth.xml index.xml
Date: Sat, 10 Dec 2005 19:39:25 -0000
To: cvs@httpd.apache.org
From: rbowen@apache.org
X-Mailer: svnmailer-1.0.5

Author: rbowen
Date: Sat Dec 10 11:39:24 2005
New Revision: 355768

URL: http://svn.apache.org/viewcvs?rev=355768&view=rev
Log:
Split the Access Control stuff off into its own howto, because I wanted to do some stuff that really isn't auth related.

Modified:
    httpd/httpd/trunk/docs/manual/howto/auth.html.en
    httpd/httpd/trunk/docs/manual/howto/auth.xml
    httpd/httpd/trunk/docs/manual/howto/index.xml

Modified: httpd/httpd/trunk/docs/manual/howto/auth.html.en
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/howto/auth.html.en?rev=355768&r1=355767&r2=355768&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/howto/auth.html.en (original)
+++ httpd/httpd/trunk/docs/manual/howto/auth.html.en Sat Dec 10 11:39:24 2005
@@ -35,8 +35,6 @@
  • Letting more than one person in
  • Possible problems
  • -
  • What other neat stuff can I -do?
  • More information
  • top
    @@ -90,6 +88,9 @@ of the request, but is not part of the authentication provider system.

    +

    You probably also want to take a look at the Access Control howto, which discusses the + various ways to control access to your server.

    +
    top

    Introduction
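Review bot: the new link to the Access Control howto added in this hunk points at a document that is not part of this commit; the change list has only auth.html.en, auth.xml and index.xml under Modified: and no Added: entry, so this link (and the matching ones in the "More information" hunk and in auth.xml) will dangle in the generated tree until access.xml is committed. Either commit the new howto together with this change or land it first so the cross-reference never resolves to a missing page.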

    @@ -100,6 +101,11 @@

    This article covers the "standard" way of protecting parts of your web site that most of you are going to use.

    + +

    Note:

    +

    If your data really needs to be secure, consider using + mod_ssl in addition to any authentication.

    +
    top

    The Prerequisites
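Review bot: the added Note hedges ("consider using mod_ssl") where the rest of this change is concrete; the Basic authentication paragraph in this same commit says the password is sent unencrypted and the method is unsuitable for sensitive data "unless accompanied by mod_ssl", so say that plainly here as well, for example "Basic authentication sends the password in the clear; use mod_ssl so that the password and the protected content are encrypted in transit." "Secure" on its own tells the reader neither what mod_ssl adds (encryption on the wire) nor what it does not cover (the password file itself, which the next section handles by keeping it out of the served tree).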

    @@ -137,7 +143,12 @@

    Here's the basics of password protecting a directory on your server.

    -

    You'll need to create a password file. This file should be +

    First, you need to create a password file. Exactly how you do + this will vary depending on what authentication provider you have + chosen. More on that later. To start with, we'll use a text password + file.

    + +

    This file should be placed somewhere not accessible from the web. This is so that folks cannot download the password file. For example, if your documents are served out of /usr/local/apache/htdocs you @@ -146,7 +157,10 @@
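Review bot: in the hunk that rewrote "You'll need to create a password file" (@@ -137,7 +143,12 @@), "somewhere not accessible from the web" is illustrated only with the DocumentRoot case (/usr/local/apache/htdocs); one more sentence on file permissions would close the other common leak, since the file needs to be readable only by the user the server runs as and a world-readable passwords file exposes the hashes to every local account. "More on that later" is also vague; name the section it refers to so the reader can jump there.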

    To create the file, use the htpasswd utility that came with Apache. This will be located in the bin directory - of wherever you installed Apache. To create the file, type:

    + of wherever you installed Apache. If you have installed Apache from + a third-party package, it may be in your execution path.

    + +

    To create the file, type:

    htpasswd -c /usr/local/apache/passwd/passwords rbowen @@ -164,8 +178,8 @@

    If htpasswd is not in your path, of course you'll have to type the full path to the file to get it to run. - On my server, it's located at - /usr/local/apache/bin/htpasswd

    + With a default installation, it's located at + /usr/local/apache2/bin/htpasswd

    Next, you'll need to configure the server to request a password and tell the server which users are allowed access. @@ -181,6 +195,8 @@
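Review bot: the hunk @@ -164,8 +178,8 @@ changes the default htpasswd location to /usr/local/apache2/bin/htpasswd, but the same page still uses /usr/local/apache/htdocs for the document tree and /usr/local/apache/passwd/passwords in both the htpasswd command and the AuthUserFile example, so the installation prefix is now inconsistent within one howto. Pick one prefix and use it throughout; if apache2 is the default for this branch, update the other two paths in the same change.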

    AuthType Basic
    AuthName "Restricted Files"
    + # (Following line optional)
    + AuthBasicProvider file
    AuthUserFile /usr/local/apache/passwd/passwords
    Require user rbowen

    @@ -191,9 +207,10 @@ implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for - highly sensitive data. Apache supports one other authentication method: - AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Only the most recent - versions of clients are known to support Digest authentication.

    + highly sensitive data, unless accompanied by mod_ssl. + Apache supports one other authentication method: + AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent + browsers support Digest authentication.

    The AuthName directive sets the Realm to be used in the authentication. The realm serves @@ -212,6 +229,12 @@ will always need to ask again for the password whenever the hostname of the server changes.
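Review bot: in the hunk @@ -181,6 +195,8 @@ the Digest paragraph still says mod_auth_digest "is much more secure" without qualification, directly after the Basic paragraph was changed to "unless accompanied by mod_ssl"; a reader will take Digest as a substitute for mod_ssl. State what Digest actually changes (the password itself is not sent in the clear) and keep the mod_ssl recommendation for both methods, otherwise the two sentences pull in opposite directions. Separately, the config sample now carries "# (Following line optional)" above "AuthBasicProvider file"; the paragraph added in the next hunk already explains that the line is optional because file is the default, so the comment inside the example can go.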

    +

    The AuthBasicProvider is, + in this case, optional, since file is the default value + for this directive. You'll need to use this directive if you are + choosing a different source for authentication, such as + mod_authn_dbm or mod_auth_dbd.

    +

    The AuthUserFile directive sets the path to the password file that we just created with htpasswd. If you have a large number @@ -317,79 +340,16 @@ different authentication method at that time.
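Review bot: in the hunk @@ -212,6 +229,12 @@ the new AuthBasicProvider paragraph names "mod_auth_dbd" alongside "mod_authn_dbm"; the authentication provider modules carry the mod_authn_ prefix, as the sibling module in the same sentence does, so this should read mod_authn_dbd. Check the module reference resolves before the .html.en is regenerated, since a bad module name becomes a broken link in the rendered page.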

    top
    -

    What other neat stuff can I -do?

    -

    Authentication by username and password is only part of the - story. Frequently you want to let people in based on something - other than who they are. Something such as where they are - coming from.

    - -

    The Allow and - Deny directives let - you allow and deny access based on the host name, or host - address, of the machine requesting a document. The - Order directive goes - hand-in-hand with these two, and tells Apache in which order to - apply the filters.

    - -

    The usage of these directives is:

    - -

    - Allow from address -

    - -

    where address is an IP address (or a partial IP - address) or a fully qualified domain name (or a partial domain - name); you may provide multiple addresses or domain names, if - desired.

    - -

    For example, if you have someone spamming your message - board, and you want to keep them out, you could do the - following:

    - -

    - Deny from 205.252.46.165 -

    - -

    Visitors coming from that address will not be able to see - the content covered by this directive. If, instead, you have a - machine name, rather than an IP address, you can use that.

    - -

    - Deny from host.example.com -

    - -

    And, if you'd like to block access from an entire domain, - you can specify just part of an address or domain name:

    - -

    - Deny from 192.101.205
    - Deny from cyberthugs.com moreidiots.com
    - Deny from ke -

    - -

    Using Order will let you - be sure that you are actually restricting things to the group that you want - to let in, by combining a Deny and an Allow directive:

    - -

    - Order deny,allow
    - Deny from all
    - Allow from dev.example.com -

    - -

    Listing just the Allow - directive would not do what you want, because it will let folks from that - host in, in addition to letting everyone in. What you want is to let - only those folks in.

    -
    top
    -

    More information

    You should also read the documentation for mod_auth_basic and mod_authz_host which contain some more information about how this all works. mod_authn_alias can also help in simplifying certain authentication configurations.

    + +

    And you may want to look at the Access + Control howto, which discusses a number of related topics.

    +

    Available Languages:  en  | Modified: httpd/httpd/trunk/docs/manual/howto/auth.xml URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/howto/auth.xml?rev=355768&r1=355767&r2=355768&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/howto/auth.xml (original) +++ httpd/httpd/trunk/docs/manual/howto/auth.xml Sat Dec 10 11:39:24 2005 @@ -81,6 +81,10 @@ of the request, but is not part of the authentication provider system.
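Review bot: in the auth.html.en hunk @@ -317,79 +340,16 @@ the Allow/Deny/Order material is removed, but "More information" still sends readers to mod_authz_host for "more information about how this all works"; Allow, Deny and Order are mod_authz_host directives and nothing left on this page uses them, so either drop that reference here or say explicitly that it belongs with the host-based control now covered in the Access Control howto. When the removed examples move into the new howto, replace the real-looking names and address (cyberthugs.com, moreidiots.com, 205.252.46.165, 192.101.205) with example.com names and a reserved documentation address, so the manual does not single out a real domain or host.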

    +

    You probably also want to take a look at the Access Control howto, which discusses the + various ways to control access to your server.

    +
    Introduction @@ -91,6 +95,11 @@

    This article covers the "standard" way of protecting parts of your web site that most of you are going to use.

    + + Note: +

    If your data really needs to be secure, consider using + mod_ssl in addition to any authentication.

    +
    The Prerequisites @@ -128,7 +137,12 @@

    Here's the basics of password protecting a directory on your server.

    -

    You'll need to create a password file. This file should be +

    First, you need to create a password file. Exactly how you do + this will vary depending on what authentication provider you have + chosen. More on that later. To start with, we'll use a text password + file.

    + +

    This file should be placed somewhere not accessible from the web. This is so that folks cannot download the password file. For example, if your documents are served out of /usr/local/apache/htdocs you @@ -137,7 +151,10 @@

    To create the file, use the htpasswd utility that came with Apache. This will be located in the bin directory - of wherever you installed Apache. To create the file, type:

    + of wherever you installed Apache. If you have installed Apache from + a third-party package, it may be in your execution path.

    + +

    To create the file, type:

    htpasswd -c /usr/local/apache/passwd/passwords rbowen @@ -155,8 +172,8 @@

    If htpasswd is not in your path, of course you'll have to type the full path to the file to get it to run. - On my server, it's located at - /usr/local/apache/bin/htpasswd

    + With a default installation, it's located at + /usr/local/apache2/bin/htpasswd

    Next, you'll need to configure the server to request a password and tell the server which users are allowed access. @@ -172,6 +189,8 @@ AuthType Basic
    AuthName "Restricted Files"
    + # (Following line optional)
    + AuthBasicProvider file
    AuthUserFile /usr/local/apache/passwd/passwords
    Require user rbowen
    @@ -183,10 +202,11 @@ implemented by mod_auth_basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for - highly sensitive data. Apache supports one other authentication method: + highly sensitive data, unless accompanied by mod_ssl. + Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Only the most recent - versions of clients are known to support Digest authentication.

    + >mod_auth_digest and is much more secure. Most recent + browsers support Digest authentication.

    The AuthName directive sets the Realm to be used in the authentication. The realm serves @@ -205,6 +225,13 @@ will always need to ask again for the password whenever the hostname of the server changes.
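Review bot: in the auth.xml hunk @@ -183,10 +202,11 @@ the rewrapped line begins with ">mod_auth_digest", i.e. the opening tag of the module element for mod_auth_digest was split across the line break so that only its closing ">" lands on the new line; it is still well-formed XML, but it is easy to break on the next edit and hard to grep for, so keep the whole tag on one line.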

    +

    The AuthBasicProvider is, + in this case, optional, since file is the default value + for this directive. You'll need to use this directive if you are + choosing a different source for authentication, such as + mod_authn_dbm or mod_auth_dbd.

    +

    The AuthUserFile directive sets the path to the password file that we just created with htpasswd. If you have a large number @@ -314,81 +341,16 @@ different authentication method at that time.

    -
    What other neat stuff can I -do? -

    Authentication by username and password is only part of the - story. Frequently you want to let people in based on something - other than who they are. Something such as where they are - coming from.

    - -

    The Allow and - Deny directives let - you allow and deny access based on the host name, or host - address, of the machine requesting a document. The - Order directive goes - hand-in-hand with these two, and tells Apache in which order to - apply the filters.

    - -

    The usage of these directives is:

    - - - Allow from address - - -

    where address is an IP address (or a partial IP - address) or a fully qualified domain name (or a partial domain - name); you may provide multiple addresses or domain names, if - desired.

    - -

    For example, if you have someone spamming your message - board, and you want to keep them out, you could do the - following:

    - - - Deny from 205.252.46.165 - - -

    Visitors coming from that address will not be able to see - the content covered by this directive. If, instead, you have a - machine name, rather than an IP address, you can use that.

    - - - Deny from host.example.com - - -

    And, if you'd like to block access from an entire domain, - you can specify just part of an address or domain name:

    - - - Deny from 192.101.205
    - Deny from cyberthugs.com moreidiots.com
    - Deny from ke -
    - -

    Using Order will let you - be sure that you are actually restricting things to the group that you want - to let in, by combining a Deny and an Allow directive:

    - - - Order deny,allow
    - Deny from all
    - Allow from dev.example.com -
    - -

    Listing just the Allow - directive would not do what you want, because it will let folks from that - host in, in addition to letting everyone in. What you want is to let - only those folks in.

    -
    -
    More information

    You should also read the documentation for mod_auth_basic and mod_authz_host which contain some more information about how this all works. mod_authn_alias can also help in simplifying certain authentication configurations.

    + +

    And you may want to look at the Access + Control howto, which discusses a number of related topics.

    +
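Review bot: the auth.xml hunks carry line-for-line the same text as the auth.html.en hunks above, and auth.html.en is the build output generated from this file; the module-name, path-prefix and wording problems in this change are source-level, so fix them in this XML and regenerate auth.html.en from it rather than patching both copies by hand, otherwise the two drift apart on the next edit.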
    Modified: httpd/httpd/trunk/docs/manual/howto/index.xml URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/howto/index.xml?rev=355768&r1=355767&r2=355768&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/howto/index.xml (original) +++ httpd/httpd/trunk/docs/manual/howto/index.xml Sat Dec 10 11:39:24 2005 @@ -1,4 +1,15 @@ + + + access + /howto/ + .. + + + en + + + @@ -30,18 +41,30 @@ How-To / Tutorials
    -
    Authentication
    +
    Authentication and Authorization

    Authentication is any process by which you verify that someone is who they claim they are. Authorization is any process by which someone is allowed to be where they want to go, or to have information that they want to have.

    -

    See: Authentication, Authorization, and Access Control

    +

    See: Authentication, Authorization

    +
    Access Control
    +
    +

    Access control refers to the process of restricting, or + granting access to a resource based on arbitrary criteria. There + are a variety of different ways that this can be + accomplished.

    + +

    See: Access Control

    +
    +
    + +
    Dynamic Content with CGI

    The CGI (Common Gateway Interface) defines a way for a web
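Review bot: in the index.xml hunks the new "access" metafile entry and the "Access Control" section both point at a howto that is not part of this commit (the change list has no Added: entry), so the index will carry a dead link until access.xml lands; commit it together with this. Two smaller points: "See: Authentication, Authorization" keeps the comma from the old three-item list and should read "Authentication and Authorization" to match the renamed heading, and "based on arbitrary criteria" could name the criteria the section removed from auth.xml actually covered (the requesting host's name or address) so the reader knows which howto to open.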