From "David" <amdaw...@starhub.net.sg>
Subject RE: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password
Date Tue, 09 Sep 2003 18:55:32 GMT

Hi !!

"Safety is a relative thing... but in this case, outside htdocs could mean
something like making a new folder, "\Apache Group\Apache2\private", and
access only by the user that the web server runs as."

Does this mean that when I restrict access to that folder, only the
physical user on my computer which my webserver is running on will be
able to access these files, in my case the password file?

I am under the impression that any document that is OUTSIDE the root document
folder (in my case the htdocs folder) will not be accessible by ANY
visitors of my website. So, putting the password OUTSIDE the htdocs
folder is safe.

I apologise for the confusion.

My next enquiry.
"I'm not sure if there's a way to allow only specific files.  There was a
the restricted files into the same folder, and put an .htaccess there.  Like
"\Apache Group\Apache2\htdocs\protected\" which has your .htaccess."

I am not too familiar with the .htaccess issue. Is it a file? Or a
directive? Many thanks for your time and attention.

Regards
David

-----Original Message-----
From: Leif W [mailto:warp-9.9@usa.net]
Sent: Thursday, September 11, 2003 2:44 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] htpasswd with Apache 2.0 - extra characters at the end of the password

----- Original Message -----
From: "David" <amdawong@starhub.net.sg>
To: <users@httpd.apache.org>
Sent: Tuesday, September 09, 2003 2:23 PM
Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters
at

> Dear Leif,
>
> Many thanks for your mail. I followed your instructions and the
> authentication works like wonder! Now I have a basic authentication
> service for my webserver!
>
> However, I have a few queries pertaining to the security of my
> file and its integrity.
>
> 1. You mentioned that my password file should be "outside your web or
> DocumentRoot folders". My webfolder is the standard default folder that
> comes along with apache webserver (i.e. in the \Apache Group\Apache2\htdocs).
> I placed my password file OUTSIDE that folder. Is it safe enough?

Safety is a relative thing... but in this case, outside htdocs could mean
something like making a new folder, "\Apache Group\Apache2\private", and
access only by the user that the web server runs as.

> 2. I am now able to put an authentication system on my entire
> webserver.
>
> I do not need to protect my entire website with password. I only need
> to authentication. How can I do it?

I'm not sure if there's a way to allow only specific files.  There was a
the restricted files into the same folder, and put an .htaccess there.  Like
"\Apache Group\Apache2\htdocs\protected\" which has your .htaccess.

Also note, with the basic authentication mechanism, the username and
password are sent in clear-text over the internet, so if you're using this
for anything other than on your LAN, you'll likely want to look into
something more secure, like setting up Apache with SSL.  Not sure how to do
this on Windows, because the standard Apache binary .msi has no SSL built in
(probably due to export restrictions), so you'd have to find a copy that
someone builds (and be sure that it's safe to use), or compile Apache from
source (trivial in Linux/FreeBSD standard installs, non-trivial in Windows
standard installs).  This was also in the archives; someone maybe posted a
URL to some precompiled win32 binaries with SSL.

Leif

> Many thanks once again.
>
> Warmest Regards
> David
>
> -----Original Message-----
> From: Leif W [mailto:warp-9.9@usa.net]
> Sent: Thursday, September 11, 2003 1:34 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] htpasswd with Apache 2.0 - extra characters
> at the end of the password
>
> Hello,
>
> Check out mod_auth docs.
> http://httpd.apache.org/docs-2.0/mod/mod_auth.html
> and the core docs for AuthType and Require directives.
>
> Use the htpasswd program to generate usernames and passwords in an
> .htpasswd file.  Type htpasswd with no args to see usage.  Make sure your
> PATH has the "C:\Program Files\Apache Group\Apache2\bin" folder.
>
> Create a new .htpasswd file:
>
> htpasswd -c \path\to\.htpasswd user1
>
> Add a new user to existing file:
>
> htpasswd \path\to\.htpasswd user2
>
> .htpasswd file looks like this:
> user1:$apr1$4r0.....$UhfqMbRX/Hm/zIapnQnes.
> user2:$apr1$ar0.....$KVQb4b../XWSGjV2nPSOJ/
>
> Put it in a safe place outside your web or DocumentRoot folders.
>
> Choose if you're going to put your Auth stuff in a Directory block, or
> use AllowOverride AuthConfig, and put in an .htaccess into the folder to
> protect.
>
> Directory or .htaccess Directives used (very simple):
>
> AuthUserFile "\path\to\.htpasswd"
> AuthName "protected server"
> AuthType Basic
> Require valid-user
>
> ----- Original Message -----
> From: "David" <amdawong@starhub.net.sg>
> To: <users@httpd.apache.org>
> Sent: Tuesday, September 09, 2003 1:01 PM
> Subject: RE: [users@httpd] htpasswd with Apache 2.0 - extra characters
> at
> the end of the password
>
>
> Hello Brian!!
>
> I would like to implement a basic authentication system using my apache.
> You mentioned that you managed to get the security to
>
> "work via .htaccess, as well as just using <Directory> access via the
> httpd.conf file".
>
> Can you elaborate a little more? I would like to do the same. I am using
> Windows XP.
>
> Regards,
> David
>
> -----Original Message-----
> From: Brian Gulizia [mailto:brian.gulizia@complexlit.com]
> Sent: Thursday, September 11, 2003 12:07 AM
> To: users@httpd.apache.org
> Subject: [users@httpd] htpasswd with Apache 2.0 - extra characters at
> the end of the password
>
> Hello,
> I have a server that is running Redhat 9.0, and the Apache web server
> that came with it. I am currently working on the security for a website
> using basic authentication. I have been able to successfully get the
> security to work via .htaccess, as well as just using <Directory> access
> via the httpd.conf file.
> However in testing I've found that, while you will only gain access to
> the protected directory by entering the password, you can also put a
> bunch of extra characters after the password and it will still allow
> access.
> I've searched the web, as well as the documentation, and couldn't find
> anything mentioning this caveat. Is this normal, or is there something
> that perhaps I've missed in my setup that could be causing this?
> Thanks,
> Brian Gulizia
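As an added example, not code from the thread or from Apache: a Python implementation of the $apr1$ scheme behind the user:hash lines Leif shows, a lookup against a constructed .htpasswd text, and a decoder for the browser's Authorization: Basic header, which makes Leif's clear-text warning concrete because the credential is only base64-encoded. An $apr1$ entry hashes the whole password, so a password with trailing junk is rejected; the 8-character limit of traditional crypt() entries, the Unix default for htpasswd in Apache 2.0, is the usual explanation for what Brian observed. The users, salts and passwords below are constructed, and the entries are generated by apr1_md5 itself rather than copied from the thread.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ scheme (MD5-crypt variant written by `htpasswd -m`)."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of len(pw): NUL or first char
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3: c.update(sl)
        if i % 7: c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = ""                          # APR's byte order for the 22-char encoding
    for a, b, c3 in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c3]
        for _ in range(4):
            out, v = out + ITOA64[v & 0x3F], v >> 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$apr1${sl.decode()}${out}"

def verify_htpasswd(htpasswd_text: str, user: str, password: str) -> bool:
    # Each line is user:hash; only $apr1$ entries are handled here.
    for line in htpasswd_text.splitlines():
        name, sep, stored = line.partition(":")
        if sep and name == user and stored.startswith("$apr1$"):
            salt = stored.split("$")[2]            # salt sits between the 2nd and 3rd '$'
            return hmac.compare_digest(apr1_md5(password, salt), stored)
    return False

def check_basic_header(header: str, htpasswd_text: str) -> tuple:
    # "Basic <base64(user:password)>": base64 is an encoding, not encryption.
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic": return "", False
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, verify_htpasswd(htpasswd_text, user, password)
```

Running verify_htpasswd with the correct password, and again with extra characters appended, shows the second attempt failing against an $apr1$ entry.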