In this article I will show you step by step guide where in you apache server you can create protected directoties which can be accessed only by respectvie users with proper access.

I would assume you have http package installed on your setup, if not you can manually install them
If you do not have an active online yum repository then you can create an offline yum repository

next install httpd and all it’s dependency packages

# yum -y install httpd

I have a directory under “/var/www/html/secret/” which must be only accessed by user “deepak”
So let us first create this directory

# mkdir /var/www/html/secret/

I will create a dummy index.html file inside /var/www/html/secret/ for deepak

# cat /var/www/html/secret/index.html
###########
## This is a secret file for Deepak only
###########

Before starting with our httpd configuration, we should create passwd file for user “deepak”.

NOTE: Here deepak will not use the system’s passwd file, instead we will have to create a new one which will be used by Apache for the authentication which will be created by htpasswd

  • htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users.
  • Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd.
  • htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system’s crypt() routine.
  • Files managed by htpasswd may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

 

Use the below command syntax to create password for user “deepak”
# htpasswd -c /etc/httpd/.htpasswd deepak
New password:
Re-type new password:
Adding password for user deepak

NOTE: You can give any other secure path for the .htpasswd file. For me I am using /etc/httpd

If you see the content of this .htpasswd file

# cat /etc/httpd/.htpasswd
deepak:$apr1$2D7PPz82$cSP2lNCNmzE80dXrXakAI/

Here

-c Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.

Next, you’ll need to configure the server to request a password and tell the server which users are allowed access.
You can do this either by editing the httpd.conf file or using an .htaccess file.

For example, if you wish to protect the directory /var/www/html/secret/, you can use the following directives, either placed in the file /var/www/html/secret/.htaccess, or placed in /etc/httpd/conf/httpd.conf inside a <Directory “/var/www/html/secret”> section.

Method 1: Using .htaccess file

If you plan to use .htaccess files, you will need to have a server configuration that permits putting authentication directives in these files. This is done with the AllowOverride directive, which specifies which directives, if any, may be put in per-directory configuration files.

Since we’re talking here about authentication, you will need an AllowOverride directive like the following

AllowOverride AuthConfig

So let me append this in my /etc/httpd/conf/httpd.conf

NOTE: Comment all other Directory variable in your httpd.conf pointing to /var/www or /var/www/html or similar path. Or you must add AllowOverride AuthConfig to all those Directory variables for .htaccess to work since our secret directory lies under /var/www/html

Alias /web “/var/www/html/secret/”

<Directory “/var/www/html/secret”>
AllowOverride AuthConfig
</Directory>

NOTE: I have used an alias here which is optional.

Next create a .htaccess file with below content at /var/www/html/secret/.htaccess

AuthType Basic
AuthName “Secret Files”
AuthUserFile /etc/httpd/.htpasswd
Require user deepak

We are all set up to start out httpd server

# systemctl restart httpd

# systemctl is-active httpd
active

Now you can try to access your page with an alias /web as we have used, it must prompt for username and password

Method 2: Using Directory in httpd.conf

Add below content at then end of “/etc/httpd/conf/httpd.conf”.

NOTE: Here VirtualHosting is not needed mandatory, I have just added to add a custom error log and DocumentRoot which can come handy

Alias /web “/var/www/html/secret/”

<VirtualHost 192.168.1.6:80>
ServerAdmin root@server.golinuxhub.com
ServerName golinuxhub-server
DocumentRoot /var/www/html/secret
ErrorLog logs/error_log

<Directory “/var/www/html/secret”>
AuthType Basic
AuthName “Secret Files”
AuthUserFile /etc/httpd/.htpasswd
Require user deepak
</Directory>
</VirtualHost>

The AuthType directive selects that method that is used to authenticate the user. The most common method is Basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl.

Save and exit the file followed by a service restart

# systemctl restart httpd

# systemctl is-active httpd
active

Now you can try to access your page with an alias /web as we have used, it must prompt for username and password.

How to provide authentication to multiple users?

The steps are similar and again can be done using both the methods as explained earlier. For the sake of this example I will use <Directory> method to give an example

Assign password to all other users using below command and the same password file as used earlier

# htpasswd  /etc/httpd/.htpasswd ankit
New password:
Re-type new password:
Adding password for user ankit

# htpasswd  /etc/httpd/.htpasswd amit
New password:
Re-type new password:
Adding password for user amit

Now if we check we have three entries for three difference users

# cat /etc/httpd/.htpasswd
amit:$apr1$//0qsYXA$b/YBtjYWNVnAq.ktus1yD.
deepak:$apr1$eAmlseNr$F8TRQZvqoxGn5TDmdrT311
ankit:$apr1$bEXxG.Wh$Ejavy56OHpFVBHs8ETah41

Next we will need to create a group file that associates group names with a list of users in that group. The contents of the file will look like this:

NOTE: You can create the group with any name and can be at any location, for me I am using below path.

# cat /etc/httpd/.groups
GroupName: deepak amit ankit

Here I have added three users to my group for which I will pass authentication using httpd.conf

Next update your httpd.conf with below content

Alias /web “/var/www/html/secret/”

<Directory “/var/www/html/secret”>
AuthType Basic
AuthName “Secret Files”
AuthUserFile “/etc/httpd/.htpasswd”
AuthGroupFile “/etc/httpd/.groups”
Require group GroupName
</Directory>

IMPORTANT NOTE: 
You can use the same content under “/var/www/html/secret/.htaccess” if you wish to use Method 1 from this article.i.e with htaccess

Here we are using “Require group” instead of “Require user” and added a new argument “AuthGroupFile” to point to the group file we have created

Next save and exit the file and restart the httpd service to activate our change

# systemctl restart httpd

# systemctl is-active httpd
active

So all looks good, give your change a trial to see if the browser prompts you for authentication

Source: https://www.golinuxhub.com/2018/04/how-to-set-up-password-authentication-htpasswd-htaccess-centos.html

Leave a Reply

Your email address will not be published. Required fields are marked *