The do's, do not's & maybe's of Computers.
  • HTAccess for Apache 2

    Posted on April 19th, 2009 by david

    HTAccess for Apache can be a very handy feature that allows for simple or complex access control on directories. It is built into Apache HTTP Server by default. In its simplest form, when a web browser requests a page that is protected by a .htaccess file, the web server asks for authentication, usually a username and password. Apache checks these against the password file and the access rules for that directory, and then either serves the page or answers with a 401.

    To get this feature up and running you only need a few steps. There can be some messy bits if the default configuration file (httpd.conf) has been modified, so keep an eye out for that.

    1. Install the software

    If you are running a Linux server then Apache 2 is usually installed, or a package away, and the tool that generates the password hashes (htpasswd) comes with it. The same goes for Mac. On Windows you will need to get the software from http://httpd.apache.org/; the Windows build ships the same tool as htpasswd.exe in its bin directory. Installation should be pretty straightforward. If you're using Vista or Server 2008, User Account Control might give you a little trouble (I usually turn that off as soon as I install the OS :) )

    2. Configuring Apache

    Whether Apache honours a .htaccess file at all depends on the AllowOverride setting in the <Directory> block that covers the directory you want to protect. The stock httpd.conf and most distribution packages set "AllowOverride None" for the document root, in which case your .htaccess file is silently ignored, so check this before you place your .htaccess and .htpasswd files. If for example you are using virtual hosts, make sure the directory definition specifies "AllowOverride AuthConfig" (or a list that includes AuthConfig); that is what lets the authentication directives in the .htaccess file take effect. "AllowOverride All" also works and is the easiest way to configure it, but it lets anyone who can write a .htaccess file into that directory change far more than authentication, so AuthConfig is the safer choice.

    3. HTAccess File

    So first thing, make sure you can access the directory over the web (kind of an obvious one, but you'd be surprised how often people don't check). Next, in that directory make a file called ".htaccess". Inside it put this (use plain straight quotes, not the curly ones a word processor inserts, or Apache will reject the line):

    1. AuthUserFile "/var/www/html/.htpasswd"
    2. AuthType Basic
    3. AuthName "Restricted Folder"
    4. Require valid-user

    So line by line

    1. Is the full path to the file where the usernames and passwords are stored. The usernames are stored in plaintext; the passwords are hashed in one of the formats htpasswd supports. Note that the SHA-1 option (-s) writes a single, unsalted SHA-1 digest, so it is actually easier to attack offline than the default "$apr1$" format, which is a salted MD5 run for 1000 rounds; on Apache 2.4.4 or later, bcrypt (-B) is the strongest choice. Also, this path puts the file inside the document root, where the only thing stopping it from being downloaded is the default httpd.conf rule that denies files whose names start with ".ht"; keeping it outside the document root is safer.

    2. Specifies the authentication mechanism. Basic means the browser sends the username and password with every request to the protected directory, base64-encoded but otherwise unprotected.

    3. This is simply the name (the "realm") that appears in the dialogue box the browser shows when it prompts you for your username and password.

    4. This specifies who has access to this folder. Here "valid-user" means anyone listed in the .htpasswd file that we will create in a minute. Otherwise you can name individual users with "Require user" followed by the usernames, separated by single spaces.

    Many more options for this file can be found in the Apache docs, which are well worth a quick check to see if there is any other configuration that you want. They can be found on your Apache server at http://yourservername/manual (if the manual is installed) or at http://httpd.apache.org/docs/2.2/

    4. HTPasswd File Generation

    Step 3 defined the .htaccess file, and its first line specified where the .htpasswd file will be. So go to that directory, but don't create the file yourself; htpasswd will create it in the next step. (I use the names .htpasswd and .htaccess as these are Apache's defaults and do not require any changes to httpd.conf. Also note that the default httpd.conf refuses to serve any file whose name starts with ".ht"; it is that rule, not the leading dot, that keeps these files from being downloaded, so don't rely on a dot to hide other files.)

    On Linux or Mac (and on Windows, where the same tool is htpasswd.exe) run the command "htpasswd -cs .htpasswd bob". The -c switch creates the file for you, and bob is the username. The -s switch selects the SHA-1 format rather than the default salted MD5 ("$apr1$"); as noted above, -s gives an unsalted hash, so leaving it out (or using -B for bcrypt on Apache 2.4.4 and later) is the better choice. Either way htpasswd prompts for the password twice; avoid the -b switch, which takes the password on the command line and leaves it in your shell history. If you want to add more users then run "htpasswd -s .htpasswd mary", which appends the user to the end of the file. Make sure you do not use -c after you have created the file, or it will overwrite the old file and create a new one. (This has happened to me before and is a right pain.)

    5. Test it

    So that's it really. As long as the .htaccess file is in the directory that you want to protect, Apache will ask for a valid username and password on every access to it (the browser resends the cached credentials until it is closed; there is no logout). If you go to the directory and cannot log in, there are three likely reasons: 1. The AuthUserFile path in the .htaccess file is incorrect. 2. The file permissions are wrong: the user Apache runs as must be able to read both files, so set them accordingly (and the .htpasswd file should not be readable by anyone else). 3. AllowOverride for the directory does not include AuthConfig, in which case Apache either ignores the .htaccess file entirely or, if it rejects the directives, returns a 500 error. Apache's error log will tell you which of these it is.

    And that’s it…..

    One thing to note is that this only controls access to that directory through Apache, and it is really only a simple means of protection. With Basic authentication the username and password travel to the web server in cleartext (base64 is an encoding, not encryption) on every request, so an eavesdropper could simply capture the packets and log in as you. Serving the protected directory over SSL/TLS only prevents this. There is also no lockout, so an attacker can try passwords as fast as the server answers, and if the .htpasswd hashes ever leak they can be attacked offline; choose strong passwords and keep the file readable only by the server.
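    The following is an added example, not code from the original post, that models offline what Apache does with the .htaccess and .htpasswd pair from steps 3 and 4, and what the browser actually puts in the Authorization header (the cleartext point above). It implements the two hash formats the post discusses (the default salted, 1000-round MD5 "$apr1$" that htpasswd writes, and the unsalted "{SHA}" that -s selects), reads the Require directive, and returns the status Apache would send. The password-file path, the users mary and dave and their shared password are constructed for the example; the myName line is the sample record from the Apache htpasswd documentation. Real Apache also accepts crypt(3) and bcrypt hashes, which are not modelled here.

```python
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Apache's own base64 alphabet, 6 bits at a time, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))

def apr1_hash(password, salt):
    """$apr1$: salted MD5 with 1000 rounds, the default format 'htpasswd' writes."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)
    while bits:  # one byte per bit of len(pw), as in md5crypt
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):  # the key stretching that an unsalted '{SHA}' lacks
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups) + _to64(final[11], 2)
    return "$apr1$" + salt.decode() + "$" + encoded

def sha_hash(password):
    """{SHA}: a single unsalted SHA-1, what 'htpasswd -s' writes."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def verify_password(password, stored):
    """Check a password against one .htpasswd hash field (crypt/bcrypt not modelled)."""
    if stored.startswith("$apr1$"):
        candidate = apr1_hash(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = sha_hash(password)
    else:
        return False
    return hmac.compare_digest(candidate.encode(), stored.encode())

def parse_htpasswd(text):
    """One 'user:hash' per line, as htpasswd writes it."""
    return dict(line.partition(":")[::2] for line in text.splitlines() if ":" in line)

def parse_require(htaccess):
    """('valid-user', set()) or ('user', {names}); None when Require is missing."""
    for parts in (line.split() for line in htaccess.splitlines()):
        if len(parts) >= 2 and parts[0].lower() == "require":
            return parts[1], set(parts[2:])
    return None

def basic_header(user, password):
    """What the browser sends on every request: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header):
    """What an eavesdropper recovers from a captured Authorization header."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, _, password = creds.partition(":")  # only the first ':' separates
    return user, password

def authorize(htaccess, htpasswd, auth_header):
    """(status, reason) as Apache would answer; an unlisted user also gets 401, not 403."""
    require = parse_require(htaccess)
    if require is None:
        return 200, "no Require directive: directory is not protected"
    creds = decode_basic(auth_header) if auth_header else None
    if creds is None:
        return 401, "no credentials"
    user, password = creds
    stored = parse_htpasswd(htpasswd).get(user)
    if stored is None or not verify_password(password, stored):
        return 401, "bad credentials"
    if require[0] == "user" and user not in require[1]:
        return 401, "user not in Require list"
    return 200, "ok"

# Constructed sample data: an assumed path outside the docroot, the sample
# record from the Apache htpasswd docs, and two '-s' users sharing a password.
HTACCESS = ('AuthUserFile "/etc/apache2/htpasswd"\nAuthType Basic\n'
            'AuthName "Restricted Folder"\nRequire valid-user\n')
HTPASSWD = ("myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\n"
            f"mary:{sha_hash('password')}\n"
            f"dave:{sha_hash('password')}\n")
```

    Calling authorize with no header gives the 401 that triggers the browser's login dialogue, and with basic_header("myName", "myPassword") it gives 200. decode_basic(basic_header(...)) hands back the password verbatim, which is the whole of what a packet capture costs you without TLS. parse_htpasswd(HTPASSWD) shows mary and dave with byte-identical {SHA} lines: that is what "unsalted" means in practice, one guess tests every user at once, whereas the $apr1$ routine above has to be run per user and per salt. On Apache 2.4.4 or later, htpasswd -B (bcrypt) is stronger than either format modelled here.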


Disclaimer: All information published on this website is for knowledge purposes only. This website and the authors of its content cannot be held responsible for any loss/damage to a user's computer (either software or hardware) which may have occurred as a result of the information posted above. All information published on this website is the expressed opinion of its authors. This information is provided as is, with no acknowledgement of responsibility, liability or guilt for any damage resulting from its use.
©2009 Strotos Communications