apache Password Protected Directory

In this section, we'll create a specially protected directory with tools available on the system.

Configure Password Protected Directory

This section addresses httpd security in the form of a password-protected directory. There are several ways to approach this configuration, so we'll stick with the simplest of approaches. Further refinements are left to the student as needed.[22]

Figure 6.22. Password Protected Directory Image #1


The first task is to change to the appropriate directory ('/etc/http/conf.d')[23]. Next we are going to create a dedicated config file for the directory that we want to protect. Create and edit the file as specified.[24]

Figure 6.23. Password Protected Directory Image #2


Once the file is created, enter the content as shown above. Then save and exit the file.
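The screenshot with the file's content is not reproduced here, so the stanza below is an equivalent of what such a conf.d file holds (an added example, not the course's own file). The directory and password-file paths are the ones used in this lesson; the file name and the AuthName text are assumptions.

```apache
# Assumed file name: /etc/http/conf.d/secure.conf (any name ending in .conf in conf.d is read)
<Directory "/var/www/html/secure">
    # Basic authentication: the browser sends user:password base64-encoded, not encrypted
    AuthType Basic
    # This text is what the browser shows in its "The site says:" dialog
    AuthName "Secure Area"
    # The file created with `htpasswd -c` in the next section
    AuthUserFile /etc/http/.htpasswd
    # Any user listed in AuthUserFile may enter; `Require user secure-user1` would narrow it
    Require valid-user
</Directory>
```

Apache does not accept a comment on the same line as a directive, which is why each comment sits on its own line.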

[Important] The Protected Directory Must Exist

The directory that is being protected must exist. If you create the config file and then reload or restart the service while the directory does not exist, an error will be thrown. Most likely, you'll have to create the directory manually. However, in some instances, you may simply need to secure a directory that already exists. All other steps remain the same, except for the directory creation. We will create this directory in the section called "Create Content for apache Protected Directory".

Create User for apache Protected Directory

Next we need to create the user that will access the protected content. This does not have to be a regular system user. As shown in the screenshot below, we are going to create two users. apache provides a dedicated utility for creating these users, called htpasswd.

Figure 6.24. Password Protected Directory Image #3


The series of commands above has the following context.

  1. First, change to the directory where the file will be kept. It's easily contained if it's with the other apache config files.
  2. The command `htpasswd -cm /etc/http/.htpasswd secure-user1` creates the password file and adds the indicated user to it. The location is arbitrary and can be somewhere else if desired. Note that the command automatically prompts for the user's password.
  3. When the command is run a second time, the '-c' flag isn't necessary (it would create a fresh file and overwrite the one just made). However, the '-m' flag is still important. Once again, a prompt for the new user's password is issued.
  4. Finally, after the file has been created, its contents contain the hashed passwords that were entered.

[Warning] httpd Basic Authentication Sends Passwords In Clear Text

Although the passwords as stored on disk are hashed, they are not encrypted when sent from the browser, as shown below. This is the default behavior of Basic authentication: a person using a packet sniffer on the wired or wireless network can capture the passwords of httpd Basic authentication. Use of Digest authentication changes this behavior, but the configuration is more complex; serving the protected directory over HTTPS protects the credentials in transit whichever authentication type is used.

Create Content for apache Protected Directory

Now we need to create the directory and content that will be protected. Follow the steps below to complete this task.

Figure 6.25. Password Protected Directory Image #4


The image above shows the next two steps in this process. First, we have created the directory that is to be protected: '/var/www/html/secure'. Next, we have created a simple index.html file in that directory. When a browser requests this directory, the request will not be serviced until a valid username and password are entered.

Figure 6.26. httpd Reload

Reload the httpd service.

Since we've modified the apache configuration file, a server restart is necessary.[25]

Access the apache Protected Directory

Figure 6.27. Password Protected Directory Image #6


This is the password dialog that the browser presents when attempting to access the secure area. Note that the text in the "The Site Says:" section corresponds to the AuthName directive in the stanza of the config file that configures this directory. See Figure 6.23, "Password Protected Directory Image #2" for details.

Figure 6.28. Virtual Host Configuration Image #6


Finally, after entering a valid username and password, we are granted access to the secure area.



[22] Additional concepts regarding this method are a) digest authentication, b) group authorization, c) use of '.htaccess' files, and more. See the Apache 2.4 Webserver Documentation, then click on Authentication and Authorization in the upper right corner, for more details.

[23] Any time there is a directory that ends in '.d', it's called a dump directory. Typically, this means that files dumped in this directory are considered to be, and are read as, additional configuration files. Most of the time they must have a certain extension; for apache the extension is .conf. This keeps configuration modular and manageable for many services.

[24] In essence, it won't matter what you name the config file. By naming the file as it is, it's easy to tell just by looking in the directory what the file is and does.

[25] While the word "necessary" is true, it's true only to a certain extent. It's also possible to issue the command `systemctl reload httpd`, as shown in the image. This rereads the config files without stopping the server. It is a graceful way to restart the server, thereby not disconnecting existing traffic.