Recipe 22.13. Password-Protecting Individual Directories

22.13.1 Problem

You don't want to restrict access to an entire domain, just some pages in a particular directory. For example, you may have a UserDir-type web page (see Recipe Recipe 22.8) that you wish to protect, because it contains certain work documents that don't need to be available to any old nosy coworker. You want to restrict access to you only, or perhaps to select other persons how do you do this?

22.13.2 Solution

Apache comes with some simple user authentication methods that operate on directories: Basic and Digest. These are strictly lightweight security; don't use them for pages containing very sensitive information, or for any kind of web site where money or customer data are involved. Basic and Digest are fine for use on a LAN, where all you want to do is keep coworkers out of stuff that doesn't concern them.

Basic sends passwords in cleartext, which are trivially easy to snoop, so this recipe uses Digest, which employs an MD5 hash.

Setting up user authentication on directories has two parts: creating a <Directory> section in httpd.conf, and creating a password file with htpasswd.

Let's say you keep your calendars, contact lists, and important documents on http://oreilly.net/~michael. The real directory path is /var/www/users/michael. First, create your <Directory> entry in httpd.conf:

<Directory /var/www/users/michael>  AuthType Digest  AuthName "Michael's Protected Files"  AuthUserFile /etc/httpd/htpasswd/passwords  Require user michael  </Directory>

Now create your password file, which is already named above:

$ htpasswd -c /etc/httpd/htpasswd/passwords michael New password: Re-type new password: Adding password for user michael

The -c flag creates a new file. Now only Michael, or anyone with Michael's password, can access http://oreilly.net/~michael.

To allow other users in, create logins with htpasswd, omitting the -c flag:

$ htpasswd /etc/httpd/htpasswd/passwords maria

and change the "Require user" directive to:

 Require valid-user

This will authorize any user in your password file.

22.13.3 Discussion

Pay special attention to the AuthName directive. All directories with the same AuthName won't need to reauthenticate you after you log in the first time. This is a time-saver but it's also a security hole, so be sure to pay attention to your AuthNames.

What if you do not have access to httpd.conf, and you don't want to continually pester your hardworking Apache admin for changes and updates? Have your kindly, benevolent Apache admin set you up to use .htaccess, and then you can control access yourself. .htaccess is for setting configurations on directories, rather than domains.

The benevolent admin needs to make this entry in httpd.conf. This example enables all users in /var/www/users to use .htaccess files:

<Directory /var/www/users>     AllowOverride AuthConfig </Directory>

Make sure there is no AllowOverride None directive, which disables .htaccess. Remember to restart Apache after making changes to httpd.conf.

This particular configuration has the benefit of speeding up server performance by restricting .htaccess to the /var/www/users directory. If .htaccess is enabled globally in httpd.conf, like this:

 AllowOverride AuthConfig

Apache will search all of its directories for .htaccess files, which can incur a significant performance hit.

Once the admin has made the above changes, Michael can create an .htaccess file containing the exact same directives as in the recipe above. He will put this file in his top-level directory; in this example, /var/www/users/michael.

Using Digest authentication comes with an additional benefit: it gives you another reason to get rid of Internet Explorer, which does not support it for URLs that use querystring. These are URLs with question marks, like this:

http://catsearch.atomz.com/search/catsearch/?sp-a=sp1000a5a9&sp-f=ISO-8859-1&sp-t=cat_search&sp-q=apache&search=Go

That's the URL you get when you go to http://linux.oreilly.com and do a search for "apache." A plain ole static URL (such as http://linux.oreilly.com) usually works in IE, so it's not an issue for simple, static web pages. Even so, IE is a huge security hazard, and a notorious non-supporter of web standards if you needed another reason to ditch it, here you go.

If you wish to standardize on a single web browser, the Mozilla browser supports Digest authentication just fine, and it runs on many different platforms. It adheres to W3C standards and comes with all sorts of nice user features that IE does not, such as tabbed browsing and meaningful cookie, pop-up, and password management.

Other excellent web browsers that are standards-compliant, are much more secure than IE, and have rafts of superior user features are Firefox, Amaya, Galeon, Konqueror, Opera, and Netscape. Amaya is designed to be an easy-to-use editor as well as a browser. Firefox, Amaya, Opera, and Netscape are cross-platform, available for Linux/Unix, Mac OS X, and Windows.

If you wish to use Basic authentication, which sends passwords in cleartext and works in all browsers, see the "Authentication, Authorization and Access Control" page in the Apache manual.

For serious heavy-duty security, you need SSL. This is rather complex to learn and set up. To learn how to set up an Apache server using SSL for secure transactions, start at the Apache SSL/TLS Encryption section of the Apache manual at http://localhost/manual/ssl/. Then see Web Security, Privacy & Commerce, by Simson Garfinkel (O'Reilly).

22.13.4 See Also

• Authentication, Authorization and Access Control (http://localhost/manual/howto/auth.html)

• Apache SSL/TLS Encryption (http://localhost/manual/ssl)

• W3C home page (http://www.w3.org)

• Web Security, Privacy & Commerce