.htaccess tutorial

htaccess Elite


Basic authentication example

Security in htaccess: htpasswd, 401 Authentication

Basic authentication example

Postby produke » 27 Sep 2006 07:23

Put this in your htaccess file in the directory that you want to password protect.
NOTE: all subdirectories and files will also be password protected.



Code: Select all
AuthName "Development"
AuthUserFile /.htpasswd
AuthType basic
Require valid-user
User avatar
produke
 
Posts: 242
Joined: 25 Sep 2006 04:48

Postby mod_rewrite » 08 Nov 2006 22:31

Password protect a directory using basic authentication

In this How-To guide, we will show you how to set up a password protected directory using basic authentication.

Authentication directives in Apache can be used in the following contexts - directory and htaccess. For directory context this means in <Directory>, <Location>, and <Files> blocks in your httpd.conf or your distro's main Apache config file or virtual host config file. Additionally, for Apache 2.2, <Proxy> blocks are also included in the directory context. The htaccess context is self explanatory. This means you can use authentication directives in htaccess files. In this tutorial, we will show recipes for both contexts.

The first thing in this example we need to do is to create a directory to password protect in our document root. Let's say our document root is /var/www/html. We'll create a directory called protected in the document
Code: Select all
root - /var/www/html/protected.


The next thing to do is to create a password file with users. We will use the htpasswd utility provided in the core Apache package. The password file can be stored anywhere on your hard drive. In our example we will create our htpasswd file in /etc/htpasswd.

Note that the location of the htpasswd file can be anywhere you want on your local drive. You just need to specify the full path to the htpasswd file with the AuthUserFile directive. Choose whatever you deem to be a sane location for your password files.

Code: Select all
/path/to/htpasswd -c /etc/htpasswd/.htpasswd user1
/path/to/htpasswd /etc/htpasswd/.htpasswd user2


/path/to/ is the full path to the htpasswd utility. The full path to the htpasswd utility is necessary if htpasswd is in a nonstandard location. After running the htpasswd command, you will be prompted to enter the user's password. Notice the difference between both commands. The first command uses the -c flag. This flag is used when creating a new htpasswd file. After that, the -c flag is not used for subsequent users you wish to add. Also, you need to make sure Apache has read access to this file, so make sure your permissions are correct.


This is the recipe to use for setting up a password protected directory in the directory context:

Code: Select all
<Directory "/var/www/html/protected">
  AuthType Basic
  AuthName "Authentication Required"
  AuthUserFile "/etc/htpasswd/.htpasswd"
  Require valid-user

  Order allow,deny
  Allow from all
</Directory>


The lines to focus on are AuthType, AuthName, AuthUserFile, and Require.

  1. AuthType tells Apache what type of authentication to use. In our case, basic authentication.
  2. AuthName is what will be displayed on the password prompt from the browser.
  3. AuthUserFile is the location of your htpasswd file.
  4. Require tells Apache which authenticated users will be granted access to a resource. In our case, any authenticated user will be granted access.


The following below is the recipe to use for setting up a password protected directory in the htaccess context:

First we will create a .htaccess file in our protected directory, /var/www/html/protected and set the contents of the file to be:

Code: Select all
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/htpasswd/.htpasswd"
Require valid-user


Now we need to create a <Directory> block in httpd.conf or your distro's main apache config file or your virtual host config file in order to have Apache process this htaccess file.

Code: Select all
<Directory "/var/www/html/protected">
  AllowOverride AuthConfig
  Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
  Order allow,deny
  Allow from all
</Directory>


Notice the AllowOverride line. It tells Apache to process the htaccess file and to allow htaccess to set the authentication for that directory.


Remember to restart Apache after making any changes to httpd.conf or your distro's main Apache config file or your virtual host config file.

Using either recipe, you can now go to [WWW] http://localhost/protected and be prompted by the browser to enter your credentials. If you enter correct credentials you will be granted access to protected. If you don't enter correct credentials, you will be continually prompted to enter credentials until you enter correct credentials or click the Cancel button.
mod_rewrite
 
Posts: 102
Joined: 30 Oct 2006 19:55

Postby mod_rewrite » 08 Nov 2006 22:32

Bypass Authentication Or Authorization Requirements

With satisfy you can instruct your Apache Server to bypass either authentication or authorization requirements that are currently configured.
Or to ensure that all criteria are met satisfactorily before allowing the connection any further.

Satisfy comes with two options:

Satisfy Any will allow Apache to bypass one of the requirements.



For the rest of this recipie lets set an example scenario.

Code: Select all
<Directory /home/www/site1/private>
  AuthUserFile /home/www/site1-passwd
  AuthType Basic
  AuthName MySite
  Require valid-user
</Directory>


With this configuration, your users will be required to authenicate as normal.

But lets say for example you want people from your LAN to have full access, without being prompted for a password. In this scenario we could use:
Code: Select all
<Directory /home/www/site1/private>
  AuthUserFile /home/www/site1-passwd
  AuthType Basic
  AuthName MySite
  Require valid-user
  Allow from 172.17.10
  Satisfy Any
</Directory>


This will basically force everyone from the outside to authenticate, but those coming from the LAN IP range would not be required to do so.
Apache will let them access the directory, with authenticating.

This will also work with a subdirectory in your protected directory. Let's say, you have a subdirectory in private called noprotect that you want to allow everyone access without being prompted for a credentials. You could do this:
Code: Select all
<Directory /home/www/site1/private/noprotect>
  Order allow,deny
  Allow from all
  Satisfy any
</Directory>
mod_rewrite
 
Posts: 102
Joined: 30 Oct 2006 19:55

PAM LDAP only authentication.

Postby 5mi11er » 24 May 2007 21:19

I cam across this site in search of an answer to an issue I discovered on our sites. I'd found my /var/log/messages being filled with lots of messages stating:
Code: Select all
   httpd(pam_unix)[24404]: authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=  user=someuser

even though access was being granted.

We primarily use PAM enabled LDAP for authentication, so, the hints about making sure apache could read the /etc/shadow file were backward for me; the authentication info wouldn't be found in /etc/shadow.

But, according to the /etc/pam.d/httpd config, it was simply pointing to system_auth, and thus unix authentication was also being tried on every web page access, and since apache didn't have access to /etc/shadow, that attempt would always fail, and a log message generated.

So, I created a /etc/pam.d/system_auth_ldap file with the following:

Code: Select all
#%PAM-1.0
auth        required      /lib/security/pam_env.so
#auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so
auth        required      /lib/security/pam_deny.so

#account     required      /lib/security/pam_unix.so
account     required       /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
#password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
#session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so


And modified the /etc/pam.d/httpd config file to this:

Code: Select all
#%PAM-1.0
auth       required        /lib/security/pam_stack.so service=system-auth-ldap
account    required    /lib/security/pam_stack.so service=system-auth-ldap
account    required    /lib/security/pam_permit.so service=system-auth-ldap


I hope this helps someone else out there.

-Scott
5mi11er
 
Posts: 1
Joined: 24 May 2007 21:10

Postby htaccess » 14 Aug 2007 02:07

htaccess
 
Posts: 50
Joined: 28 Feb 2007 17:16

.htaccess redirect according to .htaccess username (or group

Postby jancek » 25 Aug 2007 18:25

Can .htaccess protect a directory (example.com/protected/) for two users (user1 and user2) and redirect them after login (user1 to example.com/protected/dir1/, and user2 to example.com/protected/dir2/)?
jancek
 
Posts: 4
Joined: 25 Aug 2007 18:20

Re: .htaccess redirect according to .htaccess username (or g

Postby mod_rewrite » 25 Aug 2007 18:42

jancek wrote:Can .htaccess protect a directory (example.com/protected/) for two users (user1 and user2) and redirect them after login (user1 to example.com/protected/dir1/, and user2 to example.com/protected/dir2/)?



Absolutely!!

Read
Tricks for controlling htaccess Basic Authentication with PHP and mod_rewrite | Bypassing htaccess Login prompt

Try:
Code: Select all
<Directory /protected>
AuthUserFile /home/www/site1-passwd
AuthType Basic
AuthName MySite
Require user user1 user2
</Directory>


Then you can use some advanced code, (php would be easier)

Code: Select all
RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]

RewriteCond %{HTTP:Authorization} !^$
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^login\.php$ login.php_%{HTTP:Authorization}
RewriteRule ^([^_]*)_([^B|b]*)Basic.?([A-Za-z0-9]*) /login.php?g=$3 [L,QSA,R,NC]


RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^.*$ - [L]


AuthName "Produke"
AuthUserFile /home/askapache.com/.htpasswd
AuthType basic
Require valid-user
mod_rewrite
 
Posts: 102
Joined: 30 Oct 2006 19:55

so

Postby jancek » 25 Aug 2007 19:39

Hi, so now my htaccess looks like this

Code: Select all
AuthUserFile /home/html/domain.tld/public_html/.htpasswd
AuthType Basic
AuthName MySite
Require valid-user

RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]

RewriteCond %{HTTP:Authorization} !^$
RewriteCond %{QUERY_STRING} ^$
RewriteRule ^index\.php$ index.php_%{HTTP:Authorization}
RewriteRule ^([^_]*)_([^B|b]*)Basic.?([A-Za-z0-9]*) /index.php?g=$3 [L,QSA,R,NC]

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^.*$ - [L]


Authentification works, browser asks for username and password, but afterwards it is not redirecting, only shows index.php. I need to redirect to index.php?id=username. Can you help me with this?
jancek
 
Posts: 4
Joined: 25 Aug 2007 18:20

Re: so

Postby mod_rewrite » 25 Aug 2007 19:41

jancek wrote:Authentification works, browser asks for username and password, but afterwards it is not redirecting, only shows index.php. I need to redirect to index.php?id=username. Can you help me with this?


Is your RewriteEngine turned On? Is that your full .htaccess?
mod_rewrite
 
Posts: 102
Joined: 30 Oct 2006 19:55

hmm

Postby jancek » 25 Aug 2007 19:47

I guess mod_rewrite is turned on, because in other htaccess file I am redirecting and rewriting URLs without problems. Yes that is my whole htaccess file.
jancek
 
Posts: 4
Joined: 25 Aug 2007 18:20

Postby mod_rewrite » 25 Aug 2007 20:52

Is this .htaccess code in your document root? More info??
mod_rewrite
 
Posts: 102
Joined: 30 Oct 2006 19:55

No

Postby jancek » 25 Aug 2007 21:01

No, this .htaccess file is in subfolder.
jancek
 
Posts: 4
Joined: 25 Aug 2007 18:20

Re: Basic authentication example

Postby satya » 29 Aug 2008 08:29

Thanks Dear,

Basic auth works well, but can we use system password file or SSH password file to check username and password (on linux fedora), instead of creating out own .htpasswd file.

Is it possible, if yes can anyone help me.

Thanks in advance.

Satya
satya
 
Posts: 1
Joined: 29 Aug 2008 07:06


Return to Security and Authentication



cron