Sensitive information that only certain people need to have web access to must be secured.

If sensitive or proprietary information is located on your web site and you do not want the public to have access to it, you must password-protect it. An obscure file name with no links to it anywhere on the site will not keep the information secure. Security through obscurity does not work.

To password-protect a file, a series of files or a directory in Apache, the httpd.conf file must be edited. Then, a database of usernames and passwords must be created.

  <Location /secret.*>
        AuthType Basic
        AuthName "Secret"
        AuthUserFile /etc/httpd/conf/users
        require valid-user
  </Location>

In this example, all files whose names begin with "secret." will require authentication. If only one file needed to be password protected, the example could be changed to:

  <Location /secret.txt>

Similarly, if a directory needed to be password protected, the example could be changed to this:

  <Location /secret/>

Returning to the original example: the authentication type is Basic, and the usernames and passwords are kept in a plain text file, not a true database. When someone tries to go to one of the protected pages, the box that asks for a username and password will be titled Secret. The text file with the usernames and passwords is called users and is located in the /etc/httpd/conf directory. According to the require directive, any user in the users file is allowed access.

To set up the text file with usernames and passwords, the program htpasswd must be used. It is located in the bin directory of your Apache installation. The syntax for this program is very simple. The first time htpasswd is run for the users file, it should be called like this:

  root# /usr/bin/htpasswd -m -c filename username

In our example, it would look something like this:

  root# /usr/bin/htpasswd -m -c /etc/httpd/conf/users canisab
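
As an added example (not part of the original page), the shell functions below audit a users file like the one created above: they flag a file stored under the document root or accessible to other accounts, and name the hash scheme of each entry. The function names, the temporary directory layout and the hash values are constructed for illustration.

```shell
# Added example, not from the original page. Names and sample data are assumptions.

# classify_hash FIELD: name the scheme of one htpasswd password field.
classify_hash() {
    case "$1" in
        '$apr1$'*)      echo apr1-md5 ;;        # written by htpasswd -m
        '$2y$'*)        echo bcrypt ;;          # written by htpasswd -B
        '{SHA}'*)       echo sha1-unsalted ;;   # written by htpasswd -s
        ?????????????)  echo des-crypt ;;       # htpasswd -d, 13 chars (heuristic)
        *)              echo plaintext-or-unknown ;;  # e.g. htpasswd -p
    esac
}

# audit_htpasswd FILE DOCROOT: print one finding per line, nothing if clean.
audit_htpasswd() {
    file=$1; docroot=$2
    # A users file under the document root can be downloaded like any page.
    case "$file" in "$docroot"/*) echo "FILE inside-docroot" ;; esac
    # Characters 8-10 of the ls mode string are the permissions for "other".
    other=$(ls -ld "$file" | cut -c8-10)
    [ "$other" = "---" ] || echo "FILE other-perms $other"
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        case $(classify_hash "$hash") in
            apr1-md5|bcrypt) ;;   # salted schemes: no finding
            *) echo "USER $user $(classify_hash "$hash")" ;;
        esac
    done < "$file"
}

# demo: build a constructed users file (fake hash values) and audit it twice.
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/htdocs" "$dir/conf"
    printf '%s\n' \
        'canisab:$apr1$CONSTRUC$ConstructedNotARealHash00' \
        'olduser:{SHA}ConstructedNotARealHash00000=' \
        'legacy:abCONSTRUCTED' > "$dir/htdocs/users"
    chmod 644 "$dir/htdocs/users"
    echo "== users file under the document root, mode 644"
    audit_htpasswd "$dir/htdocs/users" "$dir/htdocs"
    cp "$dir/htdocs/users" "$dir/conf/users"; chmod 640 "$dir/conf/users"
    echo "== same file moved to conf/, mode 640"
    audit_htpasswd "$dir/conf/users" "$dir/htdocs"
    rm -rf "$dir"
}

demo
```

The entry created with -m passes the scheme check in both runs; moving the file out of the document root and tightening its mode clears the two FILE findings.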

For more information about this and similar topics, see the Apache Software Foundation web site. There are also great books, such as Apache: The Definitive Guide by Ben and Peter Laurie.