Apache User Authentication
Apache also includes several ways in which you can authenticate customers using your web server such as LDAP, SecureID, and basic .htaccess, to name a few examples. To use authentication mechanisms beyond basic .htaccess, you must compile additional functionality when you’re building Apache. Like access control, authentication mechanisms are specified as part of the directive.
The two steps to enabling basic .htaccess user authentication are:
- Creating an htpasswd file to store user credentials.
- Adding a directive to the httpd.conf file to protect a directory structure.
This is different than adding a login form on a web page and creating your own authentication. Let’s use an example to demonstrate how easy it can be to add authentication. In our example, we will secure a directory called /securedir and permit only customers Homer and Marge access to the files in that directory.
First, let’s create an htpasswd file somewhere not in the web server document root by issuing the following command:
htpasswd -c /usr/local/apache/passwdfile homer
New password: *****
Re-type new password: *****
Adding password for user homer
Next, we’ll add Marge to the list as well. This time we don’t need to use the -c argument, since our htpasswd file already exists:
htpasswd /usr/local/apache/passwdfile marge
New password: *****
Re-type new password: *****
Adding password for user marge
Now that we’ve established our customer accounts, we’ll finish by adding a directive to the httpd.conf file to protect the /securedir directory as follows:
<Directory /usr/local/apache/htdocs/secure>
AuthType Basic
AuthName “Access for authenticated customers only”
AuthUserfile /usr/local/apache/passwdfile
require user marge homer
</Directory>
Now, when anyone attempts to access the /securedir directory, they’ll be prompted for a username and password. Because we specifically require only Marge and Homer, only they will be permitted to use the directory structure, if they authenticate properly.
You can also restrict access based on a domain or IP address. The following directive will do this:
Order deny, allow
Deny from all
Allow from allowable-domain.com
Allow from XXX.XXX.XXX
Deny from evil-domain.com
You can specify the first three (or one or two) octets of an IP address defining the allowable domain.
Although this example involves modifying the httpd.conf file to control directory access, there is another way. You can create an .htaccess and .htpasswd file in the directory to which you want to control access. The .htaccess file should contain the same directive we described above. The .htpasswd file must be created using htpasswd. In the above example, to add access for Homer and Marge, we would first create (or clobber if it already exists) the password file /securedir/.htpasswd:
htpasswd -c .htpasswd homer
Now that we have created .htpasswd, we can add user marge to the existing password file (which contains one user, homer):
htpasswd .htpasswd marge
Within the directive is a subdirective called Options that controls functionality for the directory structures specified in the directive. The available options are listed below:
| Option | Functionality |
|---|---|
| All | Default setting; includes all options except MultiViews |
| ExecCGI | Permits CGI script execution through mod_cgi |
| FollowSymLinks | Allows Apache to follow OS file system symlinks |
| Includes | Permits SSI through mod_include |
| IncludesNOExEC | Permits SSI but denies exec and exec cgi |
| Indexes | Allows autoindexing using mod_autoindex if no configured index file is present |
| MultiViews | Permits content negotiation using mod_negotiation |
| SimLinksIfOwnerMatch | Allows Apache to follow OS file system symlinks but only if the link and target file have the same owner |
Many of the listed options are not relevant to our installation, since we disabled Includes and CGI during compile time. Regardless, a good default directive disabling most options is shown here:
<Directory “/usr/local/apache/htdocs”>
Order, allow, deny
Allow from all
Options -FollowSysLinks -ExecCGI -Includes -Indexes \
-MultiViews
AllowOverride None
</Directory>
At this point, your Apache server should be relatively secure. In the next article, we will discuss some Apache logging directives so that we can better monitor our server.
External Links:
Authentication and Authorization at the official Apache website
Apache Web Login Authentication at yolinux.com
The post Apache Server Hardening: Part Five appeared first on pfSense Setup HQ.