.htaccess

14 09 2008

So after I made my music available in my web root, I felt it necessary to password protect it. I don’t want anyone to download my music or stream it or anything like that; no one except me, that is. No illegal activity should be coming from my server, I figured. So I thought of the most basic way to do it, which was htaccess.

Basically, you create a file called .htaccess with certain parameters. Here’s mine:

AuthType Basic
AuthName "Music"
AuthUserFile /var/.htpasswd
require valid-user

I’m not exactly sure what AuthType is, but AuthName is whatever you want to call the folder you’re protecting. It doesn’t change the folder name; this is just what shows up in the little login window that pops up when you navigate to this folder.

AuthUserFile is where the .htpasswd file is stored. The .htpasswd file specifies which user and password combinations are allowed to access this folder.

require valid-user just tells Apache that access requires logging in as a valid user listed in the .htpasswd file.

In .htpasswd, each individual user should have his own line, and username and password should be separated by a colon, e.g.

username:password
username:password

Finally, in your Apache settings (on Ubuntu the file is /etc/apache2/sites-available/default), find the line

AllowOverride None

and change it to

AllowOverride All
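Two things worth checking before trusting this setup, as an added example that is not part of the original post: a real .htpasswd holds user:hash lines written by the htpasswd tool, not user:password in clear (Apache on Unix will not match a plain-text field), and with AllowOverride None the .htaccess is never read, so the folder stays open. The script below builds sample files in a temporary directory (all paths and hash values are constructed placeholders with the right shape) and runs three checks over them: password fields that are not a recognised hash, an .htaccess missing directives or pointing AuthUserFile inside the document root, and the AllowOverride value for a directory block.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity checks for the
# .htaccess / .htpasswd / AllowOverride setup. Every file below is constructed
# in a temp directory; hash values are placeholders with the right shape only.
set -u
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
DOCROOT="$SAMPLE_DIR/var/www"
mkdir -p "$DOCROOT/music"

# .htaccess modelled on the post's, with AuthUserFile kept outside the web root.
cat > "$DOCROOT/music/.htaccess" <<EOF
AuthType Basic
AuthName "Music"
AuthUserFile $SAMPLE_DIR/var/.htpasswd
require valid-user
EOF

# A deliberately poor .htaccess: no Require line, and the password file sits
# under the document root, where Apache may serve it as a plain download.
cat > "$SAMPLE_DIR/bad.htaccess" <<EOF
AuthType Basic
AuthName "Music"
AuthUserFile $DOCROOT/music/.htpasswd
EOF

# "username:password" taken literally: plain-text secrets (constructed).
cat > "$SAMPLE_DIR/plain.htpasswd" <<'EOF'
alice:hunter2
bob:letmein
EOF

# What the htpasswd tool writes: user:hash (apr1 MD5, bcrypt, {SHA}); placeholders.
cat > "$SAMPLE_DIR/var/.htpasswd" <<'EOF'
alice:$apr1$saltsalt$0123456789abcdefghijkl
bob:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
EOF

# Ubuntu-style vhost snippet with the default AllowOverride None (constructed).
cat > "$SAMPLE_DIR/default" <<'EOF'
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF

# Count .htpasswd lines whose password field is not a recognised hash.
# Heuristic: a 13-character field is assumed to be legacy crypt().
htpasswd_plaintext_count() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        pw=${line#*:}
        case "$pw" in
            '$apr1$'*'$'*) ;;                 # htpasswd -m (the default)
            '$2a$'*|'$2b$'*|'$2y$'*) ;;       # htpasswd -B (bcrypt)
            '{SHA}'*) ;;                      # htpasswd -s (SHA-1)
            *) [ ${#pw} -eq 13 ] || { echo "plain-text password: ${line%%:*}" >&2; bad=$((bad+1)); } ;;
        esac
    done < "$1"
    echo "$bad"
}

# Count problems in an .htaccess (arg 1): missing auth directives, or an
# AuthUserFile located under the document root (arg 2).
htaccess_problem_count() {
    problems=0
    for d in authtype authname authuserfile require; do
        awk -v d="$d" 'tolower($1) == d { f = 1 } END { exit !f }' "$1" ||
            { echo "missing $d" >&2; problems=$((problems+1)); }
    done
    userfile=$(awk 'tolower($1) == "authuserfile" { print $2 }' "$1")
    case "$userfile" in
        "$2"/*) echo "AuthUserFile inside document root: $userfile" >&2
                problems=$((problems+1)) ;;
    esac
    echo "$problems"
}

# Print the AllowOverride value inside the <Directory DIR> block of a vhost
# file; with None, Apache never reads the .htaccess and the folder stays open.
allowoverride_for() {
    awk -v want="$2" '
        /^[ \t]*<Directory[ \t]/ { cur = $2; sub(/>.*$/, "", cur) }
        /^[ \t]*<\/Directory>/   { cur = "" }
        cur == want && tolower($1) == "allowoverride" { print $2 }
    ' "$1"
}

echo "plain.htpasswd weak entries: $(htpasswd_plaintext_count "$SAMPLE_DIR/plain.htpasswd")"
echo "var/.htpasswd weak entries:  $(htpasswd_plaintext_count "$SAMPLE_DIR/var/.htpasswd")"
echo "bad.htaccess problems:       $(htaccess_problem_count "$SAMPLE_DIR/bad.htaccess" "$DOCROOT")"
echo "AllowOverride for /var/www/: $(allowoverride_for "$SAMPLE_DIR/default" /var/www/)"
```

On a real server, generate entries with `htpasswd -c /var/.htpasswd username` (it prompts for the password and writes the hash), and prefer `AllowOverride AuthConfig` over `All` so that the .htaccess can only carry authentication directives, not arbitrary server configuration.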


9 responses

19 09 2008
Bob

You should never use .htaccess files unless you don’t own the server and don’t have access to the main server configuration file (httpd.conf).

See the Apache documentation article When (not) to use .htaccess files: http://httpd.apache.org/docs/2.2/howto/htaccess.html#when

Basically, httpd.conf would, in your case, look something like:

AuthType Basic
AuthName "SECRET SQUIRREL RESTRICTED ACCESS AREA"
AuthUserFile /etc/apache2/passwd/passwords
Require valid-user

/var/www/music is the directory you want to password-protect.
AuthType Basic is basic HTTP authentication, as opposed to AuthType Digest which uses MD5 authentication.
AuthName is simply the text that will be displayed in the password request box.
AuthUserFile is where the passwords are stored, which you create using the htpasswd command.
And finally, Require valid-user means that anyone in the password file can get in. Or, you can specify a particular name, such as Require Willem.

See Apache access control for more info: http://httpd.apache.org/docs/2.2/howto/auth.html#gettingitworking

Bob

19 09 2008
Bob

Oops, the html tags were stripped out of the last post. The httpd.conf file should have been like this:

(Directory /var/www/brett)
AuthType Basic
AuthName "SECRET SQUIRREL RESTRICTED ACCESS AREA"
AuthUserFile /etc/apache2/passwd/passwords
Require user brett
(/Directory)

Note: substitute < or > for ( or ) above.

19 09 2008
Bob

Hmmm, that’s weird, I don’t know where that ‘brett’ came from. It should be:

(Directory /var/www/music)
AuthType Basic
AuthName "SECRET SQUIRREL RESTRICTED ACCESS AREA"
AuthUserFile /etc/apache2/passwd/passwords
Require valid-user
(/Directory)

Third time’s a charm! ;)

19 09 2008
baudday

Thank you for that. I was not aware of this. That sounds like a good alternative, looks like I’ll be using your method :)

20 09 2008
Bob

But wait! There’s an even better way!

AuthType Basic sends the password in clear text, so it’s fairly insecure. AuthType Digest uses a little bit of encryption with an MD5 checksum and a once-used number and does not send the password in clear text, so it’s more secure.

And, since AuthType Digest is really no harder to use than AuthType Basic, you might as well get the enhanced security. The only real drawback that I see with AuthType Digest is that really old browsers don’t support it. But unless you’re using a browser from 2004, that’s not much of a problem :)

Anyway, AuthType Digest is really similar to AuthType Basic except that the way you create a password is slightly different and the httpd.conf entry refers to ‘Digest’, rather than ‘Basic’.

For example, to use AuthType Digest to password-protect the ‘private’ realm and directory /var/www/music and only let in user joe, first create a password for joe:

htdigest -c /etc/apache2/passwordfile private joe
(note: location of password file is just an example and doesn’t have to be at that location or use that file name)

Then edit httpd.conf file to require password to access /var/www/music:

(Directory /var/www/music)
AuthType Digest
AuthName "private"
AuthDigestDomain /music/
AuthUserFile /etc/apache2/passwordfile
Require user joe
(/Directory)
(Note: replace ( and ) with < and > in the real httpd.conf file. I just used parentheses here so the HTML wouldn’t be stripped out by the blog software).

See here for more techie details: http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html

Good luck, and enjoy your Ubuntu server! I sure enjoy mine! :)

Bob
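An added example, not Bob's code, showing what the htdigest command above actually stores and the one mistake that bites people with Digest: the realm is hashed into every entry (the file holds user:realm:MD5(user:realm:password), the HA1 construction from RFC 2617 that mod_auth_digest uses), so if AuthName in httpd.conf is later changed without regenerating the password file, every login silently fails. Note also that Digest hashes the credential rather than encrypting anything; it hides the password from a passive observer, nothing more, and its MD5 construction is weak by today's standards, so HTTPS is the usual answer. The config snippet is Bob's with the angle brackets restored; the password "example-only" and the file paths are constructed for this demo. It assumes coreutils md5sum (or openssl) is available.

```shell
#!/bin/sh
# Added example, not Bob's code: reproduce htdigest's file format and check a
# config/password-file pair for realm and user mismatches. All inputs are
# constructed in a temp directory.
set -u
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT

# MD5 hex digest of a string, via coreutils md5sum (openssl as fallback).
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl md5 | sed 's/.*= //'
    fi
}

# One line in htdigest's format: user:realm:MD5(user:realm:password).
# The realm is part of the hash, so the entry is bound to one AuthName.
digest_line() { printf '%s:%s:%s\n' "$1" "$2" "$(md5hex "$1:$2:$3")"; }

# Equivalent of: htdigest -c passwordfile private joe   (password constructed)
digest_line joe private example-only > "$SAMPLE_DIR/passwordfile"

# Bob's httpd.conf entry as intended, and a variant whose AuthName was edited
# later without regenerating the password file.
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
<Directory /var/www/music>
AuthType Digest
AuthName "private"
AuthDigestDomain /music/
AuthUserFile /etc/apache2/passwordfile
Require user joe
</Directory>
EOF
sed 's/AuthName "private"/AuthName "Music"/' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/bad.conf"

# Print the AuthName realm from a config file, without its quotes.
config_realm() {
    awk 'tolower($1) == "authname" { sub(/^[^ \t]+[ \t]+/, ""); gsub(/"/, ""); print }' "$1"
}

# Count digest-file (arg 2) entries whose realm differs from the config's (arg 1) AuthName.
realm_mismatch_count() {
    realm=$(config_realm "$1")
    awk -F: -v r="$realm" '$2 != r { n++ } END { print n + 0 }' "$2"
}

# Users named in "Require user ..." lines (config, arg 1) that have no entry
# for the config's realm in the digest file (arg 2).
unknown_required_users() {
    awk -v r="$(config_realm "$1")" '
        NR == FNR {            # first file: the config; collect Require user names
            if (tolower($1) == "require" && tolower($2) == "user")
                for (i = 3; i <= NF; i++) want[$i] = 1
            next
        }
        {                      # second file: user:realm:HA1 lines
            split($0, f, ":"); if (f[2] == r) have[f[1]] = 1
        }
        END { for (u in want) if (!(u in have)) print u }
    ' "$1" "$2"
}

echo "password file entry: $(cat "$SAMPLE_DIR/passwordfile")"
echo "good.conf realm mismatches: $(realm_mismatch_count "$SAMPLE_DIR/good.conf" "$SAMPLE_DIR/passwordfile")"
echo "bad.conf realm mismatches:  $(realm_mismatch_count "$SAMPLE_DIR/bad.conf" "$SAMPLE_DIR/passwordfile")"
echo "bad.conf users without an entry: $(unknown_required_users "$SAMPLE_DIR/bad.conf" "$SAMPLE_DIR/passwordfile")"
```

Running `realm_mismatch_count` and `unknown_required_users` against the live config and password file after any edit to AuthName catches the failure before users start reporting that their password "stopped working".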

20 09 2008
Bob

One more thing on Digest. It is an Apache mod-file, which Ubuntu does not have enabled by default.

If you look in /etc/apache2/mods-available, you will see it: auth_digest.load

But, if you look in /etc/apache2/mods-enabled, it isn’t there by default in Ubuntu server.

But enabling it is easy. If you look in /etc/apache2/mods-enabled, you’ll notice there aren’t actually any files, just symbolic links to the /etc/apache2/mods-available directory (do an ls -l). So, to enable auth_digest.load, all you have to do is create a symbolic link like so:

cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/auth_digest.load auth_digest.load

Then restart Apache:
sudo /etc/init.d/apache2 restart

Have fun! :)

Bob

20 09 2008
baudday

Thank you for this. I hope you don’t mind if I publish it.

20 09 2008
Bob

No sweat, I hope I helped.
Linux servers can do amazing things (for free!), and the more people who know that the better :)

By the way, when you installed Ubuntu server, did you also install SSH so that you could do all of this admin stuff remotely, or are you just using webmin?

The reason I ask about SSH is that not only can you use it as a secure logon connection, but from another Linux computer you can mount the server securely and access it like just another folder. This might be useful in your case, as you can access files like they were on your own computer and copy and move and delete them and such, which you can’t do when you access them through a web browser interface.

By the way, if you need a free domain name, try dyndns: http://www.dyndns.com/services/dns/dyndns/

20 09 2008
baudday

Ah yes, I am using SSH. It’s great.
