A better way!

20 09 2008

Well, I was told by a reader that .htaccess is not a very secure way to block off parts of your website. Since I am busy learning everything for the first time, I was willing to take his advice and was able to use httpd.conf to restrict access. Also, he showed me a way that sends passwords encrypted, rather than in plain text. Anyway, I’d like to thank Bob for this advice, and here is a much better way to block off parts of your site…
(Please note the following is directly quoted from Bob’s comments as to not take credit for this myself.)

You should never use .htaccess files unless you don’t own the server and don’t have access to the main server configuration file (httpd.conf).

See the Apache documentation article When (not) to use .htaccess files: http://httpd.apache.org/docs/2.2/howto/htaccess.html#when

Basically, httpd.conf would, in your case, look something like:

<Directory /var/www/music>
AuthType Basic
AuthName "Music"
AuthUserFile /etc/apache2/passwd/passwords
Require valid-user
</Directory>


The /var/www/music is the directory you want to password-protect.
AuthType Basic is basic HTTP authentication, as opposed to AuthType Digest which uses MD5 authentication.
AuthName is simply the text that will be displayed in the password request box.
AuthUserFile is where the passwords are stored, which you create using the htpasswd command.
And finally, Require valid-user means that anyone in the password file can get in. Or, you can specify a particular name, such as Require Willem.

See Apache access control for more info: http://httpd.apache.org/docs/2.2/howto/auth.html#gettingitworking


But wait! There’s an even better way!

AuthType Basic sends the password in clear text, so it’s fairly insecure. AuthType Digest uses a little bit of encryption with an MD5 checksum and a once-used number and does not send the password in clear text, so it’s more secure.

And, since AuthType Digest is really no harder to use than AuthType Basic, you might as well get the enhanced security. The only real drawback that I see with AuthType Digest is that really old browsers don’t support it. But unless you’re using a browser from 2004, that’s not much of a problem.

Anyway, AuthType Digest is really similar to AuthType Basic except that the way you create a password is slightly different and the httpd.conf entry refers to ‘Digest’, rather than ‘Basic’.

For example, suppose you want to use AuthType Digest to password-protect the ‘private’ realm and directory /var/www/music and only let in user Joe. First, create a password for joe:

htdigest -c /etc/apache2/passwordfile private joe
(note: location of password file is just an example and doesn’t have to be at that location or use that file name)

Then edit the httpd.conf file to require a password to access /var/www/music:

<Directory /var/www/music>
AuthType Digest
AuthName "private"
AuthDigestDomain /music/
AuthUserFile /etc/apache2/passwordfile
Require user joe
</Directory>

See here for more techie details: http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html

Good luck, and enjoy your Ubuntu server! I sure enjoy mine!


One more thing on Digest. It is an Apache mod-file, which Ubuntu does not have enabled by default.

If you look in /etc/apache2/mods-available, you will see it: auth_digest.load

But, if you look in /etc/apache2/mods-enabled, it isn’t there by default in Ubuntu server.

But enabling it is easy. If you look in /etc/apache2/mods-enabled (do an ls -l), you’ll notice there aren’t actually any files, just symbolic links to the /etc/apache2/mods-available directory. So, to enable auth_digest.load, all you have to do is create a symbolic link like so:

cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/auth_digest.load auth_digest.load

Then restart Apache:
sudo /etc/init.d/apache2 restart

Have fun!


I can verify that this did indeed work, and once again, thanks to Bob for showing me a better way.
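To make the Basic-versus-Digest difference Bob describes concrete, here is an added POSIX shell example (not Bob’s or this blog’s code, and nothing from Apache itself). It shows what a Basic Authorization header actually carries, what a line in an htdigest password file is made of, and how a Digest response is computed from that stored hash and the server’s nonce, which is why the password itself never crosses the wire. The joe/secret pair is made up; the Mufasa user, realm, nonce, cnonce and URI are the published test vector from RFC 2617 section 3.5. MD5 comes from md5sum (coreutils) with an openssl fallback.

```shell
#!/bin/sh
# Added example: Basic vs Digest HTTP authentication, worked from the shell.
# Needs only printf, cut, base64 and md5sum (openssl if md5sum is missing).

# Hex MD5 of a string. printf '%s' avoids hashing a trailing newline.
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/^.* //'
    fi
}

# --- Basic: the browser sends base64("user:password"). base64 is an
# encoding, not encryption; anyone who sees the header has the password.
basic_token() {               # user password
    printf '%s:%s' "$1" "$2" | base64
}
basic_decode() {              # token
    printf '%s' "$1" | base64 -d
}

# --- Digest: htdigest stores HA1 = MD5("user:realm:password") and writes
# the line "user:realm:HA1". Anyone holding that file can answer challenges
# for that realm, so it needs the same protection as a password.
digest_ha1() {                # user realm password
    md5hex "$1:$2:$3"
}
htdigest_line() {             # user realm password
    printf '%s:%s:%s\n' "$1" "$2" "$(digest_ha1 "$1" "$2" "$3")"
}

# HA2 = MD5("METHOD:uri") ties the response to one specific request.
digest_ha2() {                # method uri
    md5hex "$1:$2"
}

# RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2).
# The server recomputes this from HA1 in its file; the password never travels.
digest_response() {           # ha1 nonce nc cnonce ha2
    md5hex "$1:$2:$3:$4:auth:$5"
}

# Server-side check: recompute from the stored line and compare. Replaying a
# captured response against a fresh nonce (or another URI) fails, because both
# values feed the hash.
digest_verify() {             # stored_line nonce nc cnonce method uri response
    ha1=$(printf '%s' "$1" | cut -d: -f3)
    expected=$(digest_response "$ha1" "$2" "$3" "$4" "$(digest_ha2 "$5" "$6")")
    [ "$expected" = "$7" ]
}

demo() {
    tok=$(basic_token joe secret)                 # constructed credentials
    echo "Basic header:    Authorization: Basic $tok"
    echo "decodes to:      $(basic_decode "$tok")"

    # RFC 2617 section 3.5 test vector
    line=$(htdigest_line Mufasa testrealm@host.com 'Circle Of Life')
    echo "htdigest line:   $line"
    nonce=dcd98b7102dd2f0e8b11d0f600bfb0c093
    resp=$(digest_response "$(printf '%s' "$line" | cut -d: -f3)" \
        "$nonce" 00000001 0a4f113b "$(digest_ha2 GET /dir/index.html)")
    echo "Digest response: $resp"
    if digest_verify "$line" "$nonce" 00000001 0a4f113b GET /dir/index.html "$resp"; then
        echo "server check:    accepted"
    fi
    if ! digest_verify "$line" 0123456789abcdef 00000001 0a4f113b GET /dir/index.html "$resp"; then
        echo "replay with a new nonce: rejected"
    fi
}

demo
```

Two practical notes follow from the output. The Basic token decodes back to `joe:secret` with one command, so Basic is only acceptable on a connection that is already encrypted (HTTPS); Digest avoids sending the password but still leaves the page contents themselves readable to anyone on the path, which again is what HTTPS is for.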


14 09 2008

So after I made my music available in my web root, I felt it necessary to password protect it. I don’t want anyone to download my music or stream it or anything like that. No one except me, that is. No illegal activity should be coming from my server I figured. So I thought of the most basic way to do it which was htaccess.

Basically, you create a file called .htaccess with certain parameters. Here’s mine:

AuthType Basic
AuthName "Music"
AuthUserFile /var/.htpasswd
require valid-user

I’m not exactly sure what

AuthType Basic

is, but

AuthName

is whatever you wanna call the folder you’re protecting. It doesn’t change the folder name; this is just what shows up in the little login window that pops up when you navigate to this folder.

AuthUserFile

is where the .htpasswd file is stored. The .htpasswd file specifies which user and password combinations are allowed to access this folder. Keep it outside the web root (as /var/.htpasswd is here) so Apache can never serve it to a visitor.

require valid-user

just lets it know that any valid user specified within the .htpasswd file is allowed access.

In .htpasswd, each individual user has his own line, with the username and the password hash separated by a colon. The hash is what the htpasswd command writes when you add a user; the plaintext password never goes in the file.


Finally, in your Apache settings (on Ubuntu the file is /etc/apache2/sites-available/default), find the line

AllowOverride None

for the directory you are protecting and change it to

AllowOverride AuthConfig

AuthConfig is the narrowest setting that lets a .htaccess file carry AuthType, AuthName, AuthUserFile and Require. AllowOverride All also works, but it lets any .htaccess file under that directory override every overridable directive, which is far more than the authentication needs. Restart Apache afterwards so the change takes effect.