A better way!

20 09 2008

Well, I was told by a reader that .htaccess is not a very secure way to block off parts of your website. Since I am busy learning everything for the first time, I was willing to take his advice and was able to use httpd.conf to restrict access. Also, he showed me a way that sends passwords encrypted, rather than in plain text. Anyway, I’d like to thank Bob for this advice, and here is a much better way to block off parts of your site…
(Please note the following is directly quoted from Bob’s comments as to not take credit for this myself.)

You should never use .htaccess files unless you don’t own the server and don’t have access to the main server configuration file (httpd.conf).

See the Apache documentation article When (not) to use .htaccess files: http://httpd.apache.org/docs/2.2/howto/htaccess.html#when

Basically, httpd.conf would, in your case, look something like:


<Directory /var/www/music>
    AuthType Basic
    # the AuthName value here is assumed; the original's value did not survive
    AuthName "music"
    AuthUserFile /etc/apache2/passwd/passwords
    Require valid-user
</Directory>


/var/www/music is the directory you want to password-protect.
AuthType Basic is basic HTTP authentication, as opposed to AuthType Digest which uses MD5 authentication.
AuthName is simply the text that will be displayed in the password request box.
AuthUserFile is where the passwords are stored, which you create using the htpasswd command.
And finally, Require valid-user means that anyone in the password file can get in. Or, you can specify a particular name, such as Require user Willem.

See Apache access control for more info: http://httpd.apache.org/docs/2.2/howto/auth.html#gettingitworking


But wait! There’s an even better way!

AuthType Basic sends the password in clear text, so it’s fairly insecure. AuthType Digest uses a little bit of encryption with an MD5 checksum and a once-used number and does not send the password in clear text, so it’s more secure.

And, since AuthType Digest is really no harder to use than AuthType Basic, you might as well get the enhanced security. The only real drawback that I see with AuthType Digest is that really old browsers don’t support it. But unless you’re using a browser from 2004, that’s not much of a problem :)

Anyway, AuthType Digest is really similar to AuthType Basic except that the way you create a password is slightly different and the httpd.conf entry refers to ‘Digest’, rather than ‘Basic’.

For example, to use AuthType Digest to password-protect the ‘private’ realm and the directory /var/www/music and only let in user joe, first create a password for joe:

htdigest -c /etc/apache2/passwordfile private joe
(note: location of password file is just an example and doesn’t have to be at that location or use that file name)

Then edit the httpd.conf file to require a password to access /var/www/music:

<Directory /var/www/music>
    AuthType Digest
    AuthName "private"
    AuthDigestDomain /music/
    AuthUserFile /etc/apache2/passwordfile
    Require user joe
</Directory>

(Note: replace ( and ) with < and > in the real httpd.conf file. I just used parentheses here so the HTML wouldn’t be stripped out by the blog software.)

See here for more techie details: http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html

Good luck, and enjoy your Ubuntu server! I sure enjoy mine! :)


One more thing on Digest. It is an Apache mod-file, which Ubuntu does not have enabled by default.

If you look in /etc/apache2/mods-available, you will see it: auth_digest.load

But, if you look in /etc/apache2/mods-enabled, it isn’t there by default in Ubuntu server.

But enabling it is easy. Notice that in /etc/apache2/mods-enabled there aren’t actually any files, just symbolic links to the /etc/apache2/mods-available directory (do an ls -l). So, to enable auth_digest.load, all you have to do is create a symbolic link like so:

cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/auth_digest.load auth_digest.load

Then restart Apache:
sudo /etc/init.d/apache2 restart

Have fun! :)


I can verify that this did indeed work, and once again, thanks to Bob for showing me a better way.
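To make concrete what the Basic-versus-Digest point above means on the wire, here is an added Python example. It is mine, not code from the original post, from Bob’s comments, or from Apache: it decodes a Basic Authorization header back to the password, builds the user:realm:MD5(user:realm:password) line that htdigest writes, and runs a Digest challenge/response the way mod_auth_digest negotiates it (RFC 2617 with qop="auth"), rejecting both a wrong password and a replayed header. The user joe, realm private, password s3cret and the URI /music/ are constructed values for illustration.

```python
import base64
import hashlib
import secrets


def md5_hex(s):
    """Hex MD5 of a string; HTTP Digest is defined over MD5."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_credentials(authorization_header):
    """Recover (user, password) from a Basic Authorization header.
    Basic is only base64 encoding, so anyone who sees the request can do this."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def htdigest_line(user, realm, password):
    """The line `htdigest` writes: user:realm:MD5(user:realm:password).
    The third field is HA1; Apache stores and needs only that, never the password."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def lookup_ha1(htdigest_text, user, realm):
    """What mod_auth_digest does with AuthUserFile: find HA1 for (user, realm)."""
    for line in htdigest_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user and fields[1] == realm:
            return fields[2]
    return None


class DigestServer:
    """Server side of HTTP Digest with qop="auth" (RFC 2617), which is what
    mod_auth_digest negotiates.  Holds the htdigest file contents and remembers
    (nonce, nc) pairs so a captured Authorization header cannot be replayed."""

    def __init__(self, realm, htdigest_text):
        self.realm = realm
        self.htdigest_text = htdigest_text
        self.seen = set()

    def challenge(self):
        # The "once-used number" from the post: a fresh random nonce per 401.
        return {"realm": self.realm, "nonce": secrets.token_hex(16), "qop": "auth"}

    def verify(self, method, auth):
        ha1 = lookup_ha1(self.htdigest_text, auth["username"], self.realm)
        if ha1 is None or auth.get("realm") != self.realm:
            return False
        if (auth["nonce"], auth["nc"]) in self.seen:
            return False  # same nonce and nonce-count seen before: replay
        ha2 = md5_hex(f"{method}:{auth['uri']}")
        expected = md5_hex(f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        ok = secrets.compare_digest(expected, auth["response"])
        if ok:
            self.seen.add((auth["nonce"], auth["nc"]))
        return ok


def digest_authorization(user, password, method, uri, challenge, nc="00000001"):
    """Client side: the fields a browser puts in its Authorization header.
    Only MD5 outputs leave the client; the password itself never does."""
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    cnonce = secrets.token_hex(8)
    response = md5_hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}


def run_exchange(password_offered):
    """One exchange for the constructed user joe / realm private / password s3cret.
    Returns (first attempt accepted, verbatim replay of the same header accepted)."""
    server = DigestServer("private", htdigest_line("joe", "private", "s3cret"))
    challenge = server.challenge()
    auth = digest_authorization("joe", password_offered, "GET", "/music/", challenge)
    first = server.verify("GET", auth)
    replay = server.verify("GET", auth)  # the same header captured and resent
    return first, replay


if __name__ == "__main__":
    print(basic_credentials("Basic am9lOnMzY3JldA=="))  # ('joe', 's3cret')
    print(htdigest_line("joe", "private", "s3cret"))
    print(run_exchange("s3cret"))  # (True, False)
    print(run_exchange("wrong"))   # (False, False)
```

Run it directly to see the decoded Basic header, the htdigest line and the two exchange results. Two things worth keeping in mind from the code: the Digest AuthUserFile holds HA1, and HA1 alone is enough to answer a challenge, so that file needs the same protection as any password file; and Digest only keeps the password itself off the wire, the requested content still travels in the clear, so it is not a substitute for HTTPS.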