Excuse me everyone, I am a Web Server Administrator, yet I never had a chance to set up a member-restricted page on the WEB. Will someone give me an idea of what kind of aspects I should consider and implement? I am sorry this posting is a somewhat vague topic.
For a very basic password protected setup try htpasswd - Manage user files for basic authentication - Apache HTTP Server Version 2.4
which tells how to use .htaccess and htpasswd. It’s not all that secure, but it’s a starting point.
Thanks, scottro, I just started looking at and reading the link about htpasswd. It may take a little time, because I need to test it to see. Thanks again.
Dear scottro, I am right now learning about the .htaccess file, how to write it and where to place it etc. Let me try the .htaccess file way at first. I am not sure whether the .htaccess file and htpasswd are both required to set up (configure). Let me try by trial and error.
Dear Scott, Hi ! I made a little progress on making a .htpasswd file at a certain location in my WEB Server. Since you showed me the command " htpasswd ", I created the file .htpasswd with the 1st user’s ID and password, followed by the three other User IDs with Passwords. All four members’ IDs and Passwords are successfully registered. Thanks. ALL WORKING.
Now, here is the question. I placed the .htaccess file at a certain location in my WEB Server:
so-and-so-path /kanazawa_class
In this folder I placed my hand-written .htaccess file made by gedit. It didn’t take effect.
The content I wrote is,
AuthType Basic
AuthName "Authentication Kanazawa Class"
AuthUserFile /home/mkido/www/.htpasswd
What is the wrong step I made? How do I create a .htaccess file? Is there any command line way to make the .htaccess file?
Hi @mkido, one thing you might need to do for /path/to/kanazawa_class is to have an option in the apache config, something like:
<Directory /path/to/kanazawa>
AllowOverride all
</Directory>
it could well be that the .htaccess won’t work until overrides are set to allow it. I believe the AllowOverride can also be restricted to allow certain items. I generally prefer not to allow .htaccess at all, and that means setting everything in the stanzas in the Apache config - basically, everything you put in .htaccess would go into the Directory stanza. For example:
<Directory /path/to/kanazawa>
AuthType Basic
AuthName "Authentication Kanazawa Class"
AuthUserFile /home/mkido/www/.htpasswd
</Directory>
in such a case you don’t need the override.
Correct me if I’m wrong, but the config is used by the Apache, the httpd process, which runs as user apache and has its own SELinux context. Does that user and context have access to a home directory?
The SELinux seems to label the file as httpd_user_content_t:
# semanage fcontext -l | grep home.*httpd
/home/[^/]+/((www)|(web)|(public_html))(/.*)?/\.htaccess regular file unconfined_u:object_r:httpd_user_htaccess_t:s0
/home/[^/]+/((www)|(web)|(public_html))(/.*)?/logs(/.*)? all files unconfined_u:object_r:httpd_user_ra_content_t:s0
/home/[^/]+/((www)|(web)|(public_html))(/.+)? all files unconfined_u:object_r:httpd_user_content_t:s0
/home/[^/]+/((www)|(web)|(public_html))/cgi-bin(/.+)? all files unconfined_u:object_r:httpd_user_script_exec_t:s0
But the default POSIX attributes for /home/mkido are 0700, which should deny apache from going “down there”?
Hi ! iwalker, Community Team member.
Thank you very much. It is a great pleasure. I appreciate your help. I have read more than a couple of documentation-or-blog pages, which recommend the Apache config - where is it? Is that httpd.conf? Or else? And the something-something way. O.K. I will try to follow your suggestion. I will forward all of your comments to my senior Server Administrator, ISP (Internet Service Provider), then he and I will configure it together following your way. Let me see. Thanks again.
The above-mentioned something-something is meant as below. The HTML code didn’t appear in the above posting. I didn’t know how to write HTML code in this blog manner.
<Directory /path/to/kanazawa>
AllowOverride all
</Directory>
AND
<Directory /path/to/Kanazawa>
AuthType Basic
...
...
</Directory>
Look into /etc/httpd/conf.d/
That is where you can add a file that has your config.
Hello, @jlehtone . I don’t have good enough knowledge to respond to your comment. As for my WEB Server, SELinux is currently disabled. This optional decision was made by my senior Server Administrator, ISP, so I just accepted SELinux being disabled. The Firewall is, of course, working. So, the semanage command may not work in my WEB Server. I will check it later and get back to you.
Thanks, Mitsuru
If SELinux is disabled, then you can ignore what I wrote about it.
That still leaves the permissions. Each file and directory has an “owner” (uid), a “group” (gid), and permissions. Each process has an effective uid and gid. The permissions and uid/gid determine whether a process can access (at least read) the file. (SELinux can add restrictions on top of that.)
I was also thinking it was an SELinux issue. But, as @jlehtone said, if SELinux is disabled, that isn’t the issue.
I’ve only set it up for my wife. My default html directory is /usr/share/nginx/html, because I sometimes use nginx and this way it and apache can share. Then, I have a subdirectory for my wife’s stuff. I put both the .htaccess file and .htpasswd file in there.
My .htaccess file reads
AuthName nao
AuthType Basic
AuthUserFile /usr/share/nginx/html/naoko/.htpasswd
Require valid-user
Then if she goes to the site, she sees a prompt for user name and password.
Using that method, I don’t do anything to httpd.conf.
https://help.dreamhost.com/hc/en-us/articles/216363187-Password-protecting-your-site-with-an-htaccess-file gives a nice beginner tutorial.
Are you absolutely sure you want to use Apache for this? If you are adding and removing “members” it seems a database and simple cookie based access would make your life way easier.
Hi ! jlehtone. Just to make sure: my senior WEB Server Administrator and I have been editing /etc/httpd/conf/httpd.conf, this file. Is this what you mean? The folder location is slightly different from where you suggest, so I am double checking. Thanks !
Hi ! Everyone, the thing has worked out. The key is that I consulted my senior WEB Server Administrator. He was able to figure it out quickly. According to him, I placed the .htpasswd file at /home/mkido/www/.htpasswd, then he noticed the www folder has the 700 permission and Apache can’t get into there. So he moved the .htpasswd file to /var/www/.htpasswd. And he made one change at /etc/httpd/conf/httpd.conf . The change he made was,
<Directory "/var/www/html">
---------
## AllowOverride None
AllowOverride All
------
</Directory>
Well, I am a junior WEB Server Administrator, so I don't completely understand the meaning of this change. But it is working now, and I am passing his edited work along as a reference here. Thanks so much everyone, for the many comments, I appreciated them so much. Thanks again.
Just make sure that nobody can download the .htpasswd file especially if the DocumentRoot is /var/www/html. A better location would be to put the .htpasswd file under /etc/httpd since Apache will have access to this directory and then it’s completely out of the /var/www/html directory or anywhere which gets served with web content. You can still place .htaccess in /var/www/html now and it will work based on the Directory Stanza above.
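Added example, not posted by anyone in this thread: a small POSIX shell pre-flight check that covers the two points raised above without starting httpd. jlehtone’s post about uid/gid and mode bits, and the 700 www directory that turned out to be the blocker, come down to one rule: the httpd worker (user apache) needs execute permission on every directory above AuthUserFile and read permission on the file itself. iwalker’s warning is the second rule: the file must not live under DocumentRoot. The script assumes Linux with GNU coreutils stat, and that the apache user neither owns the directories nor is in their group, so only the “other” bits matter; the paths in the usage comments are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from any poster): pre-flight check for an Apache AuthUserFile.
# Assumes GNU coreutils `stat` and that the httpd user is "other" for every
# path component (neither owner nor group), which is the usual case for /home.

# other_bits PATH -> prints the "other" octal digit of PATH's mode (0 for 0700)
other_bits() {
    stat -c '%a' "$1" | sed 's/.*\(.\)$/\1/'
}

# walk_path FILE [START]
# Checks that every directory from START (default /) down to FILE has o+x and
# that FILE itself has o+r. Prints the first blocker; returns 1 on failure.
walk_path() {
    file=$1
    start=${2:-/}
    case "$file" in
        /*) ;;
        *) echo "ERROR: absolute path required: $file" >&2; return 2 ;;
    esac
    dir=$(dirname "$file")
    prefix=""
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while splitting on '/'
    set -- $dir
    set +f
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue          # skip the empty leading field
        prefix="$prefix/$comp"
        if [ "$start" != "/" ]; then        # optionally scope the check
            case "$prefix" in
                "$start"|"$start"/*) ;;
                *) continue ;;
            esac
        fi
        [ -d "$prefix" ] || { echo "MISSING: $prefix"; return 1; }
        if [ $(( $(other_bits "$prefix") & 1 )) -eq 0 ]; then
            echo "BLOCKED: $prefix is mode $(stat -c '%a' "$prefix"), no o+x; httpd cannot traverse it"
            return 1
        fi
    done
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }
    if [ $(( $(other_bits "$file") & 4 )) -eq 0 ]; then
        echo "BLOCKED: $file is mode $(stat -c '%a' "$file"), no o+r; httpd cannot read it"
        return 1
    fi
    echo "OK: $file is reachable and readable by the httpd user"
}

# under_docroot FILE DOCROOT -> returns 0 when FILE lives inside DOCROOT,
# i.e. a request for its URL could serve it unless a <Files ".ht*"> block denies it.
under_docroot() {
    case "$1" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_authfile FILE DOCROOT [START] -> combined verdict, 0 only if both rules pass
check_authfile() {
    walk_path "$1" "${3:-/}" || return 1
    if under_docroot "$1" "$2"; then
        echo "WARNING: $1 is inside DocumentRoot $2; move it out (e.g. under /etc/httpd)"
        return 1
    fi
    return 0
}

# Usage, mirroring the thread (paths from the posts above):
#   check_authfile /home/mkido/www/.htpasswd /var/www/html   # fails while www is 0700
#   check_authfile /etc/httpd/.htpasswd /var/www/html        # passes once readable
```

The check only reads mode bits, so it works the same whether run as root or as a normal user, and it deliberately stops at the first blocker so the fix (usually chmod 711 on one directory) is obvious. It does not replace testing the real login prompt, and it says nothing about SELinux labels, which add a separate layer when SELinux is enforcing.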
The /etc/httpd/conf/httpd.conf is a configuration file that is installed from package httpd-core (in el9). At the end of that file is:
# Supplemental configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf
That is, everything in /etc/httpd/conf.d/*.conf is part of the configuration.
The /etc/httpd/conf.d/README says:
This directory holds configuration files for the Apache HTTP Server; any files in this directory which have the ".conf" extension will be processed as httpd configuration files. The directory is used in addition to the directory /etc/httpd/conf.modules.d/, which contains configuration files necessary to load modules. Files are processed in sorted order. See httpd.conf(5) for more information.
Why add a file, rather than edit the file that comes with the package?
You have edited the /etc/httpd/conf/httpd.conf. What if a package update provides a new, changed httpd.conf? What options are there?
- If your modified file is kept, then the changes from update are not used. You would have to insert them yourself
- If your modified file is replaced, then your modifications are not used. You would have to re-insert them
Furthermore, how do you remember what modifications you have done? You do know, but how about three years from now? It is much easier to remember when they are in a separate file (that will not be touched by the package management).
This approach to configuration is used by many services/packages.
The only question is precedence. If the /etc/httpd/conf/httpd.conf contains the default:
<Directory "/var/www/html">
AllowOverride None
</Directory>
and you have /etc/httpd/conf.d/mkido.conf with:
<Directory "/var/www/html">
AllowOverride All
</Directory>
Will the latter override the former, or does the first occurrence win?
That is described somewhere in the Apache documentation.
Did you read the file /etc/httpd/conf/httpd.conf? Isn’t there a comment:
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
The documentation of Apache is more verbose: core - Apache HTTP Server Version 2.4
Thanks, Scott. I got you. Anyway, right now, everything is working with .htpasswd and .htaccess.
Thanks, iwalker. Good security suggestion. Thanks.