Apache – Password – Protect (Basic & LDAP)

RedHat:

To password-protect a directory with Apache you need:

  • a password file (ideally stored outside the web space so it can never be served)
  • the directory you want to protect (/var/www/html in this example)

Configure Apache to honour .htaccess files

The authentication directives below only take effect if the <Directory> block for the document root in httpd.conf contains AllowOverride AuthConfig (or All). Look for the DocumentRoot's Directory entry:

<Directory /var/www/html>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

The Order/Allow lines are Apache 2.2 access control; on 2.4 they are written Require all granted. The line that matters here is AllowOverride.

Now we will use the htpasswd command to create a username and password for our protected directory. This command manages the user files for basic authentication.

The general syntax of the command is:

# htpasswd -c filename username

The -c option creates filename, overwriting it if it already exists, so use it only for the first user and omit it when adding further users; username is the account to add. htpasswd prompts for the password and stores only a salted hash (MD5-based $apr1$ by default; on Apache 2.4, -B selects bcrypt).

#htpasswd -c /var/www/html/.htpass vrk

This example keeps .htpass under the document root. Apache's stock configuration refuses to serve files matching .ht* through a <Files> block, but a path outside the web space (for example /etc/httpd/.htpass) does not depend on that rule. At this point our new user and password are ready. Now we need to tell Apache to request a password when accessing our target directory. For that purpose, create a file called .htaccess in /var/www/html:

# vi /var/www/html/.htaccess

Add the following code in it:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /var/www/html/.htpass
Require user vrk

Save the file and restart Apache so the AllowOverride change takes effect (the .htaccess file itself is read on every request, so later edits to it need no restart):

# service httpd restart

Enable LDAP Authentication:

Check that the mod_ldap and mod_authnz_ldap modules are loaded (httpd -M | grep ldap), then place the following in .htaccess. AuthLDAPURL has the form ldap://host[:port]/basedn?attribute?scope?filter, where attribute is the entry attribute matched against the supplied username (uid in most POSIX-style directories) and scope and filter default to sub and (objectClass=*):

AuthType Basic
AuthName "Restricted Access"
AuthBasicProvider ldap
AuthLDAPURL ldap://host1.sysadminslab.com/dc=sysadmins,dc=lab?uid?sub?(objectClass=*)
Require ldap-filter objectClass=posixAccount

The original notes also listed AuthzLDAPAuthoritative on and a URL of the form ldap://ldap.example.com/ou=admins,o=LDAPROOT?adminUser. AuthzLDAPAuthoritative is an Apache 2.2 directive that 2.4 rejects as an unknown command, and an unknown directive in .htaccess makes every request to that directory fail with 500 Internal Server Error; "adminUser" in that URL stands for whatever attribute your directory uses as the login name.

Ubuntu:

In order to create the file that will store the passwords needed to access our restricted content, we will use a utility called htpasswd. This is found in the apache2-utils package within the Ubuntu repositories.

Update the local package cache and install the package by typing this command. We will take this opportunity to also grab the Apache2 server in case it is not yet installed on the server:

  • #apt-get update
  • #apt-get install apache2 apache2-utils

Create the Password File:

We now have access to the htpasswd command. We can use this to create a password file that Apache can use to authenticate users. We will create a hidden file for this purpose called .htpasswd within our /etc/apache2 configuration directory, which keeps it outside the document root.

The first time we use this utility, we need the -c option to create the specified file (it overwrites an existing file, so use it only once). We specify a username (vrk in this example) at the end of the command to create a new entry within the file; add -B to store bcrypt hashes instead of the default MD5-based ones:

  • #htpasswd -c /etc/apache2/.htpasswd vrk

You will be asked to supply and confirm a password for the user. Leave out the -c argument for any additional users you wish to add:

  • #htpasswd /etc/apache2/.htpasswd another_user

If we view the contents of the file, we can see the username and the hashed password for each record:

  • #cat /etc/apache2/.htpasswd

Output:

vrk:$6$k7uM1XzN$oftYSRkgtm6.H4eVXi/zQqX8Zh5h0uG.
another_user:$6$k7uM1XzN$oftYSRkgtm6.H4eVXi/zQqX8Zh5h0uG.

The hash strings above are placeholders: current htpasswd writes $apr1$ (MD5-based) hashes by default and $2y$ (bcrypt) hashes with -B, and each entry gets its own random salt, so two real entries never share a hash even when the passwords match. Keep the file readable only by root and the Apache user, and never under the document root.
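What the password file actually holds, as an added worked example that is not part of the original notes: a Python 3 script that parses htpasswd lines and verifies a password against an $apr1$ entry by reimplementing Apache's MD5-based scheme with only the standard library. The function names (apr1_hash, parse_htpasswd, verify, check_file) and the sample file contents are this example's own constructions. It shows why the file must stay outside the document root and why -B is preferable: an $apr1$ hash is a thousand MD5 rounds, which anyone holding the file can check offline at high speed.

```python
import hashlib
import secrets

# Alphabet used by md5crypt-style hashes for the salt and the encoded digest.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Encode `count` 6-bit groups of `value`, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_hash(password: bytes, salt: bytes) -> str:
    """Apache's $apr1$ scheme: md5crypt with the magic string changed to "$apr1$"."""
    magic = b"$apr1$"
    salt = salt.split(b"$", 1)[0][:8]          # at most 8 salt characters, terminated by '$'
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                             # feed len(password) bytes of the alternate digest
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    i = len(password)
    while i:                                    # md5crypt's odd bit-walk over the password length
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                       # 1000 stretching rounds, cheap by modern standards
        c = hashlib.md5()
        c.update(password if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(password)
        c.update(final if r & 1 else password)
        final = c.digest()
    # Output bytes are permuted before encoding, as in md5crypt.
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                       for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    encoded += _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode("ascii")


def make_entry(user: str, password: str) -> str:
    """What `htpasswd -m` writes: user, colon, $apr1$ hash with an 8-character random salt."""
    salt = bytes(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password.encode(), salt)}"


def parse_htpasswd(text: str) -> dict:
    """Map username -> stored hash; blank lines and '#' comments are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries


def verify(stored: str, password: str) -> bool:
    """Check a password against an $apr1$ entry; other schemes are reported as unsupported."""
    if not stored.startswith("$apr1$"):
        raise ValueError("only $apr1$ entries are handled here (bcrypt needs a bcrypt library)")
    salt = stored[6:].split("$", 1)[0].encode()
    candidate = apr1_hash(password.encode(), salt)
    return secrets.compare_digest(candidate, stored)   # constant-time comparison


def check_file(text: str, user: str, password: str) -> bool:
    """Would Basic auth with this file admit user/password?"""
    entries = parse_htpasswd(text)
    return user in entries and verify(entries[user], password)


# Constructed sample file: one MD5-based entry generated here and one bcrypt-style entry whose
# hash is a placeholder, present only to show the unsupported-scheme path in verify().
SAMPLE = "\n".join([
    "# users allowed into /var/www/html",
    make_entry("vrk", "correct horse"),
    "another_user:$2y$05$placeholderplaceholderplaceholderplaceholderplace",
])
```

Every verification costs a thousand MD5 computations and nothing more, so a leaked file is cracked at MD5 speed; bcrypt entries from htpasswd -B need a bcrypt library to check but cost the attacker far more per guess.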

Configuring Access Control within the Virtual Host Definition

Begin by opening up the virtual host file that you wish to add a restriction to. For our example, we’ll be using the 000-default.conf file that holds the default virtual host installed through Ubuntu’s apache package:

  • #vi /etc/apache2/sites-enabled/000-default.conf

Inside, with the comments stripped, the file should look similar to this:

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>    
ServerAdmin webmaster@localhost    
DocumentRoot /var/www/html    
ErrorLog ${APACHE_LOG_DIR}/error.log    
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Authentication is done on a per-directory basis. To set up authentication, you will need to target the directory you wish to restrict with a <Directory ___> block. In our example, we’ll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space:

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/html">
    </Directory>
</VirtualHost>

Within this directory block, specify that we wish to set up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory "/var/www/html">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

Save and close the file when you are finished. Check the syntax with apache2ctl configtest, then restart Apache to apply the restriction:

  • #service apache2 restart

The directory you specified should now be password protected.

Configuring Access Control with .htaccess Files

If you wish to set up password protection using .htaccess files instead, you should begin by editing the main Apache configuration file to allow .htaccess files:

  • #vi /etc/apache2/apache2.conf

Find the <Directory> block for the /var/www/html directory that holds the document root. Turn on .htaccess processing by changing the AllowOverride directive within that block from "None" to "AuthConfig", which is enough for the authentication directives ("All" also works but enables every other override class, which is more than this needs):

/etc/apache2/apache2.conf

. . .
<Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Require all granted
</Directory>
. . .

Save and close the file when you are finished.

Next, we need to add an .htaccess file to the directory we wish to restrict. In our demonstration, we’ll restrict the entire document root (the entire website) which is based at /var/www/html, but you can place this file in any directory you wish to restrict access to:

  • #vi /var/www/html/.htaccess

Within this file, specify that we wish to set up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:

/var/www/html/.htaccess
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

Save and close the file. The .htaccess file is read on every request, so it needs no restart of its own; restart the web server so the AllowOverride change in apache2.conf takes effect, after which all content in or below the directory holding the .htaccess file is password protected:

  • #service apache2 restart

Enable LDAP Authentication

Enable mod_ldap and mod_authnz_ldap (a2enmod authnz_ldap creates the same symlinks and pulls in ldap as a dependency) and reload the server:

cd /etc/apache2/mods-enabled
ln -s ../mods-available/ldap.load ldap.load
ln -s ../mods-available/authnz_ldap.load authnz_ldap.load
apache2ctl graceful

.htaccess

You should now be able to use the following wherever desired. This is the Apache 2.4 form. The original 2.2 version of this file also carried Order deny,allow / Deny from All / Satisfy any (2.2 access control that 2.4 accepts only through mod_access_compat and that Require replaces), AuthzLDAPAuthoritative on (removed in 2.4; an .htaccess containing it answers every request with 500 Internal Server Error), and a <Files .htaccess> deny block that the stock configuration already provides for all .ht* files.

Example .htaccess file

AuthName "Restricted Page - login with LDAP credentials"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.example.com/ou=admins,o=LDAPROOT?adminUser
Require valid-user

AuthLDAPURL has the form ldap://host[:port]/basedn?attribute?scope?filter. The "?adminUser" on the end stands for whatever attribute your directory matches the login name against (uid in most POSIX-style directories); scope and filter default to sub and (objectClass=*). Require valid-user admits anyone the directory can authenticate. To restrict access to a group whose memberUid attribute lists plain usernames rather than DNs, add AuthLDAPGroupAttribute memberUid and AuthLDAPGroupAttributeIsDN off and use Require ldap-group <group DN> in place of Require valid-user.

Apache Config

In the <Directory> block that covers the web space (apache2.conf on current Ubuntu, /etc/apache2/sites-available/default on older releases), make sure AllowOverride permits the authentication directives. The stock setting is AllowOverride None, under which the .htaccess file is never read; AuthConfig is sufficient (All would also enable every other override class):

AllowOverride AuthConfig
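An added check that is not from the original notes, covering both the .htaccess/AllowOverride steps above and the LDAP .htaccess: a Python 3 script that scans an Apache config or .htaccess text for the pitfalls these sections run into (an AuthUserFile placed under the DocumentRoot, AllowOverride All where AuthConfig suffices, the 2.2-only AuthzLDAPAuthoritative, Order/Allow/Deny/Satisfy lines that 2.4 honours only through mod_access_compat, and auth providers configured without AuthType/AuthName) and splits an AuthLDAPURL into base DN, attribute, scope and filter. The function names and the two sample files are constructed for this example; the first sample is the LDAP .htaccess as the original 2.2-style notes wrote it.

```python
import re
from posixpath import normpath
from urllib.parse import urlsplit, unquote

# Directives that disappeared in Apache 2.4, and 2.2 access control that 2.4 only accepts
# through mod_access_compat.
REMOVED_IN_24 = {
    "authzldapauthoritative": "removed in 2.4; an unknown directive in .htaccess gives HTTP 500",
}
ACCESS_COMPAT = {"order", "allow", "deny", "satisfy"}

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z]+)\s*(.*?)\s*$")


def directives(text: str):
    """Yield (name_lowercase, argument_string) for every non-comment, non-tag line."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("<"):
            continue
        m = DIRECTIVE_RE.match(s)
        if m:
            yield m.group(1).lower(), m.group(2).strip().strip('"')


def parse_ldap_url(url: str) -> dict:
    """Split ldap://host[:port]/basedn?attribute?scope?filter, filling mod_authnz_ldap's defaults."""
    parts = urlsplit(url)
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    return {
        "host": parts.hostname or "",
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0] or "uid",
        "scope": fields[1] or "sub",
        "filter": fields[2] or "(objectClass=*)",
    }


def under(path: str, root: str) -> bool:
    """True if `path` lies inside directory `root` (after normalising both)."""
    root = normpath(root).rstrip("/") + "/"
    return normpath(path).startswith(root)


def lint(config: str, docroot: str = "/var/www/html", is_htaccess: bool = False) -> list:
    """Return a list of finding strings; an empty list means none of the known pitfalls was seen."""
    found = []
    seen = {}
    for name, arg in directives(config):
        seen.setdefault(name, []).append(arg)
        if name in REMOVED_IN_24:
            found.append(f"{name}: {REMOVED_IN_24[name]}")
        elif name in ACCESS_COMPAT:
            found.append(f"{name}: Apache 2.2 access control, needs mod_access_compat on 2.4; use Require instead")
        elif name == "authuserfile" and under(arg, docroot):
            found.append(f"AuthUserFile {arg} lies under DocumentRoot {docroot}; move it outside the web space")
        elif name == "allowoverride" and arg.lower() == "all":
            found.append("AllowOverride All enables every override class; AuthConfig is enough for authentication")
    if any(k in seen for k in ("authbasicprovider", "authuserfile", "authldapurl")):
        for needed in ("authtype", "authname"):
            if needed not in seen:
                found.append(f"{needed} is missing, so the authentication directives will not take effect")
    if is_htaccess and "require" not in seen:
        found.append("no Require directive: nothing is actually restricted")
    return found


# Constructed sample: the LDAP .htaccess in its 2.2 form, which fails outright on Apache 2.4.
LDAP_HTACCESS_22 = """Order deny,allow
Deny from All
AuthName "Restricted Page - login with LDAP credentials"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://ldap.example.com/ou=admins,o=LDAPROOT?adminUser
Require valid-user
Satisfy any
"""

# Constructed sample: the file-based protection written for 2.4 with the password file outside the docroot.
HTACCESS_24 = """AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
"""
```

Run lint() over a candidate .htaccess before dropping it into a live directory: because Apache evaluates .htaccess per request, a bad directive does not show up at restart time but as a 500 on the next hit.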