Ssiigghh....

This should be a simple thing, but as anything in *nix, it's complex and non-intuitive.

All I want to do in CentOS is password protect a directory under the webroot.

I have already done the following, please read this carefully:

- setup the account I want to use using ADDUSER
- added the account to the appropriate groups
- created the directory and CHMOD'd it with the correct groups and owner
- ran HTPASSWD to create the apache account file, and placed it where I wanted it
- I AM NOT USING .HTACCESS, I am using a directory entry in HTTPD.CONF
- Added the following entry in my HTTPD.CONF file:

<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks
-SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /[path]/.htpasswd
Require group wheel
AllowOverride None
Order allow,deny
Allow from all
</Directory>

...even after all this, and restarting apache, it STILL will not work.

What I need is a step-by-step-by-step procedure for password protecting an Apache webfolder on CentOS, NOT using a .htaccess file. I'm going to start all over again from scratch.

Thanx in advance for any replies,

CentOSnewbie

please.

Using a .htpasswd containing users and their encrypted passwords must be followed by either one of the following
In your config above you try to use a group to authenticate your user(s). In this case you need to define a wheel group and a group file (Note: here wheel group not the same as the system wheel group):
Where the file /[path]/apache-group contains:

@Habitual:

ls -ld /homework

drwxr-xr-x 2 Pudnik adm 4096 Dec 28 01:28 homework

To my knowledge, I think bathory touched on a very important point
System users and visitors of a website are not the same thing. If you want password protection of web pages so visitors are required to provide credentials, you configure apache and there is no need to create system users.

OK, I tried moving the .htpasswd file out of the root folder, thinking that permissions is the problem. Then I changed the directory block in the /etc/httpd/conf/httpd.conf file to look like this:

<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks -SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Require user [user]
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Then I tried changing the same block to look like this:

<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks -SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Require user [user]
AllowOverride None
Order allow,deny
Allow from all
</Directory>

no luck.

Basicly, you have no security enforcable. As soon as you allow users to put CGI scripts in the directory they can do anything they want to any directory on the system. Recent CentOS systems have some control - SELinux does compartmentalize apache separating it from the rest of the system, it can't separate apache from itself.

You don't list what errors you got, and that makes guessing what is wrong difficult.

It could be that you haven't enabled Apache with the SELinux boolean values you want. It could be that the files you want accessed are not accessable to apache - either through the usual Linux access permissions and/or SELinux labels (which may be invalid). It could be the password is incorrect.

It could even be that apache doesn't have access to the .htaccess file.

Note Wim's comment in post #5. System users and Apache users are entirely separate. do not create system users in this case.

The htpasswd file should not be under the document root (eg /var/www/...) but somewhere the apache program can reach eg /etc/httpd or similar eg the same dir as the httpd.conf.

@chrism01: I tried that, no luck. But thanx for everyone's help so far, it is appreciated
@jpollard: Thanx for your input. I'm going to start all over.

OK...suppose I have a clean Apache HTTPD.CONF file.

I then run the following command in the document root:

> md test

...What would be the best-practice, step-by-step procedure for password-protecting this TEST directory with digest authentication, assuming that the appropriate apache module entry has been added to httpd.conf?

Thanx in advance everyone your help is appreciated

Pudnik

Like this https://httpd.apache.org/docs/2.2/howto/auth.html

As previously mentioned:
1. no system user needs to be created
2. best practice / more secure is to use in the relevant <Directory> ... </Directory> stanza, rather than a .htaccess file.

...By default, Apache apparently DOES NOT recognize paths relative to the docroot. When I changed this:

/homework

to this:

/var/www/html/homework


it worked. Now to figure out how to do digest authentication...

Although this isn't directly related to what you are trying to do it is an applicable solution and wanted to throw it out there.

You can use MySQL based authentication to protect directories in apache via mod_auth_mysql. Here is a good overview/walkthrough on it if you want to take a look:

http://www.howtoforge.com/mod_auth_mysql_apache2_debian

Note: the link provided is for debian, however since it relates to apache it is almost exactly the same as in redhat/centos. Just replace the paths such as /etc/apache2/ with /etc/httpd/ and /etc/apache2/mods-enabled/ is not the same. You would just add the LoadModule line to your /etc/httpd/conf/httpd.conf or in a seperate config file in /etc/httpd/conf.d/ if you have any questions on this let me know.

You do realize this is not "a directory under the webroot"...

Apache only provided relative evaluation to queries from the user, not a definition within the configuration file.

And if you wanted to tie the long path to a name under the webroot you have to use an alias definition.