This should be a simple thing, but as anything in *nix, it's complex and non-intuitive.
All I want to do in CentOS is password protect a directory under the webroot.
I have already done the following, please read this carefully:
- set up the account I want to use using ADDUSER
- added the account to the appropriate groups
- created the directory and CHMOD'd it with the correct groups and owner
- ran HTPASSWD to create the apache account file, and placed it where I wanted it
- I AM NOT USING .HTACCESS, I am using a directory entry in HTTPD.CONF
- Added the following entry in my HTTPD.CONF file:
<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks -SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /[path]/.htpasswd
Require group wheel
AllowOverride None
Order allow,deny
Allow from all
</Directory>
...even after all this, and restarting apache, it STILL will not work.
What I need is a step-by-step-by-step procedure for password protecting an Apache webfolder on CentOS, NOT using a .htaccess file. I'm going to start all over again from scratch.
<-snip->
AuthUserFile /[path]/.htpasswd
Require group wheel
<-snip->
Using a .htpasswd containing users and their encrypted passwords must be followed by either one of the following
Code:
Require valid-user
Require user user1
In your config above you try to use a group to authenticate your user(s). In this case you need to define a wheel group and a group file (Note: here the wheel group is not the same as the system wheel group):
Code:
<-snip->
AuthUserFile /[path]/.htpasswd
AuthGroupFile /[path]/apache-group
Require group wheel
<-snip->
To my knowledge, I think bathory touched on a very important point
Quote:
(Note: here the wheel group is not the same as the system wheel group)
System users and visitors of a website are not the same thing. If you want password protection of web pages so visitors are required to provide credentials, you configure apache and there is no need to create system users.
OK, I tried moving the .htpasswd file out of the root folder, thinking that permissions is the problem. Then I changed the directory block in the /etc/httpd/conf/httpd.conf file to look like this:
<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks -SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Require user [user]
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Then I tried changing the same block to look like this:
<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks -SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Require user [user]
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Basically, you have no security enforceable. As soon as you allow users to put CGI scripts in the directory they can do anything they want to any directory on the system. Recent CentOS systems have some control - SELinux does compartmentalize apache, separating it from the rest of the system, but it can't separate apache from itself.
You don't list what errors you got, and that makes guessing what is wrong difficult.
It could be that you haven't enabled Apache with the SELinux boolean values you want. It could be that the files you want accessed are not accessible to apache - either through the usual Linux access permissions and/or SELinux labels (which may be invalid). It could be the password is incorrect.
It could even be that apache doesn't have access to the .htaccess file.
Note Wim's comment in post #5. System users and Apache users are entirely separate. Do not create system users in this case.
The htpasswd file should not be under the document root (e.g. /var/www/...) but somewhere the apache program can reach, e.g. /etc/httpd or similar, e.g. the same dir as the httpd.conf.
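The two checks the replies above describe (`Require group` needs an `AuthGroupFile`, and the password file should stay out of the document root), as an added example that is not part of any post in the thread. The function name `check_auth`, the output wording and the sample values are assumptions; the default document root `/var/www` follows the example path given above.

```shell
#!/bin/sh
# Added example, not from the thread: lint <Directory> stanzas for two
# issues the replies raise. Function names and messages are hypothetical.

# check_auth CONF [DOCROOT]: print one finding per line, nothing if clean.
# DOCROOT defaults to /var/www, the example path used in the thread.
check_auth() {
    awk -v docroot="${2:-/var/www}" '
    function reset() { dir = ""; userfile = ""; groupfile = ""; reqgroup = "" }
    /^[ \t]*#/ { next }                   # skip comment lines
    { key = tolower($1) }                 # directive names are case-insensitive
    key == "<directory"    { reset(); dir = $2; gsub(/[">]/, "", dir); next }
    key == "authuserfile"  { userfile = $2; gsub(/"/, "", userfile) }
    key == "authgroupfile" { groupfile = $2 }
    key == "require" && tolower($2) == "group" { reqgroup = $3 }
    key == "</directory>" {
        if (reqgroup != "" && groupfile == "")
            print dir ": Require group " reqgroup " but no AuthGroupFile"
        if (userfile != "" && index(userfile, docroot "/") == 1)
            print dir ": AuthUserFile " userfile " is under " docroot
        reset()
    }' "$1"
}

# Constructed sample modelled on the stanzas posted in the thread, with the
# [name] placeholder and the second stanza filled with made-up values.
sample_conf() {
    cat <<'EOF'
<Directory "/homework">
    AuthType Basic
    AuthName "homework"
    AuthBasicProvider file
    AuthUserFile /var/www/.htpasswd
    Require group wheel
</Directory>
<Directory "/other">
    AuthType Basic
    AuthName "other"
    AuthUserFile /etc/httpd/.htpasswd
    AuthGroupFile /etc/httpd/apache-group
    Require group wheel
</Directory>
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && check_auth "$tmp"; rm -f "$tmp"
```

Pass the real `DocumentRoot` as the second argument, for example `check_auth /etc/httpd/conf/httpd.conf /var/www/html`.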
@chrism01: I tried that, no luck. But thanx for everyone's help so far, it is appreciated
@jpollard: Thanx for your input. I'm going to start all over.
OK...suppose I have a clean Apache HTTPD.CONF file.
I then run the following command in the document root:
> md test
...What would be the best-practice, step-by-step procedure for password-protecting this TEST directory with digest authentication, assuming that the appropriate apache module entry has been added to httpd.conf?
Thanx in advance everyone your help is appreciated
As previously mentioned:
1. no system user needs to be created
2. best practice / more secure is to use the relevant <Directory> ... </Directory> stanza, rather than a .htaccess file.
Although this isn't directly related to what you are trying to do it is an applicable solution and wanted to throw it out there.
You can use MySQL based authentication to protect directories in apache via mod_auth_mysql. Here is a good overview/walkthrough on it if you want to take a look:
Note: the link provided is for debian, however since it relates to apache it is almost exactly the same as in redhat/centos. Just replace the paths such as /etc/apache2/ with /etc/httpd/ and /etc/apache2/mods-enabled/ is not the same. You would just add the LoadModule line to your /etc/httpd/conf/httpd.conf or in a separate config file in /etc/httpd/conf.d/. If you have any questions on this let me know.