LinuxQuestions.org
Old 12-28-2012, 03:21 AM   #1
Pudnik
LQ Newbie
 
Registered: Feb 2009
Location: USA
Distribution: fedora 10
Posts: 6

Rep: Reputation: 0
Question Password Protecting an Apache Webfolder


Ssiigghh....

This should be a simple thing, but as anything in *nix, it's complex and non-intuitive.

All I want to do in CentOS is password protect a directory under the webroot.

I have already done the following, please read this carefully:

- setup the account I want to use using ADDUSER
- added the account to the appropriate groups
- created the directory and CHMOD'd it with the correct groups and owner
- ran HTPASSWD to create the apache account file, and placed it where I wanted it
- I AM NOT USING .HTACCESS, I am using a directory entry in HTTPD.CONF
- Added the following entry in my HTTPD.CONF file:

<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks -SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /[path]/.htpasswd
Require group wheel
AllowOverride None
Order allow,deny
Allow from all
</Directory>

...even after all this, and restarting apache, it STILL will not work.

What I need is a step-by-step-by-step procedure for password protecting an Apache webfolder on CentOS, NOT using a .htaccess file. I'm going to start all over again from scratch.

Thanx in advance for any replies,

CentOSnewbie
 
Old 12-28-2012, 06:56 AM   #2
Habitual
LQ Addict
 
Registered: Jan 2011
Posts: 8,265
Blog Entries: 11

Rep: Reputation: 2292
Code:
ls -ld /homework
please.
 
Old 12-28-2012, 08:34 AM   #3
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,738

Rep: Reputation: 1586
Quote:
<-snip->
AuthUserFile /[path]/.htpasswd
Require group wheel
<-snip->
Using a .htpasswd containing users and their encrypted passwords must be followed by either one of the following
Code:
Require valid-user 
Require user user1
In your config above you try to use a group to authenticate your user(s). In this case you need to define a wheel group and a group file (Note: here wheel group not the same as the system wheel group):
Code:
<-snip->
AuthUserFile /[path]/.htpasswd
AuthGroupFile /[path]/apache-group
Require group wheel
<-snip->
Where the file /[path]/apache-group contains:
Code:
wheel: user1 user2 user2
 
Old 12-30-2012, 08:15 PM   #4
Pudnik
LQ Newbie
 
Registered: Feb 2009
Location: USA
Distribution: fedora 10
Posts: 6

Original Poster
Rep: Reputation: 0
@Habitual:

ls -ld /homework

drwxr-xr-x 2 Pudnik adm 4096 Dec 28 01:28 homework
 
Old 12-30-2012, 11:50 PM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282
To my knowledge, I think bathory touched on a very important point
Quote:
(Note: here wheel group not the same as the system wheel group)
System users and visitors of a website are not the same thing. If you want password protection of web pages so visitors are required to provide credentials, you configure apache and there is no need to create system users.
 
Old 12-31-2012, 01:21 PM   #6
Pudnik
LQ Newbie
 
Registered: Feb 2009
Location: USA
Distribution: fedora 10
Posts: 6

Original Poster
Rep: Reputation: 0
OK, I tried moving the .htpasswd file out of the root folder, thinking that permissions is the problem. Then I changed the directory block in the /etc/httpd/conf/httpd.conf file to look like this:

<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks -SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Require user [user]
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Then I tried changing the same block to look like this:

<Directory "/homework">
Options +Indexes -Includes -FollowSymLinks -SymLinksifOwnerMatch -ExecCGI -MultiViews
AuthType Basic
AuthName "[name]"
AuthBasicProvider file
AuthUserFile /var/www/.htpasswd
Require user [user]
AllowOverride None
Order allow,deny
Allow from all
</Directory>

no luck.
 
Old 01-01-2013, 07:18 AM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,688

Rep: Reputation: 1259
Basically, you have no security enforceable. As soon as you allow users to put CGI scripts in the directory they can do anything they want to any directory on the system. Recent CentOS systems have some control - SELinux does compartmentalize apache separating it from the rest of the system, it can't separate apache from itself.

You don't list what errors you got, and that makes guessing what is wrong difficult.

It could be that you haven't enabled Apache with the SELinux boolean values you want. It could be that the files you want accessed are not accessible to apache - either through the usual Linux access permissions and/or SELinux labels (which may be invalid). It could be the password is incorrect.

It could even be that apache doesn't have access to the .htaccess file.
 
Old 01-01-2013, 07:33 PM   #8
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,357

Rep: Reputation: 2367
Note Wim's comment in post #5. System users and Apache users are entirely separate. Do not create system users in this case.

The htpasswd file should not be under the document root (eg /var/www/...) but somewhere the apache program can reach eg /etc/httpd or similar eg the same dir as the httpd.conf.
 
Old 01-06-2013, 12:19 AM   #9
Pudnik
LQ Newbie
 
Registered: Feb 2009
Location: USA
Distribution: fedora 10
Posts: 6

Original Poster
Rep: Reputation: 0
@chrism01: I tried that, no luck. But thanx for everyone's help so far, it is appreciated
@jpollard: Thanx for your input. I'm going to start all over.

OK...suppose I have a clean Apache HTTPD.CONF file.

I then run the following command in the document root:

> md test

...What would be the best-practice, step-by-step procedure for password-protecting this TEST directory with digest authentication, assuming that the appropriate apache module entry has been added to httpd.conf?

Thanx in advance everyone your help is appreciated

Pudnik
 
Old 01-06-2013, 07:04 PM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,357

Rep: Reputation: 2367
Like this https://httpd.apache.org/docs/2.2/howto/auth.html

As previously mentioned:
1. no system user needs to be created
2. best practice / more secure is to use in the relevant <Directory> ... </Directory> stanza, rather than a .htaccess file.
 
Old 01-11-2013, 03:15 PM   #11
Pudnik
LQ Newbie
 
Registered: Feb 2009
Location: USA
Distribution: fedora 10
Posts: 6

Original Poster
Rep: Reputation: 0
Thumbs up Password Protecting an Apache Webfolder - SOLVED

...By default, Apache apparently DOES NOT recognize paths relative to the docroot. When I changed this:

/homework

to this:

/var/www/html/homework


it worked. Now to figure out how to do digest authentication...
 
Old 01-11-2013, 03:42 PM   #12
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,604

Rep: Reputation: 415
Although this isn't directly related to what you are trying to do it is an applicable solution and wanted to throw it out there.

You can use MySQL based authentication to protect directories in apache via mod_auth_mysql. Here is a good overview/walkthrough on it if you want to take a look:

http://www.howtoforge.com/mod_auth_mysql_apache2_debian
 
Old 01-11-2013, 03:44 PM   #13
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,604

Rep: Reputation: 415
Note: the link provided is for Debian; however, since it relates to Apache it is almost exactly the same as in Red Hat/CentOS. Just replace the paths such as /etc/apache2/ with /etc/httpd/ and /etc/apache2/mods-enabled/ is not the same. You would just add the LoadModule line to your /etc/httpd/conf/httpd.conf or in a separate config file in /etc/httpd/conf.d/. If you have any questions on this let me know.
 
Old 01-11-2013, 05:08 PM   #14
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,688

Rep: Reputation: 1259
Quote:
Originally Posted by Pudnik
...By default, Apache apparently DOES NOT recognize paths relative to the docroot. When I changed this:

/homework

to this:

/var/www/html/homework


it worked. Now to figure out how to do digest authentication...
You do realize this is not "a directory under the webroot"...

Apache only provided relative evaluation to queries from the user, not a definition within the configuration file.

And if you wanted to tie the long path to a name under the webroot you have to use an alias definition.
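
Added example, not part of any post in this thread: a small Python lint for the three configuration mistakes the thread works through (a <Directory> path that is a URL path rather than a filesystem path, Require group without AuthGroupFile, and a password file inside the document root). The function names and the sample config are constructed for illustration; the check ignores Include files, nested sections and .htaccess.

```python
import re

# Constructed sample reproducing the thread's first attempt (not a real server config).
SAMPLE_CONF = '''\
DocumentRoot "/var/www/html"
<Directory "/homework">
    AuthType Basic
    AuthName "Homework"
    AuthUserFile /var/www/html/.htpasswd
    Require group wheel
</Directory>
'''

def _under(path, root):
    """True when path equals root or lies below it."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")

def lint_auth_blocks(conf):
    """Return (directory, finding) pairs for the mistakes discussed in the thread."""
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', conf, re.M | re.I)
    docroot = m.group(1) if m else None
    aliases = re.findall(r'^\s*Alias\s+\S+\s+"?([^"\s]+)', conf, re.M | re.I)
    findings = []
    blocks = re.finditer(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', conf, re.S | re.I)
    for blk in blocks:
        path, body = blk.group(1), blk.group(2)
        # Collect directives as {lowercased name: [argument strings]}, skipping comments.
        d = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                d.setdefault(parts[0].lower(), []).append((parts + [""])[1].strip())
        if "authtype" not in d:
            continue  # only auth-protected blocks are of interest
        roots = ([docroot] if docroot else []) + aliases
        if roots and not any(_under(path, r) for r in roots):
            findings.append((path, "path is outside DocumentRoot and every Alias target; "
                                   "<Directory> takes a filesystem path, not a URL path"))
        if any(r.lower().startswith("group") for r in d.get("require", [])) and "authgroupfile" not in d:
            findings.append((path, "Require group without AuthGroupFile"))
        for f in d.get("authuserfile", []):
            if docroot and _under(f.strip('"'), docroot):
                findings.append((path, "AuthUserFile is inside DocumentRoot"))
    return findings

if __name__ == "__main__":
    for path, msg in lint_auth_blocks(SAMPLE_CONF):
        print(f"{path}: {msg}")
```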
 
  

