Securing sites with passwords
In the directory whose contents you want to password-protect, create a file
AuthName "restricted area name"
AuthName entry specifies the name of the protected area that will be displayed to accessing clients when they request the password
(the multi-word string must be enclosed in quotes). The entry
AuthUserFile refers to the file where all allowed access names and passwords are defined. For the sake of illustration, suppose that
.htaccess with the following content is located in the directory
Then it is specified that access to files in the subtree
AuthName "Libri prohibiti"
security (the URL thus starts with https://www.fi.muni.cz/~xnovak99/security) is only authorized after a valid username and password have been entered according to the information in the aforementioned file
The file referenced via
AuthUserFile has the following text form:
Set the contents of the
.htpasswd file using the command
$ htpasswd /home/xnovak99/public_html/.htpasswd login1
Re-type new password:
Adding password for user login1
The password file must be accessible to the WWW server, i.e. readable by the user
apachefi. In your case, it can therefore be implemented with the permission
r for others and must be located in a directory that is already accessible from the root (
/) with the permission
x for others. A more secure way is to use the ACL:
setfacl -m u:apachefi:r .htaccess. Of course, the same applies to files in the password protected area - they must be accessible in the file system, just like the unsecured pages. So it's obvious that this type of protection only applies against people who don't have a Unix account on FI. If you want to secure something against these users as well, you can use the aforementioned ACL or other more sophisticated methods.
GSSAPI/Kerberos is a system used on faculty machines or on Fadmin to authenticate users. There is nothing stopping you from using it to authenticate your site users as well. The only restriction is that they must have a valid login. A faculty password will be used.Example configuration
AuthName "My secret documents"
Require user login1 login2
Require valid-user would successfully authenticate anyone with a valid FI login. See also the description of the
mod_auth_gssapi module configuration options. However, the module is already preconfigured to work with faculty authentication.
On classroom faculty machines, we try to ensure that browsers can take advantage of existing graphical session authentication via Kerbera - so you may find that you can get protected pages to work without logging in. In that case, it helps to discard Kerbera tickets by calling
kdestroyin the terminal.
Kerberos + LDAP
If you want to make the site available to members of certain faculty groups (there must be a Unix group, see
aisa$ getent group), you must use LDAP authorization (authentication remains Kerberos). The configuration for Kerberos looks the same as in the previous example.
Access to groups or individual users can be added using a combination of
Require ldap-user and
Require ldap-group. The web server is already preconfigured to look up the users and groups entered in this way in the faculty LDAP. For example:
Require ldap-group cn=GROUP_NAME,ou=Group,dc=fi,dc=muni,dc=cz
Require ldap-group cn=OTHER_GROUP_NAME,ou=Group,dc=fi,dc=muni,dc=cz
Require ldap-user USER_LOGIN
Control access to pages by client address/name.
In the directory you want to treat this way, create a file
.htaccess and add the following lines:
Require ip IP1 IP2 …
Require host hostname1 hostname2 …
Only clients explicitly identified by
Require …will be able to access this subtree of the site. There can be any number of parameters (separated by a space). A parameter can be
- IP address:
- Address prefix:
10.0.0(same meaning as
- IP address with mask:
- CIDR syntax address:
- IPv6 address:
- IPv6 address with mask:
- IP address:
- Domain name or its suffix:
fi.muni.cz(thus corresponds to clients "
node2.fi.muni.cz", but does not correspond to "
fifi.muni.cz" - an imaginary dot is always considered before the specified suffix, unless it is explicitly stated there)
- Domain name or its suffix:
If, on the other hand, you need to allow access to all but some selected machines/domains, the directive
<RequireAll> is available. Denying access from the
nekde.cz domain would look like this:
Require not host somewhere.org
Require all granted
See the Apache 2.4 documentation for more details.