Securing pages with a password
In the directory you want to protect with a password, create a file .htaccess and put the following in it.
First, we force an encrypted connection so that the password is not transmitted in plain text. One way to achieve that is the directive SSLRequireSSL:

    SSLRequireSSL

The second option is to redirect unencrypted requests to the encrypted variant:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{HTTPS} !=on
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

The rest of the file then contains:
    AuthName "jmeno oblasti"
    AuthType Basic
    AuthUserFile /cesta/k/souboru/s/hesly
    require valid-user

The item AuthName specifies the name of the protected area that is shown to clients when they are asked for the password (a multi-word name must be enclosed in quotes). The item AuthUserFile refers to the file in which all permitted usernames and their passwords are defined. For illustration, let's assume that a .htaccess with the following content is located in the directory /home/xnovak99/public_html/censored:
    AuthName "Libri prohibiti"
    AuthType Basic
    AuthUserFile /home/xnovak99/public_html/.htpasswd
    require valid-user

This specifies that access to the files in the subtree security (whose URL begins with https://www.fi.muni.cz/~xnovak99/security) is granted only after a valid username and password are entered, checked against the information in the file .htpasswd.
The file referenced by AuthUserFile has the following text form:

    jmeno1:zakodovane_heslo1
    jmeno2:zakodovane_heslo2
    ...

The password of each valid login name must be encoded with the classic Unix cipher crypt; it can be generated, for example, with the Perl or C function crypt() or with the htpasswd utility. An example of a password file:

    bond:Xy9KgHmOmCESc
    trubka:qWKFFmkF7LPjQ

If a visitor to the protected area then enters the name "bond" with the password "James", or the name "trubka" with the password "dcs.48", they are granted access.
The password file must be accessible to the web server, i.e. readable by the user apachefi. In your case you can therefore give it the r permission for others, and it must lie in a directory that is reachable from the root (/) through the x permission for others at every level. A more secure way is to use an ACL: setfacl -m u:apachefi:r .htaccess. The same applies to the files in the password-protected area: they must be accessible in the file system just like unprotected pages. It is therefore clear that this type of protection is effective only against people who do not have a Unix account on the same machine; if you want to keep the pages safe from those users as well, you can use ACLs or other more sophisticated methods.
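The two permission conditions just described (x for others on every directory from / downwards, r for others on the file itself) are easy to get wrong in a home directory that is itself closed. The following script is an added example, not part of the original page: it audits a given path against exactly those conditions and names the directory or file that blocks an unprivileged server user. It assumes the server user owns nothing on the path and is in no relevant group, so only the "others" bits count; the demo() function builds a constructed tree in the temp directory (with the sample entry from the page) to show the three states.

```python
import stat
import tempfile
from pathlib import Path


def permission_problems(path: str) -> list[str]:
    """Return the reasons why an unprivileged web server user (owning nothing on
    the path, in no relevant group) could not read `path`. An empty list means
    the file is reachable through the 'others' permission bits alone."""
    target = Path(path).resolve()
    problems = []
    # Every ancestor from the root (/) down needs x for others, otherwise the
    # server cannot even traverse to the file.
    for directory in reversed(target.parents):
        if not directory.stat().st_mode & stat.S_IXOTH:
            problems.append(f"{directory}: missing x for others (chmod o+x)")
    mode = target.stat().st_mode
    if not stat.S_ISREG(mode):
        problems.append(f"{target}: not a regular file")
    elif not mode & stat.S_IROTH:
        problems.append(
            f"{target}: missing r for others "
            f"(chmod o+r, or grant only the server user: setfacl -m u:apachefi:r {target.name})"
        )
    return problems


def demo() -> dict[str, list[str]]:
    """Build a constructed directory tree under the temp dir and audit a password
    file in three states: closed parent directory, unreadable file, both fixed."""
    base = Path(tempfile.mkdtemp())
    base.chmod(0o755)                            # mkdtemp creates 0700; open it up
    locked = base / "locked_dir"
    locked.mkdir(0o700)                          # no x for others yet
    pwfile = locked / ".htpasswd"
    pwfile.write_text("bond:Xy9KgHmOmCESc\n")   # constructed sample line (from the page's example)
    pwfile.chmod(0o644)
    results = {}
    results["closed_dir"] = permission_problems(str(pwfile))   # directory blocks traversal
    locked.chmod(0o755)
    pwfile.chmod(0o600)
    results["unreadable_file"] = permission_problems(str(pwfile))  # file itself unreadable
    pwfile.chmod(0o644)
    results["fixed"] = permission_problems(str(pwfile))        # should report nothing new
    return results


if __name__ == "__main__":
    for state, problems in demo().items():
        print(f"{state}: {problems or 'OK'}")
```

Note that a world-readable password file is exactly what lets every other Unix user on the machine read the crypt hashes, which is why the page prefers the setfacl variant that grants read access to the server user only; the checker reports the chmod fix and the ACL alternative side by side.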
Kerberos
One of them is the use of Kerberos. This system is used to authenticate users on the faculty machines and in Fadmin, and nothing prevents you from using it to authenticate the users of your pages. The only limitation is that the user must have a valid faculty login and password.

An example .htaccess configuration:

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealm FI.MUNI.CZ
    KrbMethodNegotiate off
    KrbVerifyKDC on
    Krb5Keytab /etc/httpd/kerberos/httpd.keytab
    require user login1@FI.MUNI.CZ login2@FI.MUNI.CZ

Using require valid-user instead would successfully authenticate anyone with a valid FI login.
Kerberos + LDAP
If you want to make the page available to members of certain faculty groups (a Unix group must exist, see aisa$ getent group), LDAP must be used for authorization (authentication still uses Kerberos).

The Kerberos configuration looks the same as in the previous example; just add this line:

    KrbLocalUserMapping on

Configuration of authorization through LDAP:

    AuthLDAPUrl "ldaps://ldap.fi.muni.cz ldap1.fi.muni.cz/ou=People,dc=fi,dc=muni,dc=cz?uid"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

Access for groups or individual users can then be added using a combination of RequireAny, Require ldap-user and Require ldap-group, for example:

    <RequireAny>
        Require ldap-group cn=JMENO_SKUPINY,ou=Group,dc=fi,dc=muni,dc=cz
        Require ldap-group cn=JMENO_JINE_SKUPINY,ou=Group,dc=fi,dc=muni,dc=cz
        Require ldap-user LOGIN_UZIVATELE
    </RequireAny>
Managing access to pages by address / client name
In the directory you want to control, create a file .htaccess and add the following lines to it:

    Require ip IP1 IP2 …
    Require host hostname1 hostname2 …

Only the clients explicitly listed in the Require … lines will have access to the given subtree. There can be any number of parameters (separated by spaces). A parameter may be:
- For Require ip:
  - an IP address: 10.0.0.240
  - an address prefix: 10.0.0 (same meaning as 10.0.0.0/24)
  - an IP address with mask: 10.0.0.0/255.0.0.0
  - an address in CIDR syntax: 10.0.0.0/8
  - an IPv6 address: 2001:718:801:235::b
  - an IPv6 address with mask: 2001:718:801:230::/64
- For Require host:
  - a domain name or suffix: fi.muni.cz (this matches the clients "fi.muni.cz" and "node2.fi.muni.cz", but not "fifi.muni.cz": an implied dot is always assumed before the specified suffix, unless one is explicitly given there)
If you need to allow access to everyone except selected machines or domains, the directive <RequireAll> is available. Denying access from the domain nekde.cz would look like this:

    <RequireAll>
        Require not host nekde.cz
        Require all granted
    </RequireAll>
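To make the matching rules of the parameter list above and of the RequireAll example concrete, here is an added example (not code from the original page or from Apache) that models them in Python: every Require ip form from the list (full address, partial prefix, dotted mask, CIDR, IPv6), the implied-dot rule for Require host, and the "everyone except" pattern. It assumes the client hostname is already known; real Apache only trusts a hostname after a reverse lookup whose forward lookup leads back to the client address, which this model does not perform.

```python
import ipaddress


def _ip_param_to_network(param: str):
    """Translate one `Require ip` parameter into a network object.
    Handles a full address, an IPv4 partial prefix (10.0.0), a dotted mask
    (10.0.0.0/255.0.0.0), CIDR (10.0.0.0/8) and the IPv6 forms."""
    if "/" not in param and ":" not in param and param.count(".") < 3:
        # Partial IPv4 prefix: one octet per dot, e.g. "10.0.0" -> 10.0.0.0/24
        octets = param.split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)
    # ip_network accepts both CIDR and dotted-mask notation;
    # a bare address becomes a /32 (IPv4) or /128 (IPv6) network
    return ipaddress.ip_network(param, strict=False)


def ip_matches(client_ip: str, params: list[str]) -> bool:
    """True if the client address falls into any `Require ip` parameter."""
    addr = ipaddress.ip_address(client_ip)
    for param in params:
        net = _ip_param_to_network(param)
        if addr.version == net.version and addr in net:
            return True
    return False


def host_matches(client_host: str, params: list[str]) -> bool:
    """True if the client hostname matches any `Require host` parameter."""
    host = client_host.lower().rstrip(".")
    for param in params:
        pattern = param.lower().rstrip(".")
        if pattern.startswith("."):
            # Explicit leading dot: pure suffix match, the bare domain itself does not match
            if host.endswith(pattern):
                return True
        elif host == pattern or host.endswith("." + pattern):
            # Implied dot before the suffix: fi.muni.cz matches node2.fi.muni.cz
            # and fi.muni.cz itself, but not fifi.muni.cz
            return True
    return False


def require_any(client_ip: str, client_host: str,
                ip_params: list[str], host_params: list[str]) -> bool:
    """Several Require ip / Require host lines in .htaccess: any match grants access."""
    return ip_matches(client_ip, ip_params) or host_matches(client_host, host_params)


def require_all_not_host(client_host: str, denied_hosts: list[str]) -> bool:
    """<RequireAll> Require not host X ... Require all granted </RequireAll>:
    everyone is granted access unless the hostname matches a denied name."""
    return not host_matches(client_host, denied_hosts)


if __name__ == "__main__":
    # Constructed sample clients, checked against the page's example parameters
    print(ip_matches("10.0.0.7", ["10.0.0"]))                        # True  (prefix = /24)
    print(ip_matches("10.200.3.4", ["10.0.0.0/255.0.0.0"]))          # True  (dotted mask)
    print(host_matches("fifi.muni.cz", ["fi.muni.cz"]))              # False (implied dot)
    print(require_all_not_host("www.nekde.cz", ["nekde.cz"]))        # False (denied)
```

The model is useful for reviewing an access list before deploying it: a partial prefix such as 10.0.0 silently widens to a whole /24, and a suffix written without the leading dot also admits the bare domain itself, both of which are easy to overlook when reading the .htaccess by eye.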
For more detailed information, see the Apache 2.4 documentation.