Apache-Website Security

Posted February 27, 2004 by lvance in Linux security

Simple, clear security for websites running on Apache. This works on any flavor of Unix.


In the httpd.conf file, edit this block:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

To read:
<Directory />
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>

Go to serverroot/bin and run the command:
htpasswd -c /password test
This creates the password file with the example user test. It will prompt for a new password, for example: testpassword

Remember: you must make the password file executable. You can find it in /.

Then create a file named .htaccess that reads:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /password
Require user test

Now when you hit the website or the files in the directory you want to secure, it will prompt you for the test username and the password that you created. Basic authentication is clear text, so be careful. More than one name can be used by running the htpasswd command without the -c option; it will just add more names below the first. I usually use this on internal webservers that I want to restrict to certain users. More info is in the apache.org documentation.
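As an added example (not part of the original post), this Python script audits the setup described above: it reads the .htaccess directives, checks that every user named in Require has an entry in the password file, that the AuthUserFile path is not under the document root, and which hash scheme each entry uses. The document root /var/www/html and the password-file contents are constructed sample values, not real hashes.

```python
import os
import shlex

# Schemes reported as findings; apr1-md5 and bcrypt are not flagged here.
FLAGGED = {"crypt-des", "sha1-unsalted", "plaintext-or-unknown"}

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument list."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            conf[name.lower()] = args
    return conf

def hash_scheme(value):
    """Classify an htpasswd hash field by its documented prefix or length."""
    if value.startswith("$apr1$"):
        return "apr1-md5"
    if value.startswith("$2y$"):
        return "bcrypt"
    if value.startswith("{SHA}"):
        return "sha1-unsalted"
    return "crypt-des" if len(value) == 13 else "plaintext-or-unknown"

def audit(htaccess_text, passwd_text, docroot):
    """Return a list of findings for one .htaccess / password-file pair."""
    conf, findings = parse_htaccess(htaccess_text), []
    users = dict(l.split(":", 1) for l in passwd_text.splitlines() if ":" in l)
    pwfile = os.path.normpath(conf.get("authuserfile", [""])[0])
    root = os.path.normpath(docroot)
    if os.path.isabs(pwfile) and os.path.commonpath([root, pwfile]) == root:
        findings.append(f"{pwfile} is inside the document root")
    kind, *names = conf.get("require") or ["valid-user"]
    if kind == "user":
        findings += [f"required user {n!r} has no entry" for n in names if n not in users]
    for user, value in users.items():
        if hash_scheme(value) in FLAGGED:
            findings.append(f"user {user!r} uses {hash_scheme(value)}")
    return findings

# Constructed sample input: the .htaccess from the post plus a made-up password file.
HTACCESS = 'AuthType Basic\nAuthName "Restricted Files"\nAuthUserFile /password\nRequire user test\n'
PASSWD = "test:aaBBccDDeeFFg\nalice:$apr1$SALTSALT$" + "h" * 22 + "\n"

if __name__ == "__main__":
    for finding in audit(HTACCESS, PASSWD, "/var/www/html"):
        print(finding)
```

A 13-character entry is a traditional crypt() hash, which only considers the first eight characters of the password.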
