  • How to set up password authentication in apache (httpd) with htpasswd and .htaccess on RHEL / CentOS 7

    In this article I will show you, step by step, how to create protected directories on your Apache server which can be accessed only by the respective users with proper access.

    I assume you have the httpd package installed on your setup; if not, you can install it manually.
    If you do not have an active online yum repository, you can create an offline yum repository.


    Next install httpd and all its dependency packages
    # yum -y install httpd

    I have a directory "/var/www/html/secret/" which must be accessible only to user "deepak".
    So let us first create this directory

    # mkdir /var/www/html/secret/

    I will create a dummy index.html file inside /var/www/html/secret/ for deepak
    # cat /var/www/html/secret/index.html
    ###########
    ## This is a secret file for Deepak only
    ###########

    Before starting with our httpd configuration, we should create a password file for user "deepak".

    NOTE: Here deepak will not use the system's passwd file; instead we have to create a new one with htpasswd, which Apache will use for authentication.
    • htpasswd is used to create and update the flat-files used to store usernames and passwords for basic authentication of HTTP users.
    • Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by htpasswd.
    • htpasswd encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's crypt() routine.
    • Files managed by htpasswd may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt().

    Use the below command to create a password for user "deepak"
    # htpasswd -c /etc/httpd/.htpasswd deepak
    New password:
    Re-type new password:
    Adding password for user deepak

    NOTE: You can use any other secure path for the .htpasswd file. I am using /etc/httpd.





    If you see the content of this .htpasswd file
    # cat /etc/httpd/.htpasswd
    deepak:$apr1$2D7PPz82$cSP2lNCNmzE80dXrXakAI/

    Here
    -c Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.
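
    Since one password file can mix schemes, it helps to see which scheme each entry uses. The script below is an added example, not part of the original article: it classifies entries by the prefix htpasswd writes ($2y$ for bcrypt via -B, $apr1$ for the default Apache MD5, {SHA} for -s). The function names and the user_b, user_s and user_c sample lines are constructed; only the deepak line comes from the output above.

```shell
#!/bin/sh
# Added example, not from the original article.
# Print "user scheme" for every entry of an htpasswd file.
htpasswd_schemes() {                      # usage: htpasswd_schemes FILE
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
        {
            sep = index($0, ":")
            if (sep == 0) next                        # not a user:hash record
            user = substr($0, 1, sep - 1)
            hash = substr($0, sep + 1)
            p4 = substr(hash, 1, 4)
            if (p4 == "$2y$" || p4 == "$2a$" || p4 == "$2b$") s = "bcrypt"
            else if (index(hash, "$apr1$") == 1)      s = "apr1-md5"
            else if (index(hash, "{SHA}") == 1)       s = "sha1-unsalted"
            else                                      s = "crypt-or-plain"
            print user, s
        }' "$1"
}

# Print the users whose entry is not bcrypt.
htpasswd_not_bcrypt() {                   # usage: htpasswd_not_bcrypt FILE
    htpasswd_schemes "$1" | awk '$2 != "bcrypt" { print $1 }'
}

# Constructed sample file: the hashes for user_b, user_s and user_c are
# placeholders that only carry the right prefix, not real password hashes.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
deepak:$apr1$2D7PPz82$cSP2lNCNmzE80dXrXakAI/
user_b:$2y$05$CONSTRUCTEDplaceholderCONSTRUCTEDplaceholderCONSTRUCT
user_s:{SHA}CONSTRUCTEDplaceholder=
user_c:CONSTRUCTEDcrypt
EOF

htpasswd_schemes "$sample"
```

    Entries listed by htpasswd_not_bcrypt can be re-created with htpasswd -B, which asks for the user's password again because an existing hash cannot be converted.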

    Next, you'll need to configure the server to request a password and tell the server which users are allowed access.
    You can do this either by editing the httpd.conf file or using an .htaccess file.

    For example, if you wish to protect the directory /var/www/html/secret/, you can use the following directives, either placed in the file /var/www/html/secret/.htaccess, or placed in /etc/httpd/conf/httpd.conf inside a <Directory "/var/www/html/secret"> section.


    Method 1: Using .htaccess file

    If you plan to use .htaccess files, you will need to have a server configuration that permits putting authentication directives in these files. This is done with the AllowOverride directive, which specifies which directives, if any, may be put in per-directory configuration files.

    Since we're talking here about authentication, you will need an AllowOverride directive like the following
    AllowOverride AuthConfig

    So let me append this in my /etc/httpd/conf/httpd.conf

    NOTE: Comment out all other Directory sections in your httpd.conf pointing to /var/www, /var/www/html or a similar path. Otherwise you must add AllowOverride AuthConfig to all those Directory sections for .htaccess to work, since our secret directory lies under /var/www/html.
    Alias /web "/var/www/html/secret/"

    <Directory "/var/www/html/secret">
    AllowOverride AuthConfig
    </Directory>
    NOTE: I have used an alias here which is optional.

    Next create a .htaccess file with the below content at /var/www/html/secret/.htaccess
    AuthType Basic
    AuthName "Secret Files"
    AuthUserFile /etc/httpd/.htpasswd
    Require user deepak

    We are all set to start our httpd server
    # systemctl restart httpd

    # systemctl is-active httpd
    active

    Now you can try to access your page with the alias /web as we have used; it must prompt for a username and password.


    Method 2: Using Directory in httpd.conf

    Add the below content at the end of "/etc/httpd/conf/httpd.conf".

    NOTE: Here a VirtualHost is not mandatory; I have added it only to set a custom error log and DocumentRoot, which can come in handy.

    Alias /web "/var/www/html/secret/"

    <VirtualHost 192.168.1.6:80>
        ServerAdmin root@server.golinuxhub.com
        ServerName golinuxhub-server
        DocumentRoot /var/www/html/secret
        ErrorLog logs/error_log

        <Directory "/var/www/html/secret">
            AuthType Basic
            AuthName "Secret Files"
            AuthUserFile /etc/httpd/.htpasswd
            Require user deepak
        </Directory>
    </VirtualHost>

    The AuthType directive selects the method that is used to authenticate the user. The most common method is Basic. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl.
    Save and exit the file, then restart the service
    # systemctl restart httpd

    # systemctl is-active httpd
    active

    Now you can try to access your page with the alias /web as we have used; it must prompt for a username and password.
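
    To see why Basic authentication needs mod_ssl, look at what the browser actually sends once the prompt is answered. The script below is an added example, not part of the original article: it builds the Authorization header for a constructed username and password and then recovers both from a constructed request with nothing but base64 decoding. The function names and the password are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Build the header a browser sends for Basic authentication.
basic_auth_header() {                     # usage: basic_auth_header USER PASSWORD
    printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Read a raw HTTP request on stdin and print the credentials it carries.
# Returns 1 when the request has no Basic Authorization header.
basic_auth_credentials() {
    token=$(tr -d '\r' |
        sed -n 's/^[Aa]uthorization:[ ]*[Bb]asic[ ][ ]*//p' | head -n 1)
    [ -n "$token" ] || return 1
    cred=$(printf '%s' "$token" | base64 -d) || return 1
    # The user name ends at the first ":"; the password may contain more.
    printf 'user=%s password=%s\n' "${cred%%:*}" "${cred#*:}"
}

# Constructed request for the /web alias used in this article.
request=$(printf 'GET /web/ HTTP/1.1\r\nHost: golinuxhub-server\r\n%s\r\n\r\n' \
    "$(basic_auth_header deepak 'S3cr:et')")

printf '%s' "$request" | basic_auth_credentials
```

    No key is involved in the decoding, so the password is protected only when the whole connection is carried over TLS.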


    How to provide authentication to multiple users?

    The steps are similar and can again be done using either of the methods explained earlier. For the sake of this example I will use the <Directory> method.

    Assign a password to each of the other users using the below command and the same password file as used earlier
    # htpasswd  /etc/httpd/.htpasswd ankit
    New password:
    Re-type new password:
    Adding password for user ankit

    # htpasswd  /etc/httpd/.htpasswd amit
    New password:
    Re-type new password:
    Adding password for user amit

    Now if we check, we have three entries for three different users
    # cat /etc/httpd/.htpasswd
    amit:$apr1$//0qsYXA$b/YBtjYWNVnAq.ktus1yD.
    deepak:$apr1$eAmlseNr$F8TRQZvqoxGn5TDmdrT311
    ankit:$apr1$bEXxG.Wh$Ejavy56OHpFVBHs8ETah41

    Next we will need to create a group file that associates group names with a list of users in that group. The contents of the file will look like this:

    NOTE: You can give the group file any name and keep it at any location; I am using the below path.
    # cat /etc/httpd/.groups
    GroupName: deepak amit ankit
    Here I have added three users to my group, which I will authenticate using httpd.conf

    Next update your httpd.conf with below content
    Alias /web "/var/www/html/secret/"

    <Directory "/var/www/html/secret">
            AuthType Basic
            AuthName "Secret Files"
            AuthUserFile "/etc/httpd/.htpasswd"
            AuthGroupFile "/etc/httpd/.groups"
            Require group GroupName
    </Directory>

    IMPORTANT NOTE:
    You can use the same content under "/var/www/html/secret/.htaccess" if you wish to use Method 1 from this article, i.e. with .htaccess.
    Here we are using "Require group" instead of "Require user" and have added a new directive "AuthGroupFile" to point to the group file we have created.

    Next save and exit the file and restart the httpd service to activate our change
    # systemctl restart httpd

    # systemctl is-active httpd
    active

    So all looks good; give your change a try to see if the browser prompts you for authentication.
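
    With "Require group", access depends on two files agreeing with each other. The script below is an added example, not part of the original article: it lists group members that have no password entry (they can never log in) and password entries outside the group (they authenticate but are denied). The function names and the rahul and sonal entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Members of GROUP in an AuthGroupFile ("name: user1 user2 ..."), one per line.
group_members() {                         # usage: group_members GROUPFILE GROUP
    awk -v g="$2" '
        { sep = index($0, ":"); if (sep == 0) next
          if (substr($0, 1, sep - 1) != g) next
          n = split(substr($0, sep + 1), m)          # split on whitespace
          for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# User names that have an entry in the AuthUserFile, one per line.
passwd_users() {                          # usage: passwd_users PASSWDFILE
    awk -F: '!/^[ \t]*#/ && NF > 1 { print $1 }' "$1"
}

# Group members with no password entry: they can never authenticate.
members_without_password() {              # usage: GROUPFILE GROUP PASSWDFILE
    group_members "$1" "$2" | while read -r u; do
        passwd_users "$3" | grep -qxF -- "$u" || echo "$u"
    done
}

# Password entries outside the group: denied by "Require group".
users_outside_group() {                   # usage: GROUPFILE GROUP PASSWDFILE
    passwd_users "$3" | while read -r u; do
        group_members "$1" "$2" | grep -qxF -- "$u" || echo "$u"
    done
}

# Constructed copies of the two files; rahul and sonal are not in the article.
grp=$(mktemp); pw=$(mktemp)
trap 'rm -f "$grp" "$pw"' EXIT
echo 'GroupName: deepak amit ankit rahul' > "$grp"
cat > "$pw" <<'EOF'
amit:$apr1$//0qsYXA$b/YBtjYWNVnAq.ktus1yD.
deepak:$apr1$eAmlseNr$F8TRQZvqoxGn5TDmdrT311
ankit:$apr1$bEXxG.Wh$Ejavy56OHpFVBHs8ETah41
sonal:$apr1$CONSTRUCTED$placeholderplaceholder00
EOF

echo "no password: $(members_without_password "$grp" GroupName "$pw")"
echo "not in group: $(users_outside_group "$grp" GroupName "$pw")"
```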

    I hope the article was useful.

    Deepak Prasad, Sunday, April 15, 2018