Web Design / Linux - Apache2 - Security with Passwords for Users and Groups using .htaccess and config files

APACHE2 MAKING SECURE FOLDER
############################

NOTE TO SELF - BUT MIGHT BE USEFUL TO YOU

auth can go in the main config or per directory with .htaccess (.htaccess files go into directories and set options for that directory and everything below it)

THE WHOLE TIME IM ROOT
#######################

I want to make /var/www/secure password protected. HOW?
2 ways:
.htaccess in /var/www/secure
Or:
put it in the config file: the /var/www config is in /etc/apache2/sites-available/default, so I put it between the VirtualHost lines

If you're going the .htaccess way, you need to allow those files, by editing /etc/apache2/sites-available/default:
<Directory /var/www/>
...
# this can't be set to None (keep the comment on its own line, Apache doesn't accept a comment after a directive)
AllowOverride All
...
</Directory>
Don't worry about the <Directory /> AllowOverride None; although it sounds dangerous, we override that setting with the /var/www directory directives (what I was just talking about above), and that's why we don't worry about it.
In other words:
/ -- this says no .htaccess because of AllowOverride None (which applies to all of its subfolders)
/var/www -- this says yes .htaccess because of the AllowOverride All (which applies to all of its subfolders). Thus it works out for /var/www/secure
/var/www/secure/.htaccess -- thus this file is read because it's within the /var/www directive (sure it's within /, but again that gets overridden by /var/www)
If the above paragraph didn't make sense, there are more explanations below with full configs

To get there we need to make a password file with users, and if you want a group you need to make a group file; then the config (the .htaccess file or the default file) needs the right directives pointing at the password and group files.

So here are the config examples for a single user, a group, or all users in the password file (multiple users, no group file needed)

FOR ONE USER
==============

This makes the password file:
htpasswd -c /etc/apache2/passes bobby
PW: monster

Create the file from scratch:
vim /var/www/secure/.htaccess

AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /etc/apache2/passes
Require user bobby

OR LIKEWISE, INSTEAD OF /var/www/secure/.htaccess, PUT IT IN THE APPROPRIATE CONFIG FILE
IN THIS CASE: /etc/apache2/sites-available/default - IGNORE WHERE IT SAYS 50000, usually that's 80
<VirtualHost *:50000>
...So put config inbetween the virtual host lines - below here ...
<Directory /var/www/secure>
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /etc/apache2/passes
Require user bobby
</Directory>
...put config above here...

</VirtualHost>


FOR GROUP
==========

Add more users to the password file (no -c this time: -c recreates the file and would wipe bobby):
htpasswd /etc/apache2/passes marketing
htpasswd /etc/apache2/passes eng

PW for marketing: woworld
PW for eng: password2

Make a file for groups bringing the users together, just a simple text file of the form:
vim /etc/apache2/groups
fredinc: marketing bobby eng

Edit the .htaccess file:
vim /var/www/secure/.htaccess

AuthType Basic
AuthName "For marketing and eng only:"
# Optional line:
AuthBasicProvider file
AuthUserFile /etc/apache2/passes
AuthGroupFile /etc/apache2/groups
Require group fredinc

OR LIKEWISE, INSTEAD OF /var/www/secure/.htaccess, PUT IT IN THE APPROPRIATE CONFIG FILE
IN THIS CASE: /etc/apache2/sites-available/default - IGNORE WHERE IT SAYS 50000, usually that's 80
<VirtualHost *:50000>
...So put config inbetween the virtual host lines - below here ...
<Directory /var/www/secure>
AuthType Basic
AuthName "For marketing and eng only:"
# Optional line:
AuthBasicProvider file
AuthUserFile /etc/apache2/passes
AuthGroupFile /etc/apache2/groups
Require group fredinc
</Directory>
...put config above here...
</VirtualHost>

HOW THE PW FILE LOOKS IN THE END
================================

The PW file for the single-user config looks the same, but only has the first line, not the last 2 lines. Although it could have the last 2 lines and it wouldn't hurt, as we are only allowing "bobby" in from the config.

# cat /etc/apache2/passes
bobby:$apr1$W6D7mDCi$00MnJVobwo75ZjrHW0tqV1
eng:$apr1$LoQgejsd$MIgjLKIDDm2EHlVcuJLF00
marketing:$apr1$3u/j5WFx$8lXQMb6A/0RoMc.nEUATg.

ANOTHER WAY TO LET MULTIPLE PPL IN THAT WOULD HAVE WORKED HERE:
===============================================================

There's another way to let multiple users in that is less specific. Rather than creating a group file, you can just use the following directive:

Require valid-user

Using that rather than the "Require user bobby" line will allow anyone in that is listed in the password file, and who correctly enters their password.
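To see what the three Require forms on this page actually decide, here is an added shell script (not part of these notes) that emulates the decision against constructed copies of the passes and groups files. Like Apache's file provider, it checks that the name is in the password file first and only then applies the Require rule; the hashes and the name "mallory" are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: which names get in for
# "Require user bobby", "Require group fredinc" and "Require valid-user".
# PASSES_FILE and GROUPS_FILE are constructed copies of /etc/apache2/passes
# and /etc/apache2/groups; the hashes are placeholders, only names matter here.

WORK=$(mktemp -d)
PASSES_FILE="$WORK/passes"
GROUPS_FILE="$WORK/groups"

cat > "$PASSES_FILE" <<'EOF'
bobby:$apr1$PLACEHOLDER$hash1
eng:$apr1$PLACEHOLDER$hash2
marketing:$apr1$PLACEHOLDER$hash3
EOF
printf 'fredinc: marketing bobby eng\n' > "$GROUPS_FILE"

# known_user NAME -> true if NAME has an entry in the password file.
# Authentication happens before any Require rule, so a name missing here
# never gets in, even if it is listed in the group file.
known_user() {
    grep -q "^$1:" "$PASSES_FILE"
}

# in_group NAME GROUP -> true if the GROUP line of the group file lists NAME.
in_group() {
    awk -v u="$1" -v g="$2" -F': *' \
        '$1 == g { n = split($2, m, " "); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
         END { exit !found }' "$GROUPS_FILE"
}

# allowed NAME KIND [ARG] -> emulates "Require user ARG", "Require group ARG"
# and "Require valid-user" for a user who typed the right password.
allowed() {
    known_user "$1" || return 1
    case "$2" in
        user)       [ "$1" = "$3" ] ;;
        group)      in_group "$1" "$3" ;;
        valid-user) true ;;
        *)          echo "allowed: unknown Require kind '$2'" >&2; return 2 ;;
    esac
}

# mallory is a constructed name that is NOT in the password file
for name in bobby eng marketing mallory; do
    for rule in "user bobby" "group fredinc" "valid-user"; do
        if allowed "$name" $rule; then verdict=allowed; else verdict=denied; fi
        printf '%-10s Require %-14s -> %s\n' "$name" "$rule" "$verdict"
    done
done
```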

DOWNLOAD WITH PASSWORD WITH WGET (if you need to get a file out later)
######################################################################

wget --user=bobby --password='monster' http://www.server.com/secure/file.txt

Basic auth only base64-encodes the password, so over plain http anyone on the path can read it (and it lands in your shell history); use https for anything beyond a test box.

IF .htaccess WAS NOT WORKING BUT /etc/apache2/.../default WAS WORKING
######################################################################

It's because AllowOverride was set to None; it needs to be set to All, as this says:

By the way, this is problem #4. The other problems: make sure the file name .htaccess is all lowercase and spelled correctly, and that there are no syntax errors in the file. Or maybe it's being overridden by another .htaccess file, as the settings do merge. To see which .htaccess files you have: "find /path/to/website/root -iname .htaccess -print"

Htaccess Problem #4: Htaccess Disabled by AllowOverride Setting

On some servers, Apache is configured to ignore some or all directives in .htaccess files. This is for security reasons. The AllowOverride directive controls which features will be allowed in .htaccess files. For example AllowOverride None can turn off htaccess files for a folder and its subfolders.

Check your Apache configuration file for which AllowOverride directive is applied to the directory containing your problem htaccess file.

If you're not sure which configuration file to look in, start with the main Apache configuration file httpd.conf or apache2.conf. If your website is configured in a file included by httpd.conf (e.g. a virtual hosts configuration file), you will need to look in that file. See Location of httpd.conf on CentOS, Ubuntu, Mac and others to locate your httpd.conf.

To enable using a .htaccess file, change AllowOverride None to AllowOverride All.

For example, for a CentOS 5.3 server, I needed to change the AllowOverride setting in the file /etc/httpd/conf.d/virtualhosts.conf.

httpd.conf before:

Options FollowSymLinks
AllowOverride None

httpd.conf after:

Options FollowSymLinks
AllowOverride All

Be aware that enabling htaccess files has security implications, as htaccess files override your Apache configuration. For example, if your site provides uploads, a hacker could potentially upload a .htaccess file to your server and use it to gain access to your server. There are options to AllowOverride that restrict the directives that will be used from a .htaccess file. See the documentation for AllowOverride.

HOW .htaccess IS APPLIED
##########################

How directives are applied

The configuration directives found in a .htaccess file are applied to the directory in which the .htaccess file is found, and to all subdirectories thereof. However, it is important to also remember that there may have been .htaccess files in directories higher up. Directives are applied in the order that they are found. Therefore, a .htaccess file in a particular directory may override directives found in .htaccess files found higher up in the directory tree. And those, in turn, may have overridden directives found yet higher up, or in the main server configuration file itself.
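The merge order described above, as an added shell example (not from these notes): htaccess_chain walks from the document root down to the requested directory and prints every .htaccess on the way, outermost first, which is the order Apache applies them (so the last one printed wins on conflicting directives). DEMO_ROOT is a constructed temp tree standing in for /var/www.

```shell
#!/bin/sh
# Added example, not from the original notes: list the .htaccess files Apache
# would merge for a request into a directory, outermost first.

# htaccess_chain ROOT TARGET -> prints each .htaccess from ROOT down to TARGET
# in merge order. Returns 1 if TARGET is not under ROOT.
htaccess_chain() {
    root=${1%/}
    target=${2%/}
    case "$target" in
        "$root" | "$root"/*) ;;
        *) echo "htaccess_chain: $target is not under $root" >&2; return 1 ;;
    esac
    dir=$root
    [ -f "$dir/.htaccess" ] && echo "$dir/.htaccess"
    # remaining path below ROOT, one component at a time
    rest=${target#"$root"}
    old_ifs=$IFS
    IFS=/
    set -- $rest
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        dir="$dir/$comp"
        [ -f "$dir/.htaccess" ] && echo "$dir/.htaccess"
    done
    return 0
}

# Constructed tree mirroring the notes: a root .htaccess plus secure/.htaccess,
# and a deeper folder with no .htaccess of its own (it still inherits both).
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/secure/deep"
printf 'Require valid-user\n'    > "$DEMO_ROOT/.htaccess"
printf 'Require group fredinc\n' > "$DEMO_ROOT/secure/.htaccess"

echo "For $DEMO_ROOT/secure/deep Apache merges, in this order:"
htaccess_chain "$DEMO_ROOT" "$DEMO_ROOT/secure/deep"
```

Remember this only shows which files Apache would read; an AllowOverride None on a directory above them still makes it ignore every one of them.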

---NOTE IN MY CASE FOR .htaccess TO WORK, I HAD TO CHANGE IT IN ONE PLACE:---
vim /etc/apache2/sites-available/default


ORIGINAL CONFIG DIDNT ALLOW .htaccess FILES
##########################################

# cat  /etc/apache2/sites-available/default
<VirtualHost *:50000>
ServerAdmin webmaster@localhost

DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>


CONFIG WHEN I HAD /var/www/secure SET FROM THE SERVER CONFIG, AND .htaccess FILES WERE DISABLED
###############################################################################################

* this way there is no need for a .htaccess file anywhere; copies of the groups and passes files are above and below

# cat  /etc/apache2/sites-available/default
<VirtualHost *:50000>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                # <---- the next line is what disabled the .htaccess files
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        # <---- this section allows security for group fredinc
        <Directory /var/www/secure>
                AuthType Basic
                AuthName "For marketing and eng only:"
                # Optional line:
                AuthBasicProvider file
                AuthUserFile /etc/apache2/passes
                AuthGroupFile /etc/apache2/groups
                Require group fredinc
        </Directory>



        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel debug

        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

FINAL CONFIG ALLOWED .htaccess FILES
####################################

# cat  /etc/apache2/sites-available/default
<VirtualHost *:50000>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel debug

        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# cat /var/www/secure/.htaccess
AuthType Basic
AuthName "For marketing and eng only:"
AuthBasicProvider file
AuthUserFile /etc/apache2/passes
AuthGroupFile /etc/apache2/groups
Require group fredinc

* This one is made manually
# cat /etc/apache2/groups
fredinc: marketing bobby eng

* this one is made with the htpasswd command as I mentioned above
# cat /etc/apache2/passes
bobby:$apr1$W6D7mDCi$00MnJVobwo75ZjrHW0tqV1
eng:$apr1$LoQgejsd$MIgjLKIDDm2EHlVcuJLF00
marketing:$apr1$3u/j5WFx$8lXQMb6A/0RoMc.nEUATg.
