Apache authentication

leighr · 20th December 2007, 5:38 PM

I've got a linux web server running apache2 that's been serving up pages for a few months, no problems there.

Now, I've got a request to secure a number of the folders/files scattered around the site. There will probably be around 100 users who will have access to these pages. And while it's not a requirement at the moment, it may need to extend to allowing only specific users access to specific pages.

I am, to put it bluntly, an apache noob. And I have no idea where to start on this one.

Any suggestions?

Thanks,

Leigh.

Iroquois · 20th December 2007, 7:19 PM

You'll want to look at something called .htaccess

Found this guide which is quite well written:

http://www.reallylinux.com/docs/htaccess.shtml

That should at least get you going.

checkers · 20th December 2007, 7:32 PM

The simple solution is mod_auth. This lets you implement basic http authentication. If you want more complicated authentication that is integrated into a site, you will need to do it with PHP or whatever HTML pre-processor you use.

memnoch · 21st December 2007, 12:51 PM

+1 to mod_auth or some other mod_foo module

You can use a number or back ends databases for your user accounts.
ldap (windows AD), user accounts, mysql, postgresql, htaccess users, pam accounts plus a few others.

http://httpd.apache.org/docs/2.0/mod/mod_auth.html
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
http://httpd.apache.org/docs/2.0/mod...th_digest.html
http://httpd.apache.org/docs/2.0/mod/mod_auth_dbm.html
http://httpd.apache.org/docs/2.0/mod/mod_access.html

stalin · 21st December 2007, 3:21 PM

If you have an existing directory service that has your users in, use mod_something

have it authenticate to LDAP or Active Directory, it reduces confusion and massively reduces ongoing administrative costs.

I would recommend AGAINST .htaccess simply because you have full access to the server. If you have access to the config files, the access controls should be done from within http.conf etc, as its more secure than in .htaccess files.
.htaccess are only used in hosting environments because they dont want to give rw users access to the main apache config file.

20th December 2007, 5:38 PM	#1
leighr Member Join Date: Feb 2002 Location: Mitcham, Melbourne Posts: 413	Apache authentication I've got a linux web server running apache2 that's been serving up pages for a few months, no problems there. Now, I've got a request to secure a number of the folders/files scattered around the site. There will probably be around 100 users who will have access to these pages. And while it's not a requirement at the moment, it may need to extend to allowing only specific users access to specific pages. I am, to put it bluntly, an apache noob. And I have no idea where to start on this one. Any suggestions? Thanks, Leigh. __________________ Shameless plug.... Need toys/lego? Check out http://www.peedeetoys.com.au

20th December 2007, 7:32 PM	#3
checkers Member Join Date: Jan 2007 Location: Perth Posts: 613	The simple solution is mod_auth. This lets you implement basic http authentication. If you want more complicated authentication that is integrated into a site, you will need to do it with PHP or whatever HTML pre-processor you use. __________________ CCCP

20th December 2007, 7:19 PM	#2
Iroquois Member Join Date: Jun 2001 Location: Brisbane Posts: 1,960	You'll want to look at something called .htaccess Found this guide which is quite well written: http://www.reallylinux.com/docs/htaccess.shtml That should at least get you going.

21st December 2007, 12:51 PM	#4
memnoch Member Join Date: Jan 2002 Location: San Francisco, California Posts: 508	+1 to mod_auth or some other mod_foo module You can use a number or back ends databases for your user accounts. ldap (windows AD), user accounts, mysql, postgresql, htaccess users, pam accounts plus a few others. http://httpd.apache.org/docs/2.0/mod/mod_auth.html http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html http://httpd.apache.org/docs/2.0/mod...th_digest.html http://httpd.apache.org/docs/2.0/mod/mod_auth_dbm.html http://httpd.apache.org/docs/2.0/mod/mod_access.html

21st December 2007, 3:21 PM	#5
stalin (Taking a Break) Join Date: Jun 2001 Location: On the move Posts: 4,584	If you have an existing directory service that has your users in, use mod_something have it authenticate to LDAP or Active Directory, it reduces confusion and massively reduces ongoing administrative costs. I would recommend AGAINST .htaccess simply because you have full access to the server. If you have access to the config files, the access controls should be done from within http.conf etc, as its more secure than in .htaccess files. .htaccess are only used in hosting environments because they dont want to give rw users access to the main apache config file.