29.13. Password Protecting a Directory

The HTTP protocol has a standard method of indicating that a directory or site requires a username and password to be supplied before it can be accessed. Apache can be configured to force users to log in before being able to view some or all of the pages on your system. Logins are typically checked against a separate password file, instead of the UNIX user list.

Password protection can be useful for securing a directory that only some people should be allowed to access, or for setting up a website that uses CGI programs to display different content to different users. To protect a directory, follow these steps:

1. On the module's main page, click on the icon for the virtual server under which you want password protection to be enabled.

2. Click on the icon for the directory, URL location, or filename that you want to protect. If one does not exist yet, follow the steps in Section 29.6 “Setting Per-Directory Options” earlier in this chapter to create it.

3. Click on the Access Control icon, which will bring you to the page shown in Figure 29.8.

Figure 29.8. The access control form.


4. In the Authentication realm name field, deselect Default and enter a description for the protected directory, such as Private files. This will be displayed to the user in the browser when he tries to log in.

5. Change the Authentication type to Basic. The Digest type is more secure, but is not supported by a lot of browsers.

6. Change the Restrict access by login field to All valid users. This tells Apache that any of the users in the password file set in Step 7 will be allowed to log in.

You can restrict access to only a subset of users by selecting the Only these users option and entering the names of users to allow into the text field next to it. You can also select Only these groups and enter the names of groups whose members you want to allow into its field. These options can be useful if the same authentication files are entered on this page for several directories.

7. In the Text file authentication box, enter the full path to the file that you want to use to store usernames and passwords into the text field next to User text file. This authentication file must contain one line per user, each in the username:encrypted-password format. Standard UNIX encryption is used for the passwords, just like in the /etc/shadow file.

The file doesn't necessarily have to exist yet, as it will be created when you follow the instructions in later steps to add users. It should not be under your web server's document root directories though, as this might allow an attacker to download it, crack the passwords, and log in to your website.

8. If you want to categorize users into groups for further restriction, as explained in Step 6, enter the full path to a group file into the Group text file field. This file must contain one line per group, in the format groupname: username1 username2 and so on.

The file does not have to already exist because it will be created when you add groups in later steps. If you just want to set up simple username and password authentication, then this step is unnecessary.

9. Click the Save button at the bottom of the page, and you will be returned to the directory options page.

10. If the user and group files already exist or if you are planning to edit them manually, you can skip to Step 21. Otherwise, click on the Access Control icon again to redisplay the form.

11. Click on the Edit users link next to the User text file field. This will bring up a page listing all web server users currently listed in the file, if any.

12. To create a new user, click on the Add a new user link above or below the list.

13. On the user creation form, enter a login name into the Username field.

14. In the Password field, select the Plain text option and enter the user's password into the field next to it.

15. Click the Save button to have the user added and the list of users redisplayed.

You can edit an existing user by clicking on its name in the list, changing its details, and hitting the Save button. To remove a user, click the Delete button on the user editing form instead.

16. When you are done creating users, use the Return to access control link to go back to the access control form.

17. If you are using a group file as well, click on the Edit groups link next to the Group text file field to bring up a list of existing groups and their members.

18. To create a new group, click on the Add a new group link and fill in the Group name and Members fields on the creation form that appears, then click Save. Members must be entered as a space-separated list of usernames.

19. Existing groups can be edited and deleted by clicking on their names in the list, just as users can.

20. When you are done creating groups, follow the Return to access control link to go back to the access control form.

21. Finally, click on the Apply Changes link on any page to activate password protection for the directory. You can test it out by trying to visit the protected page and logging in as one of the users that you created.

22. You can add and edit users and groups in the future by editing the text files directly, or by following the relevant steps in this list. There is no need to use the Apply Changes link after changing the user or group lists, though, as Apache rereads the files on every request.
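The following Python script is an added example, not code from the book or from Webmin. It shows what Apache does with the files set up in Steps 4 through 8: it parses the username:encrypted-password user file and the groupname: member-list group file, checks a supplied password, applies the All valid users, Only these users, or Only these groups choice from Step 6 (the Require valid-user, Require user, and Require group directives Apache uses for them), and tests the Step 7 caveat that the password file must not lie under the document root. The file contents and paths are constructed for the example. It uses the {SHA} password scheme that htpasswd -s produces instead of the UNIX crypt encryption the text describes, because that scheme can be computed with the standard library alone; the function names are this example's own.

```python
"""Added example: text-file Basic authentication as Apache evaluates it.

Assumptions: sample files are constructed inline; passwords use the
'{SHA}' htpasswd scheme (htpasswd -s) rather than crypt(3).
"""
import base64
import hashlib
import hmac
from pathlib import PurePosixPath


def sha_password(password: str) -> str:
    """Encode a password in the '{SHA}' htpasswd scheme."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample "User text file": one username:encrypted-password per line.
USER_FILE = "\n".join([
    "alice:" + sha_password("correct horse"),
    "bob:" + sha_password("battery staple"),
    "# comments and blank lines are skipped by the parser below",
    "",
]) + "\n"

# Constructed sample "Group text file": groupname: member1 member2 ...
GROUP_FILE = """\
staff: alice bob
admins: alice
"""


def parse_user_file(text: str) -> dict:
    """Map username -> stored password string (the whole file is read each time)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        users[name] = stored
    return users


def parse_group_file(text: str) -> dict:
    """Map groupname -> set of member usernames."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def verify_password(stored: str, password: str) -> bool:
    """Constant-time comparison; only the {SHA} scheme is handled here."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_password(password))


def authorize(user: str, requirement: str, users: dict, groups: dict) -> bool:
    """Evaluate a Require-style rule: 'valid-user', 'user a b', or 'group g h'."""
    if user not in users:
        return False  # every form of the rule needs a listed user
    kind, *names = requirement.split()
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in names
    if kind == "group":
        return any(user in groups.get(g, set()) for g in names)
    return False


def authenticate(user, password, requirement, users, groups) -> bool:
    """Basic auth as Apache applies it: credentials first, then the Require rule."""
    stored = users.get(user)
    if stored is None or not verify_password(stored, password):
        return False
    return authorize(user, requirement, users, groups)


def auth_file_outside_docroot(auth_file: str, document_root: str) -> bool:
    """Step 7's caveat: a password file under the document root could be served."""
    root = PurePosixPath(document_root).parts
    return PurePosixPath(auth_file).parts[:len(root)] != root


def render_config(realm: str, user_file: str, group_file: str, requirement: str) -> str:
    """The Apache directives the Webmin form fields correspond to."""
    lines = ["AuthType Basic", f'AuthName "{realm}"', f"AuthUserFile {user_file}"]
    if group_file:
        lines.append(f"AuthGroupFile {group_file}")
    lines.append(f"Require {requirement}")
    return "\n".join(lines)


if __name__ == "__main__":
    users, groups = parse_user_file(USER_FILE), parse_group_file(GROUP_FILE)
    print(authenticate("bob", "battery staple", "group staff", users, groups))
    print(auth_file_outside_docroot("/var/www/html/.htpasswd", "/var/www/html"))
    print(render_config("Private files", "/etc/apache2/private.users", None, "valid-user"))
```

The parsers make the cost the text goes on to discuss visible: the whole user file is read and split before a single name can be looked up, and Apache repeats that on every request.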

The instructions in the preceding list explain how to create text files for storing users and groups, but if your website is going to have a very large number of users, text files are not the best way to store them. Because Apache rereads the user file on every request, the larger it gets, the longer it will take for the web server to look up a user and generate a response. When editing or deleting a user, the entire file must be read in and written out again by the program that is changing it, which can take some time if the file is large. This increases the chance of file corruption if more than one process attempts to manipulate the same user file at the same time.

The solution is to use DBM files for storing users and groups instead. These are binary-format database files that are indexed by a key (such as the username), and can be safely edited in place. Their only downside is that they cannot be viewed or changed by UNIX programs that deal with plain text, like cat and vi.

The process of setting up authentication from DBM files is almost identical to the steps in the preceding list. The only difference is that the user and group filenames must be entered into the User DBM file and Group DBM file fields in the DBM file authentication box. The User text file and Group text file fields must be left set to Default. Unfortunately, Webmin does not allow you to edit users or groups in DBM files like you can with text files. Instead, you will need to write a Perl script or use a program like makemap to create them at the command line.
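As an added example, not from the book and a stand-in for the Perl script or makemap program the text mentions, the Python script below maintains an Apache DBM user file with the standard dbm module, adding, checking, and deleting one user at a time without rewriting the rest of the file. It assumes the DBM user-file layout Apache's DBM authentication module reads, in which the key is the username and the value is the encrypted password, optionally followed by a colon and extra data, and it assumes that the DBM library Python selects is the one Apache was built with (the AuthDBMType directive names the library on the Apache side); a file written with a different library will not open there. Passwords use the {SHA} scheme of htpasswd -s rather than UNIX crypt, and the file path and user names are constructed for the example.

```python
"""Added example: in-place maintenance of an Apache DBM user file.

Assumptions: key = username, value = encrypted password[:extra data];
the dbm library must match Apache's AuthDBMType; {SHA} scheme for passwords.
"""
import base64
import dbm
import hashlib
import hmac
import os
import tempfile


def sha_password(password: str) -> str:
    """Encode a password in the '{SHA}' htpasswd scheme."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def set_user(path: str, username: str, password: str) -> None:
    """Add or replace one user; only that key is touched, the file is not rewritten."""
    with dbm.open(path, "c") as db:
        db[username.encode()] = sha_password(password).encode()


def delete_user(path: str, username: str) -> bool:
    """Remove one user in place; returns False if the user was not present."""
    with dbm.open(path, "w") as db:
        key = username.encode()
        if key not in db:
            return False
        del db[key]
        return True


def check_user(path: str, username: str, password: str) -> bool:
    """Keyed lookup of a single user, then constant-time password comparison."""
    with dbm.open(path, "r") as db:
        stored = db.get(username.encode())
    if stored is None:
        return False
    stored = stored.decode().split(":", 1)[0]  # drop the optional extra data
    return hmac.compare_digest(stored, sha_password(password))


def list_users(path: str) -> list:
    """Sorted usernames; the only operation here that walks the whole file."""
    with dbm.open(path, "r") as db:
        return sorted(k.decode() for k in db.keys())


def demo() -> dict:
    """Build a DBM user file in a temporary directory and exercise each operation."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "private.users")  # constructed path
        set_user(path, "alice", "correct horse")
        set_user(path, "bob", "battery staple")
        return {
            "alice_ok": check_user(path, "alice", "correct horse"),
            "alice_bad": check_user(path, "alice", "nope"),
            "unknown": check_user(path, "carol", "x"),
            "users": list_users(path),
            "deleted_bob": delete_user(path, "bob"),
            "deleted_again": delete_user(path, "bob"),
            "after": list_users(path),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Because every change goes through the database library's own record locking rather than a read-modify-write of the whole file, two administrators editing the same user file are far less likely to corrupt it than with the text format.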

Apache user and password files are totally separate from the system's UNIX user list. This module, however, can be configured to add, update, or remove a user in a password file when a user with the same name is created, edited, or deleted in the Users and Groups module. This is done using that module's synchronization feature, covered in more detail in Chapter 4.

Synchronization can be useful if you want to grant access to a specific web directory to some of the UNIX users on your system and want their usernames and passwords to remain in sync if they are ever changed. To set up synchronization between an Apache text authentication file and UNIX users managed by the Users and Groups module, follow these steps:

1. On the module's main page, click on the icon for the virtual server under which the protected directory can be found, and then on the icon for the directory.

2. Click on the Access Control icon, then on the Edit users link next to the User text file field.

3. Below the list of users is a form for setting up synchronization for this users file. The checkboxes labeled Add a user when a UNIX user is added, Change the user when a UNIX user is changed, and Delete the user when a UNIX user is deleted are fairly self-explanatory. You would typically select all three, or maybe just the last two if you want to manually add new users to this file.

4. After selecting the options that you want, click the Save button. Any changes made in the Users and Groups module from now on will cause this user list to be updated as well.

Each Apache users text file has its own separate synchronization options. Because they are associated with the name of the file, the options will be reset to their defaults if it is renamed. Only changes made in Webmin's Users and Groups or Change Passwords modules will be synchronized with the Apache users file. If a user changes his password with the command-line passwd program, his web password will not be changed to match.

If you want to turn off authentication for a directory so that any browser can access it, there is no need to delete the entire Directory Configuration icon. Instead, you can just follow these steps:

1. On the module's main page, click on the icon for the virtual server under which the protected directory can be found, and then on the icon for the directory.

2. Click on the Access Control icon to go to the page shown in Figure 29.8.

3. Change the Authentication realm name, Authentication type, Restrict access by login, User text file, and Group text file fields all back to Default. If you are using DBM files instead of text, change the User DBM file and Group DBM file fields to Default as well.

4. Click the Save button and then the Apply Changes link back on the directory options page.
