Apache, Basic authentication

From Ubuntuwiki.net


Overview

Traditionally, Apache has used Basic authentication as a way to implement simple password protection on locations and directories. This is fine as far as it goes, but while the passwords in the .htpasswd file on the server are stored as hashes, every request from an authenticated user carries the username and password themselves, merely base64-encoded, in the Authorization header; anyone who can read the traffic can recover them. Basic authentication should therefore only be offered over HTTPS. Apache also supports Digest authentication (mod_auth_digest), which is configured almost identically but sends an MD5 hash of the credentials combined with a server-chosen nonce instead of the password itself. The username still travels in the clear and MD5 is weak, so Digest is no substitute for TLS either.
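To make the cleartext point concrete, here is an added shell example (not from the original page) that builds the Authorization header a client sends for Basic authentication and recovers the credential from a captured request. The request text, the username "username" and the password "s3cret" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: what Basic authentication puts on
# the wire. The client base64-encodes "user:password" into the Authorization
# header; base64 is an encoding, not encryption, so anyone who can read the
# request reverses it. Names and the captured request are constructed.

# basic_header USER PASSWORD
# Prints the header a browser or "curl -u USER:PASSWORD" would send.
basic_header() {
    token=$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')
    printf 'Authorization: Basic %s\n' "$token"
}

# basic_decode  (reads an HTTP request on stdin)
# Prints the "user:password" recovered from the first Authorization: Basic
# header. Header names are case-insensitive and lines may end in CRLF.
basic_decode() {
    tr -d '\r' \
        | grep -i '^authorization:[[:space:]]*basic[[:space:]]' \
        | head -n 1 \
        | awk '{ print $3 }' \
        | base64 -d
    echo
}

# A constructed request, as a sniffer on the path might capture it.
CAPTURED_REQUEST='GET /private/ HTTP/1.1
Host: sitename.tld
Authorization: Basic dXNlcm5hbWU6czNjcmV0
User-Agent: curl/7.58.0'

printf '%s\n' "$CAPTURED_REQUEST" | basic_decode    # prints: username:s3cret
```

The same decode works on whatever a proxy log, a packet capture or a misconfigured access log has recorded; over plain HTTP there is nothing more to it than that, which is why the directives below should only be served on an HTTPS virtual host.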

Before you can use Basic authentication, you'll need to make sure the mod_auth_basic module is loaded in your Apache server. (It will be by default, as of Ubuntu 8.04 LTS, in which case you can skip to Directives below.) If it's not already enabled, run sudo a2enmod auth_basic, which creates the symlink from /etc/apache2/mods-available/auth_basic.load into /etc/apache2/mods-enabled (you can also make the symlink by hand, as shown below), and then restart the server or force it to reload its configuration files. The password-file provider used in the examples below lives in mod_authn_file (authn_file.load), which Ubuntu also enables by default.

me@box:~$ sudo ln -s /etc/apache2/mods-available/auth_basic.load /etc/apache2/mods-enabled/
me@box:~$ sudo /etc/init.d/apache2 force-reload
 * Reloading web server config apache2                                   [ OK ] 
me@box:~$

This should go off without a hitch, but you should always check that your sites actually still load after you make Apache configuration changes. The [ OK ] from the init.d script only means the process is running; it does not always mean Apache is actually serving what you expect. Running sudo apache2ctl configtest before the reload catches syntax errors, and browsing the site afterwards catches everything else. Once you've checked your sites, you can continue on.

Directives

Once you've made sure your installation of Apache allows Basic authentication, you'll need to configure it for a Directory or a Location. This can be done in a .htaccess file in the directory to be protected (if AllowOverride AuthConfig is set for that directory), or in the Apache configs themselves.

<Location />
       AuthName "Private"

       AuthType Basic
       AuthBasicProvider file
       AuthUserFile /data/www/sitename.tld/.htpasswd

       Require valid-user
</Location>

In this example, an entire website is protected with Basic authentication, using the plain-text password file that the htpasswd command produces (AuthBasicProvider file). If you keep users in a DBM database created with htdbm instead, use AuthBasicProvider dbm with AuthDBMUserFile, which requires mod_authn_dbm. The AuthName is the realm the browser shows in its login prompt and nothing more: unlike Digest authentication, where the realm is mixed into the stored hash (so an .htdigest file is tied to one AuthName, and AuthDigestDomain groups the URIs it covers), Basic stores a hash of the password alone, so the same .htpasswd file can be shared by any number of protected locations or virtual hosts.


Creating .htpasswd Files

The other side of Basic authentication is creating the password file; for that you will use the htpasswd command. In this example, we'll create the .htpasswd file named in the Basic directives shown above:

me@box:~$ htpasswd -c /data/www/sitename.tld/.htpasswd 'username'
New password:
Re-type new password:
me@box:~$ cat /data/www/sitename.tld/.htpasswd
username:uP5ktJUIy1qD.

Note that we used single quotes to encapsulate the username in the htpasswd command. That's not strictly necessary, but it's good practice; it allows you to create usernames with spaces in them if desired. Two other things to watch: the -c flag creates the file and overwrites one that already exists, so leave it off when adding further users to an existing file; and the 13-character hash above is a traditional crypt() hash, which only uses the first eight characters of the password, so on Apache 2.4.4 or later prefer htpasswd -B (bcrypt), and on older versions htpasswd -m (MD5). Keep the file outside your DocumentRoot, readable by the web server's user and nobody else.
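As an added example (not from the original page), the following shell functions create and verify entries in an .htpasswd file without the htpasswd binary, which is useful for checking a file offline or on a host without the Apache tools. htpasswd -m writes Apache's MD5 format, $apr1$salt$hash, and openssl passwd -apr1 produces the same format, so it stands in for htpasswd here. The user names, passwords and temporary file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: create and verify .htpasswd
# entries without the htpasswd binary. "htpasswd -m" stores Apache MD5
# hashes of the form $apr1$<salt>$<hash>; "openssl passwd -apr1" produces
# the same format, so it stands in for htpasswd here. Users, passwords and
# the temporary file are constructed for the demonstration.

# htpasswd_add FILE USER PASSWORD
# Add USER with a fresh random salt, replacing any existing entry. Unlike
# "htpasswd -c", this never truncates the file, so other users survive.
htpasswd_add() {
    file=$1; user=$2; pass=$3
    salt=$(openssl rand -hex 4)             # 8 chars, the apr1 maximum
    # -stdin keeps the password out of the process list (ps) while hashing
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    touch "$file"
    awk -F: -v u="$user" '$1 != u' "$file" > "$file.tmp"
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"                       # readable by the web server group only
}

# htpasswd_check FILE USER PASSWORD
# Exit 0 if PASSWORD matches the stored apr1 hash for USER, 1 otherwise.
# The realm (AuthName) plays no part: a Basic auth file is not tied to one
# realm the way a Digest .htdigest file is.
htpasswd_check() {
    file=$1; user=$2; pass=$3
    stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
    [ -n "$stored" ] || return 1                  # unknown user
    case $stored in
        '$apr1$'*)
            salt=$(printf '%s' "$stored" | cut -d '$' -f 3)
            [ "$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
            ;;
        *)  return 1 ;;   # crypt, SHA1 and bcrypt entries are not handled here
    esac
}

demo=$(mktemp)
htpasswd_add "$demo" alice 's3cret'
htpasswd_add "$demo" bob 'hunter2'
cat "$demo"
if htpasswd_check "$demo" alice 's3cret'; then echo "alice: ok"; fi
if ! htpasswd_check "$demo" alice 'wrong'; then echo "alice/wrong: rejected"; fi
rm -f "$demo"
```

The salt is read back out of the stored entry so that the hash can be recomputed for comparison, which is exactly what mod_authn_file does on each request; a file built this way is accepted by the AuthUserFile directive above without changes.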

Now that you've got your .htpasswd file created and your Basic auth directives written, you'll need to reload Apache to put the directives in place (unless you used a .htaccess file to implement them instead of the Apache conf files, in which case they take effect immediately). The password file itself is read on every request, so adding or changing users later never requires a reload.

me@box:~$ sudo /etc/init.d/apache2 force-reload
 * Reloading web server config apache2                                   [ OK ] 
me@box:~$

It looks like everything restarted just fine... but as always when changing Apache configs, be sure to actually browse your sites and check for certain.
