Friday, November 6, 2009

make your web page password protected

simple and fast: inside the dir you wish to protect
make 2 files :

like the following :

AuthType Basic
AuthName "the name you want to see in the small pass popup window"
AuthUserFile /dir_to_file/.htpasswd
require valid-user

.htaccess (or whatever you called it inside the first one)
name:MD5 pass (see below)

to generate the .htaccess file entries:

from a shell type the following:

>htpasswd -m -b -n alex pass4alex

then copy into the file (each entry a single line)

NOTE on security:
you need to prevent users from reading your .ht* files. the easiest way to hinder this is to put the .htpasswd file someplace that's not web-accessible (such as your home dir, out of ~/public_html).

the next step, as an admin of a server, is to prevent apache from serving these pages from the web. there is no (i repeat NO) reason that a web client should ever need to see these pages, they are for server side configuration only.

so, we can easily accomplish this using the <Files> directive, and a niftylittle regular expression:

<Files ~ "^\.ht"> Order allow,deny Deny from all </Files>

this particular example (taken from apache's httpd.conf, now thankfully included in default distributions to keep lame admins from unknowingly putting themselves at risk) prevents the server from serving any files that begin with .ht. thus, .htaccess and .htpasswd are both protected.

the final step from here is to ensure that the files are protected on the server – meaning file permissions. the ideal situation is to have suEXEC for apache running, and to have the files accessible only by the httpd (but still owned by you). that way, you can chmod the files when you need to edit them, but cgi exploits will not allow users to read the files.

No comments:

Post a Comment