Showing posts with label apache. Show all posts

2006/08/14

User Authentication in Apache

Say you want to restrict access to your Apache web server with a user authentication mechanism. There are several ways of doing this, but I found the following to be the simplest and easiest.

In this case, we want to give access to our web server only to those who supply the correct user name and password. First of all, we need to create the file in which the user names and passwords will be stored.

Before going into the details of how we can do that, there are a few points about this file. We should save it in a folder that is not accessible through our web folders (e.g. it should not be located in the C:\Apache\htdocs folder). A good place for it is the root directory of the Apache server (e.g. C:\Apache). Even if someone gets that file anyhow, since the passwords in that file are hashed with the MD5 algorithm (the default on Windows systems), he will not be able to get the exact user name and password combination.

With these in mind, we have to run the utility that creates the user list file. This program is named htpasswd and should be located in the bin directory under the installed Apache root (e.g. C:\Apache\bin\). Using the console, we write the following:

htpasswd -c ../users can

Here, "-c" is used the first time in order to create the user file, and "../users" gives the name of the file ("users") and its location (as a relative path it means C:\Apache\, since right now we are in C:\Apache\bin\). "can" is the name of the user we specify.

Then the console prompts for the password for that user. We verify this password in the next step. If everything goes well, you will get "Adding password for user can", indicating that the operation is finished.

In the second part, we have to tell Apache that we need basic authentication for access to the web server. To do this, we open the Apache configuration file (located in C:\Apache\conf\httpd.conf). We find the lines that include . If you have not changed it before, after a few lines of comments there should be lines similar to these:

Order allow,deny
Allow from all


Just after that, we include the following lines:

AuthName "restricted stuff"
AuthType Basic
AuthUserFile users
require user can

AuthName is the text that appears at the top of the user name and password screen in the web browser. AuthType is the method we use in this example. AuthUserFile is the file in which the user names and passwords are stored (here it is relative to the path C:\Apache\). Finally, require user lists the users to whom we want to give access to our web server.

Here are a few remarks that might help you:

  • You can give different users access to different directories by using the directory directive.
  • Notice that you can put the same directives in your .htaccess files, provided that the use of .htaccess files is allowed in your Apache configuration file (this is controlled by the AllowOverride directive).
  • If your server is not accessible from outside your computer, check your firewall settings. If you use Windows Firewall, you should give Apache the required access (this can be done by adding Apache to the programs listed in Special Cases in the Windows Firewall configuration file).

After restarting the Apache server, you should be able to see the effects of these changes when you access your web pages with your web browser. The user name and password screen should appear. After giving the correct combination, you should be able to access your web pages. If this is not the case, or there are errors, the very first thing you should look at is Apache's error log file (located in C:\Apache\logs). Reviewing it will give you the best clues about what went wrong. Please feel free to ask me questions by using the comments in this blog.
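
Added example, not part of the original post: a small Python check of the two points made above about the users file, namely that AuthUserFile resolves to a location outside the web folders and which password scheme each entry uses. The sample configuration, the sample users lines (placeholder hash strings) and all function names are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input that follows the page's C:/Apache layout.
SAMPLE_CONF = """
ServerRoot "C:/Apache"
DocumentRoot "C:/Apache/htdocs"
AuthName "restricted stuff"
AuthType Basic
AuthUserFile users
require user can
"""
# Constructed users-file lines; the hash strings are format placeholders.
SAMPLE_USERS = [
    "can:$apr1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA",
    "old:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
]

def directive(conf, name):
    """Return the first argument of a directive, unquoted, or None."""
    m = re.search(rf'^[ \t]*{name}[ \t]+"?([^"\r\n]+?)"?[ \t]*$', conf, re.M | re.I)
    return m.group(1) if m else None

def user_file_exposure(conf):
    """Resolve AuthUserFile as Apache does (a relative path is taken from
    ServerRoot) and report whether the file lies inside DocumentRoot."""
    root = PureWindowsPath(directive(conf, "ServerRoot"))
    docroot = PureWindowsPath(directive(conf, "DocumentRoot"))
    path = root / directive(conf, "AuthUserFile")  # an absolute value replaces root
    return str(path), path == docroot or docroot in path.parents

def hash_scheme(entry):
    """Name the password scheme of one 'user:hash' line of the users file."""
    user, _, hashed = entry.strip().partition(":")
    if hashed.startswith("$apr1$"):
        scheme = "apr1-md5"            # Apache's salted, iterated MD5 format
    elif hashed.startswith(("$2y$", "$2a$", "$2b$")):
        scheme = "bcrypt"
    elif hashed.startswith("{SHA}"):
        scheme = "sha1-unsalted"
    else:
        scheme = "crypt-or-plaintext"
    return user, scheme

if __name__ == "__main__":
    print(user_file_exposure(SAMPLE_CONF))
    print([hash_scheme(line) for line in SAMPLE_USERS])
```

The user name field of each line is stored as plain text; only the part after the colon is hashed.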

Disabling Directory Listing in Apache

One of the things that sometimes becomes nasty is that Apache by default lists all the files in a directory if that directory does not contain the default index page (e.g. index.html, index.htm).

To disable Apache's directory content listing feature, you should edit the Apache configuration file (httpd.conf, which is located in the "conf" directory of the Apache installation directory).

Find the line that includes "Options Indexes", which is a couple of lines after the line "", then replace it with "Options -Indexes". After saving the file, restart the Apache server.

To illustrate, the following lines:

...
#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
Options Indexes FollowSymLinks MultiViews
...


is replaced with:

...
#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
Options -Indexes FollowSymLinks MultiViews
...
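
Added example, not part of the original post: a Python check for Options lines in httpd.conf. It flags a line that still enables listings, and a line that mixes +/- prefixed keywords with bare ones, which Apache 2.4 rejects as a syntax error; on such servers either prefix every keyword or drop Indexes from a bare list. The function names and the sample lines are assumptions made for this example.

```python
# Constructed sample: the "before" and "after" lines shown above, followed by
# two forms that keep listings off without mixing the two syntaxes.
SAMPLE = """\
Options Indexes FollowSymLinks MultiViews
Options -Indexes FollowSymLinks MultiViews
Options FollowSymLinks MultiViews
Options -Indexes +FollowSymLinks +MultiViews
"""

def audit_options(line):
    """Return a list of findings for one configuration line."""
    words = line.split("#", 1)[0].split()      # ignore comments
    if not words or words[0].lower() != "options":
        return []
    opts = words[1:]
    findings = []
    prefixed = [o for o in opts if o[0] in "+-"]
    if prefixed and len(prefixed) != len(opts):
        findings.append("mixed-syntax")        # some keywords prefixed, some bare
    enabled = {o.lstrip("+").lower() for o in opts if not o.startswith("-")}
    if enabled & {"indexes", "all"}:           # "All" includes Indexes
        findings.append("listing-enabled")
    return findings

def audit_config(text):
    """Map 1-based line numbers to findings for every flagged line."""
    return {n: f for n, line in enumerate(text.splitlines(), 1)
            if (f := audit_options(line))}

if __name__ == "__main__":
    for lineno, found in audit_config(SAMPLE).items():
        print(lineno, found)
```

A line made up only of prefixed keywords is merged with the options inherited from enclosing sections, so a clean result for a single line does not show what the effective setting is.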

Changing Directory Index in Apache

When any directory is requested from the Apache web server, the web server checks whether the directory has an index.html file. If it does not, it will show all the files that are in that directory. If someone wants to change the default index file or add more files, he should modify the Apache httpd.conf configuration file.

The httpd.conf file is located under the "conf" directory of the Apache installation directory (for instance C:\Apache\conf). After opening it with Notepad or another text editor, find the tag named "directory". By default, it has only one file named "index.html". By separating them with spaces, you can add other files such as index.php, default.php, index.htm.

An example of the same line is as follows:

DirectoryIndex index.html index.php