User-based access control consists of two procedures, authentication and authorization:
Authentication is the process of identifying a user.
Authorization is the process of allowing specific users to access specific areas of information.
Apache provides two authentication methods, Basic and Digest:
Basic authentication is a basic feature of Apache; the credentials are sent as Base64-encoded plaintext.
Digest authentication must be enabled when httpd is compiled, with "--enable-auth-digest"; some browsers do not support it.
A user goes through two stages when accessing a page protected by user-based authentication:
Challenge:
WWW-Authenticate: the server rejects the client request with a 401 status, indicating that the user must provide a user name and password; the browser pops up a dialog.
Authentication:
Authorization: the user fills in the account and password and the request is sent to the server again; if authentication passes, the request proceeds to authorization.
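The two stages above, as an added example that is not part of the original article: a small simulation of the 401 challenge and the retried request, which also shows that the Authorization header is only Base64-encoded and decodes straight back to the user name and password. The account and its password are constructed sample values, and the function names are hypothetical.

```python
import base64
import hmac
import re

REALM = "Please input user and password to login"   # AuthName used on this page
ACCOUNTS = {"sina": "constructed-password"}          # constructed sample account

def parse_challenge(value):
    """Stage 1: split a WWW-Authenticate value into (scheme, realm)."""
    scheme, _, params = value.partition(" ")
    match = re.search(r'realm="([^"]*)"', params, re.IGNORECASE)
    return scheme, match.group(1) if match else None

def build_authorization(user, password):
    """Stage 2: the client sends user:password Base64-encoded, not encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def decode_authorization(value):
    """What the server, or anyone who sees the header, recovers from it."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' between user and password")
    return user, password

def server(headers, accounts=ACCOUNTS):
    """Return (status, response headers) for one request."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    try:
        user, password = decode_authorization(headers["Authorization"])
    except (KeyError, ValueError):       # no credentials, or malformed ones
        return 401, challenge
    expected = accounts.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return 401, challenge

def exchange(user, password):
    """Run both stages and return what each side saw."""
    first_status, first_headers = server({})
    scheme, realm = parse_challenge(first_headers["WWW-Authenticate"])
    retry = {"Authorization": build_authorization(user, password)}
    return first_status, scheme, realm, server(retry)[0]

if __name__ == "__main__":
    print(exchange("sina", "constructed-password"))
```

Because the header decodes without any key, Basic authentication protects the password in transit only when the connection itself is encrypted with TLS.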
Second, configuration based on Basic authentication
1. Create a directory that requires authentication
    # mkdir /vhost/www/html/net
    # echo "
2. Create a virtual user
2.1. Create virtual users and files
The htpasswd command is needed to create the virtual accounts; it maintains the user authentication file. Its parameters are as follows:
    htpasswd [ -c ] [ -m ] [ -s ] [ -D ] passwdfile username
    -c: create the file; use it when adding the first user
    -m: store the user password encrypted in MD5 format
    -s: store the user password encrypted in SHA format
    -D: delete the specified user
    # mkdir /etc/httpd/users
    # htpasswd -m -c /etc/httpd/users/.htpasswd sina     # -c is needed the first time, to create the file
    New password:                                        # enter the password used for authentication
    Re-type new password:
    Adding password for user sina
    # htpasswd -m /etc/httpd/users/.htpasswd baidu       # create a second virtual user
    New password:
    Re-type new password:
    Adding password for user baidu
    # htpasswd -m /etc/httpd/users/.htpasswd ifeng
    New password:
    Re-type new password:
    Adding password for user ifeng
    #
2.2. To protect the accounts and passwords of the authentication users, the permissions on the password file are usually tightened
    # ls -l /etc/httpd/users/.htpasswd
    -rw-r--r--. 1 root root 131 Mar 04:58 /etc/httpd/users/.htpasswd
    # chmod 600 /etc/httpd/users/.htpasswd
    # ls -l /etc/httpd/users/.htpasswd
    -rw-------. 1 root root 131 Mar 04:58 /etc/httpd/users/.htpasswd
    #
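An added example, not from the original article, that audits a password file like the one built in 2.1 and 2.2: it reports the file mode before and after chmod 600 and the storage format of each entry, and it builds -s style entries to show that they are unsalted, so two users with the same password get the same hash field. The file contents and passwords are constructed, the $apr1$ line is a placeholder rather than a real hash, and the function names are hypothetical.

```python
import base64
import hashlib
import os
import stat
import tempfile

def sha_entry(user, password):
    """Line in the format `htpasswd -s` stores: unsalted SHA-1, Base64-encoded."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def scheme_of(hash_field):
    """Identify the storage format from the prefix of the hash field."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"          # written by htpasswd -m
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted"     # written by htpasswd -s
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    return "crypt-or-plaintext"

def audit(path):
    """Return (mode, open_to_group_or_other, {user: scheme}) for a password file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    schemes = {}
    with open(path, encoding="utf-8") as handle:
        for line in handle:
            user, sep, hash_field = line.strip().partition(":")
            if sep and not user.startswith("#"):
                schemes[user] = scheme_of(hash_field)
    return mode, bool(mode & 0o077), schemes

def demo():
    """Audit a constructed file before and after the chmod 600 from step 2.2."""
    lines = [
        "sina:$apr1$constrct$NotARealHashJustAPlaceholder",   # constructed, -m style
        sha_entry("baidu", "constructed-password"),            # -s style
        sha_entry("ifeng", "constructed-password"),            # same password as baidu
    ]
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, ".htpasswd")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write("\n".join(lines) + "\n")
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        return before, audit(path)

if __name__ == "__main__":
    print(demo())
```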
3. Modify /etc/httpd/conf/httpd.conf
    <Directory "/vhost/www/html/net">
        Options None
        AllowOverride None
        # Use Basic authentication
        AuthType Basic
        # Prompt shown in the login dialog
        AuthName "Please input user and password to login"
        # File holding the authentication users and passwords
        AuthUserFile /etc/httpd/users/.htpasswd
        # Only these users from the .htpasswd file may log in
        Require user sina ifeng baidu
    </Directory>
AuthName: defines the protected realm name, which is displayed in the authentication login dialog box that pops up.
AuthType: sets the type of authentication; Basic is basic authentication.
AuthUserFile: sets the path of the authentication file that stores the user accounts and passwords.
Require valid-user: authorizes all valid users in the authentication file.
Require user user1 user2 ...: allows only the listed users (user1, user2, ...) defined in the AuthUserFile to log in; user names are separated by spaces.
AuthGroupFile: the user group file.
Require group grp1 grp2 ...
After the modification is complete, reload the configuration file:
    # service httpd reload
Third, verifying user-based access control
1. When we access the net directory that we want to protect, we are prompted for a user name and password and can only access it once authentication completes.
2. Enter the authentication username and password, then click OK
OK, the user-based authentication configuration of httpd is now complete.
Fourth, user group-based access control
When a site has several directories that require authentication and each directory must authenticate a different group of users, user group-based access control is needed.
4.1. Create the authentication-protected directories and the file that stores the users, as in 2.2 above
    # mkdir /vhost/www/html/{news,blog}
    # ls /vhost/www/html/
    al  blog  in.html  net  news
    # echo "
4.2. Create a user group file
Group file format:
Each line defines one group, in the format:
    grp_name: user1 user2 ...
    # vim /etc/httpd/users/.htgroup
    # cat /etc/httpd/users/.htgroup
    news: ifeng 126 sina
    blog:51cto sina.blog
    #
4.3. Edit /etc/httpd/conf/httpd.conf
    # news
    <Directory "/vhost/www/html/news">
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "Please input user and password"
        AuthUserFile /etc/httpd/users/.htpasswd
        AuthGroupFile /etc/httpd/users/.htgroup
        Require group news
    </Directory>
    # blog
    <Directory "/vhost/www/html/blog">
        Options None
        AllowOverride None
        AuthType Basic
        AuthName "Please input blog's user and password"
        AuthUserFile /etc/httpd/users/.htpasswd
        AuthGroupFile /etc/httpd/users/.htgroup
        Require group blog
    </Directory>
4.4. Reload the configuration file
    # service httpd reload
    Reloading httpd:
    #
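An added example, not from the original article, that works out from the group file, the password file and the Require lines above which users can reach each protected directory, and lists group members that have no password entry. The group lines are the ones shown in 4.2; the password entries are constructed placeholders, with 126 and 51cto assumed to have been added with htpasswd like the three users in 2.1, and the function names are hypothetical.

```python
# Constructed sample data. The group lines are those shown in 4.2; the password
# hashes are placeholders, and 126 and 51cto are assumed to have been added
# with htpasswd in the same way as the three users in 2.1.
HTGROUP = "news: ifeng 126 sina\nblog:51cto sina.blog\n"
HTPASSWD = "".join(f"{name}:$apr1$placeholder\n"
                   for name in ("sina", "baidu", "ifeng", "126", "51cto"))
REQUIRE = {
    "/vhost/www/html/net": "Require user sina ifeng baidu",
    "/vhost/www/html/news": "Require group news",
    "/vhost/www/html/blog": "Require group blog",
}

def parse_groups(text):
    """Parse group-file text: each line is 'grp_name: user1 user2 ...'."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.strip().partition(":")
        if sep and not name.startswith("#"):
            groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def passwd_users(text):
    """User names that have an entry in the password file."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if ":" in line and not line.startswith("#")}

def allowed(require, groups, users):
    """Users that can both authenticate and satisfy one Require line."""
    _, kind, *names = require.split()
    kind = kind.lower()
    if kind == "valid-user":
        return set(users)
    if kind == "user":
        return set(names) & users
    if kind == "group":
        return set().union(*(groups.get(g, set()) for g in names)) & users
    raise ValueError(f"unsupported Require type: {kind}")

def unknown_members(groups, users):
    """Group members without a password entry; they can never log in."""
    return {g: sorted(m - users) for g, m in groups.items() if m - users}

def report():
    groups, users = parse_groups(HTGROUP), passwd_users(HTPASSWD)
    return {path: sorted(allowed(line, groups, users))
            for path, line in REQUIRE.items()}

if __name__ == "__main__":
    print(report())
    print(unknown_members(parse_groups(HTGROUP), passwd_users(HTPASSWD)))
```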
4.5. Accessing the http://192.168.65.80/news/ directory, we find that a user name and password are required; a user listed in the news group of the .htgroup file is authenticated, while users outside this group cannot log in
4.6. We visit the http://192.168.65.80/blog/ directory:
When we enter user 126, who is not in the blog group, we are repeatedly prompted for the user name and password and cannot pass verification
When we enter user 51cto, who belongs to the blog group, the following page appears, that is, authentication ...
OK, that is the basic usage of user-based access control; if there are shortcomings, please point them out ...
This article is from the "impermanence" blog, please be sure to keep this source http://1inux.blog.51cto.com/10037358/1640556
HTTPD configuration of user-based access control