User authentication for Apache

Source: Internet
Author: User

1. How to restrict user access:

1. Restricting by the client host that accesses the service

2. Requiring a user name and password

2. Setting up user authentication takes two steps:

1. Create a file that contains the user names and passwords

2. Configure which resources on the server need to be protected and which users can access them

3. Create a user database

Many user names and passwords need to be stored in one file. For security reasons, this file must not be placed in the document directory. In this example, the file is created in the /usr/local/etc/httpd directory and named users.

This file contains the user names and passwords, separated by a colon, one user per line. You cannot type the user name and password into this file directly, because the password is stored in encrypted (hashed) form. The htpasswd program is used to create the file and to add or modify users.

Use htpasswd to create the file (/usr/local/etc/httpd/users) and add a user with the name 'snow' and the password 'snow':

htpasswd -c /usr/local/etc/httpd/users snow

The -c parameter tells htpasswd to create a new users file. When you run the command, you are prompted to enter the user's password and to confirm it. You can add other users to the file, but you must leave out the -c parameter when you do, because -c overwrites an existing file. The same command can also be used to change a password. After you add the user, the /usr/local/etc/httpd/users file looks like this:

snow:$apr1$vmvjwi7o$dizjyiuihkd8psmb/8/ge0

The first column is the user name, and the second column is the password after encryption.
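The following is an added example, not part of the original article: a small audit of the two points made above, that the password file must sit outside the document directory and that each line is user:hash. The sample entries other than the page's own line are constructed, and the function names are hypothetical.

```python
import os

# Prefixes htpasswd writes for each scheme; crypt() and plaintext carry no prefix.
SCHEMES = [("$2y$", "bcrypt"), ("$apr1$", "apr1-md5"), ("{SHA}", "sha1-unsalted")]
WEAK = {"sha1-unsalted", "crypt", "unrecognised"}

# Constructed sample: the first line is the page's entry, the others are made up.
SAMPLE = """\
snow:$apr1$vmvjwi7o$dizjyiuihkd8psmb/8/ge0
legacy:{SHA}CONSTRUCTED-PLACEHOLDER=
# comment lines and blank lines are skipped
admin:$2y$05$CONSTRUCTEDPLACEHOLDERVALUE
"""

def parse_htpasswd(text):
    """Return {user: scheme} for every 'user:hash' line; reject malformed lines."""
    users = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user or not digest:
            raise ValueError(f"line {n}: expected 'user:hash'")
        scheme = next((name for p, name in SCHEMES if digest.startswith(p)), None)
        if scheme is None:
            # 13 characters without a prefix is traditional crypt(); anything
            # else may be plaintext or a scheme this sketch does not know.
            scheme = "crypt" if len(digest) == 13 else "unrecognised"
        users[user] = scheme
    return users

def inside_docroot(user_file, docroot):
    """True if the password file lies under the document directory."""
    f, d = os.path.realpath(user_file), os.path.realpath(docroot)
    return os.path.commonpath([f, d]) == d

def audit(text, user_file, docroot):
    """List findings for file placement and for weak or unknown hash schemes."""
    findings = []
    if inside_docroot(user_file, docroot):
        findings.append(f"{user_file} is inside document root {docroot}")
    for user, scheme in parse_htpasswd(text).items():
        if scheme in WEAK:
            findings.append(f"{user}: weak or unrecognised hash scheme ({scheme})")
    return findings
```
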

4. Configure the Service

For the server to use the user names and passwords in this file, you need to configure a realm. To restrict access to a directory with a .htaccess file, first modify the Apache configuration file so that .htaccess files in that directory are allowed to restrict access. This is controlled by the AuthConfig value of the AllowOverride directive. To restrict access to the /var/www directory, modify the Apache configuration file as follows:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride AuthConfig
        Require all granted
</Directory>

Then create a .htaccess file in the /var/www directory with the following contents:

AuthName "Restricted Stuff"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
Require valid-user

The first directive, AuthName, sets a realm name for this resource. Once the user has entered a valid user name and password, the same user can access other resources with the same realm name. This is mainly useful when you create two areas and want the same user to be able to access both.

The second directive, AuthType, tells the server which protocol to use for authentication; for now, only Basic is available. There is also Digest, which has been standardized, so it can be used as long as the browser implements it. Digest authentication is more secure than Basic authentication: Basic sends the password in an easily decoded form with every request, so it should only be used over HTTPS.

The third directive, AuthUserFile, tells the server where the file created by htpasswd is located.

The fourth directive, Require, tells the server which users in the file can access the resource. The valid-user parameter tells the server that any user in the file can access the resource. You can also allow only specific users to access the resource. For example:

Require user snow john

Only the two users snow and john can access the resource; other users will be denied.

If a user is allowed to access different areas, the password only needs to be entered once. If the areas have different realms, however, the user will need to enter the password again.

5. Using Groups

If you want several users to have access to a resource, you need to list all of them in the Require line, which is not a good approach when there are many users. One way to solve this problem is to use a group file, so that the Require line can restrict access to a specific group. For example, there is a group called staff that contains all the users who have access to a specific resource.

Require group staff

Multiple groups can be used, and they can be combined with Require user:

Require group staff admin
Require user adminuser

This allows the groups staff and admin, and the user adminuser, to access the resource.

The form of the group file:

staff: martin jane
admin: art adminuser

staff and admin are groups; martin and jane belong to the staff group, and art and adminuser belong to the admin group.

The AuthGroupFile directive tells the server where the group file is. Keep in mind that the maximum length of a line in a group file is 8000 characters (approximately 8K). If a group has more users than fit on one line, you can write another line with the same group name.
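The following is an added example, not part of the original article: it parses a group file in the form shown above, merges repeated lines for the same group, checks the 8000-character line limit the text mentions, and works out which users a set of Require lines admits. It assumes that any one matching Require line is sufficient and that a user must also exist in the password file; the function names and the extra users are constructed for illustration.

```python
# Constructed group file: the first two lines are the page's, the third shows
# a second line for the same group.
GROUP_FILE = """\
staff: martin jane
admin: art adminuser
staff: snow
"""

def parse_groups(text):
    """Parse 'group: user user ...' lines; repeated group lines are merged."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            continue  # skip blank or malformed lines
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def overlong_lines(text, limit=8000):
    """Line numbers exceeding the per-line limit stated in the article."""
    return [n for n, line in enumerate(text.splitlines(), 1) if len(line) > limit]

def allowed_users(require_lines, groups, password_users):
    """Users admitted by the Require lines (assumption: any one line suffices)."""
    known = set(password_users)  # only users in the AuthUserFile can log in
    allowed = set()
    for line in require_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "require":
            continue
        kind, args = parts[1].lower(), parts[2:]
        if kind == "valid-user":
            allowed |= known
        elif kind == "user":
            allowed |= set(args) & known
        elif kind == "group":
            for g in args:
                allowed |= groups.get(g, set()) & known
    return allowed
```

Group membership alone does not grant access here: jane is in staff but would still be refused if she has no entry in the password file.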
