Protecting a site with .htaccess and .htpasswd
Basic authentication
This article covers the simplest and most accessible way of protecting a site: basic authentication.
Note
Authentication is the process of checking that somebody is who they claim to be. As a rule, the check consists of entering a name and a password.
Let's look at how basic authentication works.
When a visitor requests a protected directory, the Apache server answers the request with a 401 response (the "401 authentication required" header). The visitor's browser receives the 401 and shows a dialog with fields for a login name and a password. After the name and password are entered, these data are sent back to the server, which checks that the login name is present in a special list and that the password is correct. If everything matches, the visitor gets access to the resource. Together with the header, the server sends the browser a special name called the realm. The browser caches not only the name and password, so that it can resend them with every request, but also the realm. Because of this, the name and password for a protected directory are entered only once; otherwise they would have to be entered on every request to the protected directory. The authentication parameters (name, password, realm) are usually cached only for the duration of one session.
Note
With basic authentication the login name and its password are sent over the network in the clear for the whole session while the visitor works with the protected directory. An attacker can intercept this information using a network packet analyzer. This kind of authentication should not be used where real protection of commercially valuable information is required.
Note
The Apache web server supports one more kind of protection: digest authentication. With digest authentication the password is not sent in the clear but as a hash computed with the MD5 algorithm, so the password cannot be intercepted by sniffing the traffic. Unfortunately, using digest authentication requires a special module, mod_auth_digest, to be installed on the server, and that is solely within the competence of the server's administrators. Also, until recently, digest authentication was not supported by all browsers.
Protecting a site is simple
To protect a site you need to perform the following sequence of actions: create a password file, upload it to the server, create a .htaccess file and upload it to the server as well.
To set up the protection you need:
1. A web site and FTP access to it.
2. Permission to create .htaccess files and to set up protection with them.
3. The password generation utility htpasswd.exe.
Checking that .htaccess files work on the server
To check whether you have the right to set up protection with .htaccess files, create a text file named .htaccess (the first character is a dot; there is no extension).
Note
It is convenient to create .htaccess files with the built-in editor of shells such as Far, Windows Commander, Total Commander, etc., or in the Notepad editor.
Note
To stop Notepad from automatically appending the .txt extension, choose the option "All files" in the "File type" drop-down list of the save dialog.
Before saving the file, enter the following lines into it:
Testing .htaccess
AuthType Basic
AuthName admin
require valid-user
Then copy the .htaccess file over FTP to the site, into the directory you want to protect.
Note
A .htaccess file applies not only to the directory it lies in but also to all subdirectories below it.
Next, open this directory in a browser. If you are protecting the directory admin and have copied the .htaccess file there, enter the following URL in the browser's address bar to check it: http://www.mysite.ru/admin/.
If a prompt for a login and password then opens, as in the figure below, the test has passed and you can continue protecting the directory.
If you did everything correctly but the password prompt did not appear, the server's settings forbid you from using .htaccess files to protect directories. To resolve this you should contact the server's administrators or use another type of protection.
Once you have established that .htaccess files work, remove the test file you just wrote from the site.
Note
If for some reason you cannot delete the .htaccess file, create an empty .htaccess file and replace the one on the server with it.
Creating the password file .htpasswd
The password file is created with the htpasswd.exe utility. If the Apache web server is installed on your machine, this utility is in the bin subdirectory of the directory where Apache is installed.
Note
If Apache is not installed on your machine, the htpasswd.exe utility can be downloaded from the link: http://www.softtime.ru/files/htpasswd.zip.
You work with htpasswd.exe through the command line. Programs such as Far, Windows Commander, etc. provide a command-line interface. Here we will use the command line through the cmd utility included with Windows 2000/XP, etc.
Press Start -> Run, type cmd in the input line and press OK. A CMD window opens.
Next you need to change to the directory containing htpasswd.exe. Suppose the Apache server is installed in the directory c:\Apache2; then enter the command cd ../../apache2/bin at the command line and press Enter.
You are now in the directory c:\Apache2\bin. Now you need to issue the command that creates the password file. Enter the following at the command line:
htpasswd -cm .htpasswd admin
* -cm are the utility's options. The -c option says that a new password file must be created; if a file with that name already exists, it will be overwritten. The -m option selects MD5 encryption.
* .htpasswd is the name of the password file (any name can be used).
* admin is the name of the visitor who will be allowed access to the closed area of the site.
In response, a prompt for the password and its confirmation should appear. If everything is correct, the message "Adding password for user admin" appears at the end, and the file .htpasswd appears in the directory c:\Apache2\bin, containing a line with the login name and the hash of its password. To add one more user to the same .htpasswd file, remove the -c option from the htpasswd.exe command:
htpasswd -m .htpasswd admin
Note
If the password file was not created, it is possible that some options of the utility are not supported on your operating system. For example, the -m option is sometimes not supported. In that case enter htpasswd -c .htpasswd admin
To see the options and parameters of the utility, enter htpasswd.exe /? and a description of its interface will be shown.
So the password file is created. Now you need to copy it to the server. It is highly desirable to place password files above the site's root directory, where visitors have no access.
If that is impossible, the password files must be protected. This can be done with .htaccess files. To protect the password files, create a file with the lines shown in the following listing.
Protecting .htpasswd files
deny from all
Put it in the directory containing your password file. Now site visitors cannot access it.
The password file is created and protected from unauthorized access. Now you need to create the .htaccess file that will be used in the protected directory.
Creating the .htaccess file
The following directives can be used to protect a directory:
* AuthType - the authentication type used. For basic authentication this directive must have the value Basic.
* AuthName - the name of the authentication realm: text that helps the visitor understand where they are trying to get access. For example: "Private zone. Only for administrator!"
* AuthUserFile - the path to the password file (.htpasswd).
* AuthGroupFile - the path to the group file, if one exists.
* Require - one or several requirements that must be met to get access to the closed area.
Example of a .htaccess file
AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthGroupFile /usr/host/mysite/group
AuthUserFile /usr/host/mysite/.htpasswd
require group admins
The AuthUserFile and AuthGroupFile directives need a more detailed description. They take absolute paths to the corresponding files from the server root.
Attention!
Relative paths will not work!
The path from the server root can be learned by asking the server's administrators, or you can try to find it out yourself. To do so, call the function phpinfo(). A purple table will be displayed; the value of the absolute path from the server root can be seen in the variables doc_root, open_basedir, DOCUMENT_ROOT.
The Require directive defines who is allowed access to the closed area. For example,
* require valid-user - access is allowed to everyone who has passed the check
* require user admin alex mango - access is allowed only to visitors named admin, alex, mango. Naturally, they must pass authentication.
* require group admins - access is allowed to all users from the group admins
Group files
If a large group of people must have access to the protected area of the site, it is convenient to combine people into groups and grant access by determining whether the visitor belongs to a group.
The format of the group file is very simple. It is a text file each line of which describes a separate group. The line begins with the group name followed by a colon, and then the visitors included in the group are listed, separated by spaces.
Example of a group file
Admins: admin alex mango
Users: guest user max23
The group Admins includes the visitors admin, alex and mango, and the group Users includes the visitors guest, user and max23.
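The following is an added example, not part of the original article: a small Python model of the exchange described above (the 401 challenge, the browser's Authorization reply, the lookup in .htpasswd) together with evaluation of the three Require forms against a group file in the format just shown. The sample .htpasswd and group files are constructed here; the password hashes use the {SHA} format written by htpasswd -s rather than the MD5 format of htpasswd -m, because it is short enough to reproduce in a few lines.

```python
import base64
import hashlib
import hmac

def sha_hash(password):
    """Hash field in the {SHA} format that 'htpasswd -s' writes."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def sha_entry(user, password):
    """One .htpasswd line: user:hash."""
    return f"{user}:{sha_hash(password)}"

# Constructed sample files (not from the article), in the formats it describes.
HTPASSWD = "\n".join([sha_entry("admin", "password"), sha_entry("alex", "s3cret")])
GROUPS = "Admins: admin alex mango\nUsers: guest user max23\n"

def parse_htpasswd(text):
    """user -> stored hash field, one 'user:hash' per line (AuthUserFile)."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def parse_groups(text):
    """group -> set of members; 'Group: user1 user2' per line (AuthGroupFile)."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = set(members.split())
    return groups

def check_password(stored, password):
    """Constant-time compare of a candidate against a {SHA} hash; other formats fail."""
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_hash(password))

def basic_header(user, password):
    """The Authorization value the browser sends after the user fills in the 401 dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authorize(auth_header, require, users, groups):
    """Decide one request as the server does: 200 on success, otherwise 401.
    By default Apache answers a failed Require with 401 too, so the browser prompts again."""
    if not auth_header or not auth_header.startswith("Basic "):
        return 401                      # no credentials yet: challenge with 401 + realm
    try:
        user, _, pwd = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    if user not in users or not check_password(users[user], pwd):
        return 401                      # unknown name or wrong password
    kind, *args = require.split()       # the Require directive, e.g. 'group Admins'
    allowed = (kind == "valid-user" or (kind == "user" and user in args)
               or (kind == "group" and any(user in groups.get(g, ()) for g in args)))
    return 200 if allowed else 401
```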
Examples of .htaccess files
Access for all users who have passed authentication
AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthUserFile /usr/host/mysite/.htpasswd
require valid-user
Access only for the users admin and root
AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthUserFile /usr/host/mysite/.htpasswd
require user admin root
Access only for users from the group admins
AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthUserFile /usr/host/mysite/.htpasswd
AuthGroupFile /usr/host/mysite/group
require group admins
Restricting access only to the file private.zip
<Files private.zip>
AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthUserFile /usr/host/mysite/.htpasswd
require valid-user
</Files>