There are several ways to deny global access to files and directories, so that only people from a specified domain or with knowledge of a given password can view them.
To restrict access, create a file named .htaccess in that directory (the server configuration has to permit this with AllowOverride, at least AuthConfig and Limit for the directives used below). Its content depends on the desired behavior. Note that the <Limit GET> wrapper used in the examples restricts only GET (and HEAD) requests; other methods such as POST stay unrestricted, so the <Limit> wrapper can simply be omitted to apply the directives to every method:
To restrict access to persons from a specific domain or a group of computers, deny global access with deny from all and then allow access for individual computers or domains with allow from hostname domain:
    <Limit GET>
    order deny,allow
    deny from all
    allow from lahn.de host.friendly.net
    </Limit>
A user who can identify himself with a name and a password can view your pages. The name and the hashed password are stored in a special file:
    <Limit GET>
    AuthType Basic
    AuthUserFile /etc/httpd/htpasswd
    AuthGroupFile /dev/null
    AuthName "This text prompts for the password"
    require user ThisOnlyPerson
    </Limit>
Similar to the above, each person receives a username and a password. A second file defines groups, and access is granted to the members of a group:
    <Limit GET>
    AuthType Basic
    AuthUserFile /etc/httpd/htpasswd
    AuthGroupFile /etc/httpd/htgroup
    AuthName "This text prompts for the password"
    require group ThisGroup
    </Limit>
The versions above can be combined: persons from a specific domain are not asked for a password; everybody else has to identify themselves with username and password:
    <Limit GET>
    order deny,allow
    deny from all
    allow from lahn.de
    AuthType Basic
    AuthGroupFile /etc/httpd/htgroup
    AuthUserFile /etc/httpd/htpasswd
    AuthName "This text prompts for the password"
    require valid-user
    satisfy any
    </Limit>
In the previous example every person listed with a password in htpasswd can access the data. By changing require valid-user to require group ThisGroup the person has to be a member of ThisGroup. With require user ThisUser the access is further restricted to the single person ThisUser.
Access can be tightened further: by removing satisfy any from the last example (the default is satisfy all), people have to come from the allowed domain and also have to identify themselves with name and password. If they come from a denied host or cannot authenticate, access is denied.
To control access at user level, a file containing the names and passwords has to be created. This can be done with htpasswd, which is part of the Apache server and resides in the support subdirectory. Additional methods are described here.
The file "htgroup" contains a line for each group with the format
    ThisGroup: User1 User2 User3
For every user named there a password has to be created in "htpasswd".
Each filename should be fully qualified, and the files must not be kept in the restricted directory or anywhere else under the document root. They also should not be readable by ordinary users on the server, so that nobody can download them and attack the password hashes offline.
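The following is an added example (not part of the original page, and not Apache's code) that re-implements in Python the decision Apache makes for the combined .htaccess above: host matching for order deny,allow / deny from all / allow from, password checking against htpasswd, group lookup in htgroup, the three require forms, and satisfy any versus the default satisfy all. The htpasswd and htgroup contents, user names, passwords and host names are constructed for the example; entries use the {SHA} scheme written by htpasswd -s, and other hash schemes are simply rejected.

```python
import base64
import hashlib
import hmac


def htpasswd_line(user, password):
    """Build an htpasswd entry in the {SHA} scheme written by 'htpasswd -s':
    user:{SHA}base64(sha1(password)). Used only to construct the sample file."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed sample files (assumed content, not from the page).
HTPASSWD = "\n".join([
    htpasswd_line("ThisOnlyPerson", "correct horse"),
    htpasswd_line("alice", "wonderland"),
]) + "\n"
HTGROUP = "ThisGroup: ThisOnlyPerson alice\nOthers: bob\n"
ALLOW_FROM = ["lahn.de", "host.friendly.net"]  # the page's 'allow from' list


def parse_htpasswd(text):
    """Map user -> stored hash from 'user:hash' lines; other lines are ignored."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            user, stored = line.split(":", 1)
            users[user.strip()] = stored.strip()
    return users


def parse_htgroup(text):
    """Map group -> set of members from 'Group: user1 user2 ...' lines."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups


def password_ok(stored, password):
    """Check a password against a {SHA} entry. crypt(3), $apr1$ and bcrypt
    entries produced by other htpasswd options are not handled here and
    are rejected (a simplification for the example)."""
    if not stored.startswith("{SHA}"):
        return False
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], digest)


def host_allowed(hostname, allow_from):
    """'order deny,allow' + 'deny from all' + 'allow from ...': the client's
    (reverse-resolved) name passes only if it equals an entry or ends in
    '.' + entry. Matching on a label boundary keeps 'notlahn.de' from
    satisfying 'allow from lahn.de'."""
    host = hostname.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower())
               for d in allow_from)


def user_satisfies(require, user, groups):
    """Evaluate the page's three require forms: ('valid-user',),
    ('user', name, ...) or ('group', name, ...)."""
    kind = require[0]
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in require[1:]
    if kind == "group":
        return any(user in groups.get(g, set()) for g in require[1:])
    raise ValueError(f"unknown require type {kind!r}")


def decide(hostname, credentials, require, satisfy="all",
           htpasswd=HTPASSWD, htgroup=HTGROUP, allow_from=ALLOW_FROM):
    """Return True if the request is served.
    credentials: (user, password) from a Basic Authorization header, or
    None when the browser sent none. satisfy 'all' (the default when the
    directive is absent) needs host AND login; 'any' needs host OR login."""
    users = parse_htpasswd(htpasswd)
    groups = parse_htgroup(htgroup)
    from_host = host_allowed(hostname, allow_from)
    logged_in = False
    if credentials is not None:
        user, password = credentials
        stored = users.get(user)
        logged_in = (stored is not None and password_ok(stored, password)
                     and user_satisfies(require, user, groups))
    if satisfy == "any":
        return from_host or logged_in
    return from_host and logged_in


if __name__ == "__main__":
    # The combined example from the page: lahn.de hosts get in without a
    # password, everybody else must log in (satisfy any, require valid-user).
    print(decide("www.lahn.de", None, ("valid-user",), satisfy="any"))        # True
    print(decide("pc.example.org", None, ("valid-user",), satisfy="any"))     # False
    print(decide("pc.example.org", ("alice", "wonderland"), ("valid-user",),
                 satisfy="any"))                                              # True
    # Without 'satisfy any' both conditions are required.
    print(decide("pc.example.org", ("alice", "wonderland"), ("valid-user",)))  # False
```

The host check deliberately matches on a label boundary; the require check is only reached after the password verified, which mirrors the order in which Apache applies authentication before authorization.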
The tag AuthType Basic is the only universally supported method for authentication, but it transmits passwords effectively in plain text: the browser sends user:password merely base64-encoded with every request, and anybody with the right know-how can intercept these transmissions and collect passwords.
Another upcoming standard is Digest Authentication (AuthType Digest), in which the browser sends an MD5 hash computed over the password and a server-chosen nonce instead of the password itself, but very few browsers support this kind of authentication; note also that an interceptor who captures the hash can still try to guess the password offline. Using SSL is also possible and protects the credentials of either method in transit.
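As an added example (not from the original page and not Apache's code), the following Python shows what an interceptor actually obtains from each scheme: a Basic Authorization header decoded back to the password, and the Digest computation of RFC 2617 (without qop), in which only MD5(HA1:nonce:HA2) crosses the wire and the server compares it against a stored HA1. The user name, realm, password, nonce and candidate list are constructed for the example. The last function shows the caveat that Digest does not remove: a captured response can still be tested offline against password guesses.

```python
import base64
import hashlib
import hmac


def basic_header(user, password):
    """What a browser sends for AuthType Basic (constructed, RFC 2617 form)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_basic(header):
    """What a passive observer gets from that header: base64 is an encoding,
    not encryption, so user and password come back verbatim."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is what the server stores for
    Digest instead of a plain or crypt'ed password, so the file is bound
    to one realm (the AuthName string)."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """Client side, RFC 2617 without qop: response = MD5(HA1:nonce:HA2),
    HA2 = MD5(method:uri). The password itself never leaves the browser."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_verify(stored_ha1, response, method, uri, nonce):
    """Server side: recompute from the stored HA1 and the nonce it issued.
    A response captured under one nonce is useless under the next one."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def guess_digest_password(user, realm, response, method, uri, nonce, candidates):
    """The caveat: everything except the password is visible in the exchange,
    so an observer can test guesses offline. Returns the first candidate
    that reproduces the captured response, or None."""
    for guess in candidates:
        if digest_response(digest_ha1(user, realm, guess), method, uri, nonce) == response:
            return guess
    return None


if __name__ == "__main__":
    # Constructed exchange (not captured traffic).
    user, realm, password = "alice", "This text prompts for the password", "wonderland"
    nonce, method, uri = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/protected/"
    print(recover_basic(basic_header(user, password)))           # ('alice', 'wonderland')
    ha1 = digest_ha1(user, realm, password)
    resp = digest_response(ha1, method, uri, nonce)
    print(digest_verify(ha1, resp, method, uri, nonce))            # True
    print(digest_verify(ha1, resp, method, uri, "a-fresh-nonce"))  # False
    print(guess_digest_password(user, realm, resp, method, uri, nonce,
                                ["password", "letmein", "wonderland"]))  # wonderland
```

The replay check and the guessing function together make the practical point: Digest keeps the password off the wire and ties each response to a nonce, but its security against an eavesdropper is only as good as the password's resistance to guessing, which is why SSL is the better fix for either scheme.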
Instead of a plain text file for passwords and group information, Apache provides several modules that use databases. Two very similar modules differ only in the format used:
The module DB is based on the Berkeley database format. If this module is used, the entries AuthUserFile and AuthGroupFile are replaced by AuthDBUserFile and AuthDBGroupFile.
The module DBM uses a DBM database based on NDBM or GDBM. AuthUserFile and AuthGroupFile are replaced by AuthDBMUserFile and AuthDBMGroupFile.
To create these databases use the program dbmmanage, which is installed with Apache. A tutorial is provided here.
The Apache server documentation provides all the information needed to configure Apache and set everything up. In particular the modules Digest, Access, Auth and Auth DBM (mod_digest, mod_access, mod_auth, mod_auth_dbm) are useful.