Basic Authentication using Flatfile based storage

This section configures Apache HTTP Server for Basic Authentication with the user and group data kept in flat files. Make sure to read Setting up Authentication and Authorization before proceeding.

Basic Authentication using Flatfile based storage involves the following steps.
1) Managing Apache Users
2) Managing Apache Groups
3) Examples


1) Managing Apache Users
Apache HTTP Server provides the htpasswd utility for creating and managing authentication files that use Basic HTTP authentication.

Let us create an authentication file .htpasswd in /usr/local/apache2/ with the Apache user auser1.
Execute the below command in a terminal. We will be asked to type a new password for the user. Type it and press Enter.

# htpasswd -cB /usr/local/apache2/.htpasswd auser1

NOTE: If there is an existing password file, the -c option will only work correctly if that file was created by, or follows the exact format expected by, the htpasswd utility. Otherwise the new authentication details are written into a file in a different format, resulting in a corrupt authentication file.

OPTIONS EXPLAINED

-c
Create the passwdfile. If passwdfile already exists, it is rewritten and truncated. This option cannot be combined with the -n option.

-B
Use bcrypt encryption for passwords. This is currently considered to be very secure.

passwdfile
Name of the file to contain the user name and password. If -c is given, this file is created if it does not already exist, or rewritten and truncated if it does exist.

username
The username to create or update in passwdfile. If username does not exist in this file, an entry is added. If it does exist, the password is changed.

This will create a new password file .htpasswd in /usr/local/apache2/ with Apache user auser1.


Let us also add three other Apache users auser2, auser3 and auser4 to the authentication file .htpasswd.

# htpasswd -B /usr/local/apache2/.htpasswd auser2
# htpasswd -B /usr/local/apache2/.htpasswd auser3
# htpasswd -B /usr/local/apache2/.htpasswd auser4
OPTIONS EXPLAINED

-B
Use bcrypt encryption for passwords. This is currently considered to be very secure.

passwdfile
Name of the file to contain the user name and password. If -c is given, this file is created if it does not already exist, or rewritten and truncated if it does exist.

username
The username to create or update in passwdfile. If username does not exist in this file, an entry is added. If it does exist, the password is changed.



The authentication file .htpasswd is currently owned by root and is world readable. Let us set proper permissions for this file. Change the user and group ownership of .htpasswd file to apache.

# chown apache:apache /usr/local/apache2/.htpasswd


Remove read permissions of others for the .htpasswd file.

# chmod o-r /usr/local/apache2/.htpasswd
OPTIONS EXPLAINED

o-r
Unset read permission for other users who are not members of the file's group.


Deleting a user
If we have to delete a user named baduser from the authentication file .htpasswd, execute the below command in a terminal.

# htpasswd -D /usr/local/apache2/.htpasswd baduser
OPTIONS EXPLAINED

-D
Delete user. If the username exists in the specified htpasswd file, it will be deleted.

passwdfile
Name of the file to contain the user name and password. If -c is given, this file is created if it does not already exist, or rewritten and truncated if it does exist.

username
The username to delete from passwdfile. If username does not exist in this file, nothing is changed.

This will delete the user named baduser from .htpasswd. The permissions of .htpasswd file will remain intact.


Verifying the password of a user
If we have to verify the password of the user named auser1, execute the below command in a terminal.

# htpasswd -v /usr/local/apache2/.htpasswd auser1
OPTIONS EXPLAINED

-v
Verify password. Verify that the given password matches the password of the user stored in the specified htpasswd file.

passwdfile
Name of the file to contain the user name and password. If -c is given, this file is created if it does not already exist, or rewritten and truncated if it does exist.

This will prompt for the password of user auser1 and report whether it matches the stored entry.


2) Managing Apache Groups
We have four Apache users auser1, auser2, auser3 and auser4. Let us create a group agroup12 consisting of users auser1 and auser2, and another group agroup34 consisting of users auser3 and auser4.
Create a new file named .htgroups in /usr/local/apache2/ directory with the below content.

agroup12: auser1 auser2
agroup34: auser3 auser4


The group file .htgroups is currently owned by root and is world readable. Let us set proper permissions for this file. Change the user and group ownership of .htgroups file to apache.

# chown apache:apache /usr/local/apache2/.htgroups


Remove read permissions of others for the .htgroups file.

# chmod o-r /usr/local/apache2/.htgroups
OPTIONS EXPLAINED

o-r
Unset read permission for other users who are not members of the file's group.


Deleting a group
If we want to delete a group from the .htgroups file, we will have to do that manually by opening the file in a text editor and removing the corresponding entry.
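As an added example (not part of the original page), the following Python script builds a constructed .htpasswd and .htgroups in the layout shown above inside a temporary directory, reports the problems this section fixes by hand (a world-readable file, a line that is not in user:hash form or not in a format htpasswd writes), and resolves the Require user / valid-user / group forms used in the next section against those files. The hash values are placeholders shaped like htpasswd -B output, not real hashes, and checking a password itself (what htpasswd -v does) is left to htpasswd, since bcrypt is not in the standard library.

```python
import os
import re
import stat
import tempfile

# Constructed sample files in the page's layout. The hash is a placeholder
# shaped like htpasswd -B output ($2y$ prefix, 60 chars), not a real hash.
_FAKE_BCRYPT = "$2y$05$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_HTPASSWD = "\n".join(
    f"{u}:{_FAKE_BCRYPT}" for u in ("auser1", "auser2", "auser3", "auser4")
) + "\nbaduser plaintextpassword\n"      # hand-edited line, not user:hash
SAMPLE_HTGROUPS = "agroup12: auser1 auser2\nagroup34: auser3 auser4\n"

# Hash formats htpasswd writes (bcrypt, apr1 MD5, SHA1); anything else is
# reported for manual review.
_HASH_RE = re.compile(
    r"^(\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}|\$apr1\$[^:]+|\{SHA\}[^:]+)$")


def parse_htpasswd(text):
    """Return ({user: hash}, [problems]) for htpasswd-style text."""
    users, problems = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, digest = line.partition(":")
        if not sep or not name:
            problems.append(f"line {n}: not in user:hash form")
            continue
        if name in users:
            problems.append(f"line {n}: duplicate entry for {name}")
        if not _HASH_RE.match(digest):
            problems.append(f"line {n}: unrecognised hash format for {name}")
        users[name] = digest
    return users, problems


def parse_htgroups(text):
    """Return {group: set(users)} for 'group: user user ...' lines."""
    groups = {}
    for line in text.splitlines():
        group, sep, members = line.partition(":")
        if sep:
            groups[group.strip()] = set(members.split())
    return groups


def audit_mode(path):
    """Report the permission problems the page fixes with chown/chmod."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IROTH:
        problems.append(f"{os.path.basename(path)} is world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{os.path.basename(path)} is group- or world-writable")
    return problems


def is_authorized(user, require, users, groups):
    """Resolve a 'Require user ...', 'Require valid-user' or 'Require group ...'
    line for a user who has already authenticated against the htpasswd file."""
    if user not in users:
        return False                  # authentication would already have failed
    kind, _, args = require.strip().partition(" ")
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in args.split()
    if kind == "group":
        return any(user in groups.get(g, set()) for g in args.split())
    raise ValueError(f"unsupported Require form: {require}")


def demo():
    """Write the constructed files, tighten them as the page does, audit both."""
    with tempfile.TemporaryDirectory() as d:
        pw, gr = os.path.join(d, ".htpasswd"), os.path.join(d, ".htgroups")
        for path, body in ((pw, SAMPLE_HTPASSWD), (gr, SAMPLE_HTGROUPS)):
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, 0o644)                    # fresh file: world-readable
        before = audit_mode(pw) + audit_mode(gr)
        for path in (pw, gr):                        # the page's chmod o-r
            os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_IROTH)
        after = audit_mode(pw) + audit_mode(gr)
        with open(pw) as fh:
            users, problems = parse_htpasswd(fh.read())
        with open(gr) as fh:
            groups = parse_htgroups(fh.read())
    return {
        "world_readable_before": len(before),
        "world_readable_after": len(after),
        "format_problems": problems,
        "auser3_in_agroup12": is_authorized("auser3", "group agroup12", users, groups),
        "auser3_in_agroup34": is_authorized("auser3", "group agroup34", users, groups),
        "auser4_valid_user": is_authorized("auser4", "valid-user", users, groups),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the audit of the constructed files; point parse_htpasswd and audit_mode at /usr/local/apache2/.htpasswd and .htgroups to check a real installation after the chown and chmod steps above.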


3) Examples
The sample configurations provided in the below examples should be placed inside the <Directory> or <Location> block of Apache HTTP Server's configuration files or inside .htaccess files. Note that FilesMatch takes a regular expression that is matched anywhere in the filename, so escape literal dots and anchor the pattern (for example \.jpg$) so that it applies only to the files intended.
Make sure to read Setting up Authentication and Authorization before proceeding.

TIP: Read about htaccess directives.
WARNING: The authentication files should never be accessible to the outside world. If possible they should not be placed within the webserver's URI space. Even if they are placed, Access Control must be implemented denying any access to them.

Apache HTTP Server's main configuration file httpd.conf contains the following lines, which deny access to any file whose name starts with .ht.
    <Files ".ht*">
         Require all denied
    </Files>
Name your authentication files with a .ht prefix so that this rule covers them.


EXAMPLE 1:
To password protect a directory, with access to only selected users, add the below content to the configuration file.

AuthName	"Secure Area"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
Require		user auser1 auser2

This will present the user with a Username & Password prompt when they try to access the specified directory. Only users auser1 and auser2 are authorized to access.


EXAMPLE 2: To password protect a directory, with access to all users, add the below content to the configuration file.

AuthName	"Secure Area"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
Require		valid-user

This will present the user with a Username & Password prompt when they try to access the specified directory. All users are authorized to access.


EXAMPLE 3: To password protect a directory, with access to only selected groups, add the below content to the configuration file.

AuthName	"Secure Area"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
AuthGroupFile	/usr/local/apache2/.htgroups
Require		group agroup12

This will present the user with a Username & Password prompt when they try to access the specified directory. Only users in the group agroup12 are authorized to access.


EXAMPLE 4: To password protect a file, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
<Files "file1.jpg">
  Require valid-user
</Files>

This will present the user with a Username & Password prompt when they try to access the specified file file1.jpg. All users are authorized to access.


EXAMPLE 5: To password protect multiple files, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
<FilesMatch "^(file1\.jpg|file2\.zip|file3)$">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access the specified files file1.jpg, file2.zip, file3. All users are authorized to access.


EXAMPLE 6: To password protect a filetype, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
<FilesMatch "\.jpg$">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access the files with extension .jpg. All users are authorized to access.


EXAMPLE 7: To password protect multiple filetypes, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
<FilesMatch "\.(jpg|pdf|zip|rar)$">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access the files with extensions .jpg, .pdf, .zip, .rar. All users are authorized to access.


EXAMPLE 8: To password protect multiple files/filetypes, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
<FilesMatch "^file">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access all files whose filename starts with file. All users are authorized to access.
OR

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
<FilesMatch "^(file[1-2]\.jpg|file3)$">
  Require valid-user
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access the files file1.jpg, file2.jpg and file3. All users are authorized to access.


EXAMPLE 9: To password protect everything in a directory, except a single file, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
Require		valid-user
<Files "file1.jpg">
  Require all granted
</Files>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the file file1.jpg. All users are authorized to access.


EXAMPLE 10: To password protect everything in a directory, except multiple files, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
Require		valid-user
<FilesMatch "^(file1\.jpg|file2\.zip|file3)$">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files file1.jpg, file2.zip, file3. All users are authorized to access.


EXAMPLE 11: To password protect everything in a directory, except a specific filetype, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
Require		valid-user
<FilesMatch "\.jpg$">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files with extension .jpg. All users are authorized to access.


EXAMPLE 12: To password protect everything in a directory, except multiple filetypes, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
Require		valid-user
<FilesMatch "\.(jpg|pdf|zip|rar)$">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files with extensions .jpg, .pdf, .zip and .rar. All users are authorized to access.


EXAMPLE 13: To password protect everything in a directory, except multiple files/filetypes, with access to all users, add the below content to the configuration file.

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
Require		valid-user
<FilesMatch "^file">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files whose filename starts with file. All users are authorized to access.
OR

AuthName	"Secure File"
AuthType	Basic
AuthUserFile	/usr/local/apache2/.htpasswd
Require		valid-user
<FilesMatch "^(file[1-2]\.jpg|file3)$">
  Require all granted
</FilesMatch>

This will present the user with a Username & Password prompt when they try to access anything in the directory except the files file1.jpg, file2.jpg and file3. All users are authorized to access.
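Apache applies a FilesMatch pattern as a regular expression matched anywhere in the filename, so an unescaped dot or an unanchored pattern (shapes such as .jpg or file*) matches more names than the prose in Examples 5 to 13 describes; in Examples 9 to 13 every extra match is a file served with no password prompt at all. The following added example (mine, not from the page or the Apache project) runs each loose shape and its anchored form over a constructed directory listing so the difference is visible. Python's re.search reproduces the unanchored matching Apache uses here; the filenames are constructed for the demonstration.

```python
import re

# Constructed directory listing (not from the page) chosen so that loose and
# anchored patterns give visibly different results.
SAMPLE_FILES = [
    "file1.jpg", "file2.zip", "file3", "file30.txt", "profile.html",
    "photo.jpg", "photo.jpgs", "xjpg", "index.html", "archive.rar",
]

# Loose pattern shapes (unescaped '.', no anchors) beside anchored forms that
# match only what the accompanying prose describes.
PATTERN_PAIRS = {
    ".jpg": r"\.jpg$",                             # "files with extension .jpg"
    ".(jpg|pdf|zip|rar)$": r"\.(jpg|pdf|zip|rar)$",
    "file*": r"^file",                             # "filename starts with file"
    "(file1.jpg)|(file2.zip)|(file3)": r"^(file1\.jpg|file2\.zip|file3)$",
}


def files_matched(pattern, names=SAMPLE_FILES):
    """Names a FilesMatch regex applies to. Apache matches the pattern
    anywhere in the filename, which re.search reproduces."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def unprotected_files(exemption_pattern, names=SAMPLE_FILES):
    """Examples 9 to 13: Require valid-user for the directory plus a FilesMatch
    block containing Require all granted. Every name the exemption pattern
    matches is served without a password prompt."""
    return files_matched(exemption_pattern, names)


def compare_patterns(names=SAMPLE_FILES):
    """Map each loose pattern to (loose matches, anchored matches)."""
    return {loose: (files_matched(loose, names), files_matched(tight, names))
            for loose, tight in PATTERN_PAIRS.items()}


if __name__ == "__main__":
    for loose, (got, wanted) in compare_patterns().items():
        extra = sorted(set(got) - set(wanted))
        print(f"{loose!r:36} matches {got}")
        print(f"{'':36} anchored form matches {wanted}; extra: {extra}")
```

The extra names in each line of the output are the ones a loose pattern would protect by accident (Examples 5 to 8) or, worse, exempt from authentication by accident (Examples 9 to 13). Before deploying a FilesMatch exemption, run the pattern over a listing of the real directory with files_matched and confirm the result is exactly the intended set.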


EXAMPLE 14: If we want to disable password protection for a specific directory, add the below content to the configuration file.

Require all granted

This will not present the user with the Username & Password prompt when they try to access that directory.


It is recommended to view the following sections.
Basic Authentication using DBM based storage
Digest Authentication using Flatfile based storage
Digest Authentication using DBM based storage

OR

You may go back to the following section.
Securing Apache HTTP Server