Special Topics
The following discussions involve not only CGI script security, but also Apache and Linux configuration and administration.
Authentication
Your web site may have some restricted content, such as premium pages for registered customers or administrative functions for web site maintainers. Use authentication to establish the identity of the visitor.
Basic authentication
The simplest authentication method in Apache is basic authentication. This requires a password file on the web server and a require directive in a config file:
    <Location /auth_demo_dir>
        AuthName "My Authorization"
        AuthType Basic
        # Note: Keep the password files in their own directory
        AuthUserFile /usr/local/apache/auth_dir/auth_demo_password
        Order deny,allow
        Require valid-user
    </Location>
I suggest storing password files in their own directories, outside the document root. You may use subdirectories to segregate files by user or virtual host. This is more manageable than .htaccess files all over the site, and it keeps Apache running faster.
You can specify any matching user, a list of users, or a list of groups:
    require valid-user
    require user user1 user2 ...
    require group group1 group2 ...
Where are the names and passwords stored? The simplest, specified by AuthUserFile in the example, is a flat text file on the server. To create the password file initially, type the following:
htpasswd -c /usr/local/apache/auth_dir/auth_demo_password user1
To add entries to the password file:
htpasswd /usr/local/apache/auth_dir/auth_demo_password ...
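As an added illustration that is not from the book, the following Python reads a constructed password file in the {SHA} form that htpasswd -s writes, plus a constructed group file in the AuthGroupFile format ("group: member member"), and evaluates the three require forms shown above the way Apache does: the password check denies on unknown users and on hash schemes it does not implement instead of falling back, and compares digests in constant time. The user and group names are made up.

```python
import base64
import hashlib
import hmac


def sha_entry(password: str) -> str:
    """Return the '{SHA}' digest form that 'htpasswd -s' stores."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed sample files (not from the book); same layout as AuthUserFile
# and AuthGroupFile.  Comment lines and blank lines are tolerated.
PASSWORD_FILE = "\n".join([
    "# users for /auth_demo_dir",
    "user1:" + sha_entry("correct horse"),
    "user2:" + sha_entry("battery staple"),
    "",
])
GROUP_FILE = "admins: user1\nreaders: user1 user2\n"


def parse_users(text: str) -> dict:
    """Map user name -> stored digest from an htpasswd-style file."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, digest = line.partition(":")
        users[name] = digest
    return users


def parse_groups(text: str) -> dict:
    """Map group name -> set of members from an AuthGroupFile-style file."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups


def check_password(users: dict, name: str, password: str) -> bool:
    stored = users.get(name)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user or unsupported scheme: deny, never fall back
    return hmac.compare_digest(stored, sha_entry(password))


def authorize(require: str, name: str, groups: dict) -> bool:
    """Evaluate 'valid-user', 'user a b ...' or 'group g1 g2 ...' for an authenticated user."""
    words = require.split()
    if words == ["valid-user"]:
        return True
    if words[0] == "user":
        return name in words[1:]
    if words[0] == "group":
        return any(name in groups.get(g, ()) for g in words[1:])
    return False
```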