Home

Security

As it is configured out of the box, your system is open and has no security. Although random people won't know to access your server without a domain name, security based on ignorance is not really a good idea.

It is strongly recommended that you password protect your server. You can add username/passwords for yourself, your friends and even add a guest account with a password that is not obvious that you can - at your disctretion - make available to people on a casual basis (not really a good idea but that is your call).

To add security, you will need to make sure that a couple of lines are not commented out in your httpd.conf file, create an access control file and then create a password file. I have supplied a web based utility to make adding passwords a little easier.

Steps:

httpd.conf

Open the httpd.conf file
Search for "AuthConfig"
You will see a directory (> Directory) )statement below
This defines that path to your web server document root
The actual path to your documentroot will vary by operating and install. Lets assume here it is "apache/htdocs"
A few lines below you will see the following text

#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo", 
# "AuthConfig", and "Limit"
#
#
#    AllowOverride None

This line will vary from installation to installation. But make sure that the AllowOverRide is not comment out and that it says AllowOverride All
The text should look like this:

# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo", 
# "AuthConfig", and "Limit"
#
#
    AllowOverride All

This allows you to override the defaults in the apache.conf file with a file you will create called .htaccess
Save your changes to the httpd.conf file
Restart Apache to load the changes you made

Create The .htaccess file

We now need to create the .htaccess file and then the password file. I do have a password admin too available, but lets keep things simple for now
Copy from the installation directory .htaccess.win32 or .htaccess.unix depending on your platform in the document root directory (apache/htdocs or whatever). Renaming the file to .htaccess (no extension)
You will need to edit it. Make the following changes:

Change Authname to whatever security description you want. Keep it in quotes
Change the path to the AuthUserFile to a subdirectory below the document root.
If your installation is "c:\apache\htdocs" the location should be in the "C:\Apache" directory. If you are on a Unix system, it would look like /httpdApache/ (or wherever it really is) without the quotes and with leading and trailing slashes
Locating the password file below the document root prevents web access to it. This prevents any external web access to the passwords file
The statement require valid-user means that only people with username/password access can get in

Now you can add passwords. Go to the Apache directory that you specified as the location of the .htaccess file

htpasswd -c .htpasswd henry creates the password file and adds henry
You will be challenged to supply a password for the user
Do Not use the -c switch after the first user! "-c" means create and will overwrite your file!
Add additional users as needed with:

htpasswd .htpasswd bob
htpasswd .htpasswd fred
htpasswd .htpasswd betty
etc...

Note that the location of the .htaccess file in the document root means that all users will be password challenged. This is probably a good idea on a home machine. Corporate machines will obviously have different requirements
Thats it!

There is a password management script available that you can use to add additional passwords. You can install that if you want to add a menu driven password/user console for your system. Don't add this menu until you have verified that your password restrictions have been successfully configured. Keep things simple, do one thing at a time!

[an error occurred while processing this directive]