summaryrefslogtreecommitdiff
path: root/docs/manual/howto/auth.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/manual/howto/auth.html')
-rw-r--r--docs/manual/howto/auth.html379
1 files changed, 0 insertions, 379 deletions
diff --git a/docs/manual/howto/auth.html b/docs/manual/howto/auth.html
deleted file mode 100644
index 3ea56e4508..0000000000
--- a/docs/manual/howto/auth.html
+++ /dev/null
@@ -1,379 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
-<html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta name="generator" content="HTML Tidy, see www.w3.org" />
-
- <title>Authentication</title>
- <link rev="made" href="mailto:rbowen@rcbowen.com" />
- </head>
- <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
-
- <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
- vlink="#000080" alink="#FF0000">
- <!--#include virtual="header.html" -->
-
- <h1 align="center">Authentication</h1>
- <a id="__index__" name="__index__"></a> <!-- INDEX BEGIN -->
-
-
- <ul>
- <li><a href="#introduction">Introduction</a></li>
-
- <li><a href="#theprerequisites">The prerequisites</a></li>
-
- <li><a href="#gettingitworking">Getting it working</a></li>
-
- <li><a href="#lettingmorethanonepersonin">Letting more
- than one person in</a></li>
-
- <li><a href="#possibleproblems">Possible problems</a></li>
-
- <li><a href="#whatotherneatstuffcanido">What other neat
- stuff can I do?</a></li>
-
- <li><a href="#moreinformation">More information</a></li>
- </ul>
- <!-- INDEX END -->
- <hr />
-
- <table border="1">
- <tr>
- <td valign="top"><strong>Related Modules</strong><br />
- <br />
- <a href="../mod/mod_auth.html">mod_auth</a><br />
- <a href="../mod/mod_access.html">mod_access</a><br />
- </td>
-
- <td valign="top"><strong>Related Directives</strong><br />
- <br />
- <a href="../mod/mod_access.html#allow">Allow</a><br />
- <a
- href="../mod/mod_auth.html#authgroupfile">AuthGroupFile</a><br />
- <a href="../mod/core.html#authname">AuthName</a><br />
- <a href="../mod/core.html#authtype">AuthType</a><br />
- <a
- href="../mod/mod_auth.html#authuserfile">AuthUserFile</a><br />
- <a href="../mod/mod_access.html#deny">Deny</a><br />
- <a href="../mod/core.html#options">Options</a><br />
- <a href="../mod/core.html#require">Require</a><br />
- </td>
- </tr>
- </table>
-
- <h1><a id="authentication"
- name="authentication">Authentication</a></h1>
-
- <p>Authentication is any process by which you verify that
- someone is who they claim they are. Authorization is any
- process by which someone is allowed to be where they want to
- go, or to have information that they want to have.</p>
-
- <h2><a id="introduction"
- name="introduction">Introduction</a></h2>
-
- <p>If you have information on your web site that is sensitive
- or intended for only a small group of people, the techniques in
- this article will help you make sure that the people that see
- those pages are the people that you wanted to see them.</p>
-
- <p>This article covers the "standard" way of protecting parts
- of your web site that most of you are going to use.</p>
-
- <h2><a id="theprerequisites" name="theprerequisites">The
- prerequisites</a></h2>
-
- <p>The directives discussed in this article will need to go
- either in your main server configuration file (typically in a
- &lt;Directory&gt; section), or in per-directory configuration
- files (<code>.htaccess</code> files).</p>
-
- <p>If you plan to use <code>.htaccess</code> files, you will
- need to have a server configuration that permits putting
- authentication directives in these files. This is done with the
- <code><a
- href="../mod/core.html#allowoverride">AllowOverride</a></code>
- directive, which specifies which directives, if any, may be put
- in per-directory configuration files.</p>
-
- <p>Since we're talking here about authentication, you will need
- an <code>AllowOverride</code> directive like the following:</p>
-<pre>
- AllowOverride AuthConfig
-</pre>
-
- <p>Or, if you are just going to put the directives directly in
- your main server configuration file, you will of course need to
- have write permission to that file.</p>
-
- <p>And you'll need to know a little bit about the directory
- structure of your server, in order to know where some files are
- kept. This should not be terribly difficult, and I'll try to
- make this clear when we come to that point.</p>
-
- <h2><a id="gettingitworking"
- name="gettingitworking">Getting it working</a></h2>
-
- <p>Here's the basics of password protecting a directory on your
- server.</p>
-
- <p>You'll need to create a password file. This file should be
- placed somewhere not accessible from the web. This is so that
- folks cannot download the password file. For example, if your
- documents are served out of
- <code>/usr/local/apache/htdocs</code> you might want to put the
- password file(s) in <code>/usr/local/apache/passwd</code>.</p>
-
- <p>To create the file, use the <a
- href="../programs/htpasswd.html">htpasswd</a> utility that came
- with Apache. This be located in the <code>bin</code> directory
- of wherever you installed Apache. To create the file, type:</p>
-<pre>
- htpasswd -c /usr/local/apache/passwd/password rbowen
-</pre>
-
- <p><code>htpasswd</code> will ask you for the password, and
- then ask you to type it again to confirm it:</p>
-<pre>
- # htpasswd -c /usr/local/apache/passwd/passwords rbowen
- New password: mypassword
- Re-type new password: mypassword
- Adding password for user rbowen
-</pre>
-
- <p>If <code>htpasswd</code> is not in your path, of course
- you'll have to type the full path to the file to get it to run.
- On my server, it's located at
- <code>/usr/local/apache/bin/htpasswd</code></p>
-
- <p>Next, you'll need to configure the server to request a
- password and tell the server which users are allowed access.
- You can do this either by editing the <code>httpd.conf</code>
- file or using an <code>.htaccess</code> file. For example, if
- you wish to protect the directory
- <code>/usr/local/apache/htdocs/secret</code>, you can use the
- following directives, either placed in the file
- <code>/usr/local/apache/htdocs/secret/.htaccess</code>, or
- placed in httpd.conf inside a &lt;Directory
- /usr/local/apache/apache/htdocs/secret&gt; section.</p>
-<pre>
- AuthType Basic
- AuthName "Restricted Files"
- AuthUserFile /usr/local/apache/passwd/passwords
- require user rbowen
-</pre>
-
- <p>Let's examine each of those directives individually. The <a
- href="../mod/core.html#authtype">AuthType</a> directive selects
- that method that is used to authenticate the user. The most
- common method is <code>Basic</code>, and this is the method
- implemented by <a href="../mod/mod_auth.html">mod_auth</a>. It
- is important to be aware, however, that Basic authentication
- sends the password from the client to the browser unencrypted.
- This method should therefore not be used for highly sensitive
- data. Apache supports one other authentication method:
- <code>AuthType Digest</code>. This method is implemented by <a
- href="../mod/mod_auth_digest.html">mod_auth_digest</a> and is
- much more secure. Only the most recent versions of clients are
- known to support Digest authentication.</p>
-
- <p>The <a href="../mod/core.html#authname">AuthName</a>
- directive sets the <em>Realm</em> to be used in the
- authentication. The realm serves two major functions. First,
- the client often presents this information to the user as part
- of the password dialog box. Second, it is used by the client to
- determine what password to send for a given authenticated area.
- So, for example, once a client has authenticated in the
- <code>"Restricted Files"</code> area, it will automatically
- retry the same password for any area on the same server that is
- marked with the <code>"Restricted Files"</code> Realm.
- Therefore, you can prevent a user from being prompted more than
- once for a password by letting multiple restricted areas share
- the same realm. Of course, for security reasons, the client
- will always need to ask again for the password whenever the
- hostname of the server changes.</p>
-
- <p>The <a
- href="../mod/mod_auth.html#authuserfile">AuthUserFile</a>
- directive sets the path to the password file that we just
- created with <code>htpasswd</code>. If you have a large number
- of users, it can be quite slow to search through a plain text
- file to authenticate the user on each request. Apache also has
- the ability to store user information in fast database files.
- The <a href="../mod/mod_auth_dbm.html">mod_auth_dbm</a> module
- provides the <a
- href="../mod/mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</a>
- directive. These files can be created and
- manipulated with the <a
- href="../programs/dbmmanage.html">dbmmanage</a> program. Many
- other types of authentication options are available from third
- party modules in the <a
- href="http://modules.apache.org/">Apache Modules
- Database</a>.</p>
-
- <p>Finally, the <a href="../mod/core.html#require">require</a>
- directive provides the authorization part of the process by
- setting the user that is allowed to access this region of the
- server. In the next section, we discuss various ways to use the
- <code>require</code> directive.</p>
-
- <h2><a id="lettingmorethanonepersonin"
- name="lettingmorethanonepersonin">Letting more than one
- person in</a></h2>
-
- <p>The directives above only let one person (specifically
- someone with a username of <code>rbowen</code>) into the
- directory. In most cases, you'll want to let more than one
- person in. This is where the <a
- href="../mod/mod_auth.html#authgroupfile">AuthGroupFile</a>
- comes in.</p>
-
- <p>If you want to let more than one person in, you'll need to
- create a group file that associates group names with a list of
- users in that group. The format of this file is pretty simple,
- and you can create it with your favorite editor. The contents
- of the file will look like this:</p>
-<pre>
- GroupName: rbowen dpitts sungo rshersey
-</pre>
-
- <p>That's just a list of the members of the group in a long
- line separated by spaces.</p>
-
- <p>To add a user to your already existing password file,
- type:</p>
-<pre>
- htpasswd /usr/local/apache/passwd/password dpitts
-</pre>
-
- <p>You'll get the same response as before, but it will be
- appended to the existing file, rather than creating a new file.
- (It's the <code>-c</code> that makes it create a new password
- file).</p>
-
- <p>Now, you need to modify your <code>.htaccess</code> file to
- look like the following:</p>
-<pre>
- AuthType Basic
- AuthName "By Invitation Only"
- AuthUserFile /usr/local/apache/passwd/passwords
- AuthGroupFile /usr/local/apache/passwd/groups
- require group GroupName
-</pre>
-
- <p>Now, anyone that is listed in the group
- <code>GroupName</code>, and has an entry in the
- <code>password</code> file, will be let in, if they type the
- correct password.</p>
-
- <p>There's another way to let multiple users in that is less
- specific. Rather than creating a group file, you can just use
- the following directive:</p>
-<pre>
- require valid-user
-</pre>
-
- <p>Using that rather than the <code>require user rbowen</code>
- line will allow anyone in that is listed in the password file,
- and who correctly enters their password. You can even emulate
- the group behavior here, by just keeping a separate password
- file for each group. The advantage of this approach is that
- Apache only has to check one file, rather than two. The
- disadvantage is that you have to maintain a bunch of password
- files, and remember to reference th right one in the
- <code>AuthUserFile</code> directive.</p>
-
- <h2><a id="possibleproblems" name="possibleproblems">Possible
- problems</a></h2>
-
- <p>Because of the way that Basic authentication is specified,
- your username and password must be verified every time you
- request a document from the server. This is even if you're
- reloading the same page, and for every image on the page (if
- they come from a protected directory). As you can imagine, this
- slows things down a little. The amount that it slows things
- down is proportional to the size of the password file, because
- it has to open up that file, and go down the list of users
- until it gets to your name. And it has to do this every time a
- page is loaded.</p>
-
- <p>A consequence of this is that there's a practical limit to
- how many users you can put in one password file. This limit
- will vary depending on the performance of your particular
- server machine, but you can expect to see slowdowns once you
- get above a few hundred entries, and may wish to consider a
- different authentication method at that time.</p>
-
- <h2><a id="whatotherneatstuffcanido"
- name="whatotherneatstuffcanido">What other neat stuff can
- I do?</a></h2>
-
- <p>Authentication by username and password is only part of the
- story. Frequently you want to let people in based on something
- other than who they are. Something such as where they are
- coming from.</p>
-
- <p>The <code>allow</code> and <code>deny</code> directives let
- you allow and deny access based on the host name, or host
- address, of the machine requesting a document. The
- <code>order</code> directive goes hand-in-hand with these two,
- and tells Apache in which order to apply the filters.</p>
-
- <p>The usage of these directives is:</p>
-<pre>
- allow from address
-</pre>
-
- <p>where <em>address</em> is an IP address (or a partial IP
- address) or a fully qualified domain name (or a partial domain
- name); you may provide multiple addresses or domain names, if
- desired.</p>
-
- <p>For example, if you have someone spamming your message
- board, and you want to keep them out, you could do the
- following:</p>
-<pre>
- deny from 205.252.46.165
-</pre>
-
- <p>Visitors coming from that address will not be able to see
- the content covered by this directive. If, instead, you have a
- machine name, rather than an IP address, you can use that.</p>
-<pre>
- deny from host.example.com
-</pre>
-
- <p>And, if you'd like to block access from an entire domain,
- you can specify just part of an address or domain name:</p>
-<pre>
- deny from 192.101.205
- deny from cyberthugs.com moreidiots.com
- deny from ke
-</pre>
-
- <p>Using <code>order</code> will let you be sure that you are
- actually restricting things to the group that you want to let
- in, by combining a <code>deny</code> and an <code>allow</code>
- directive:</p>
-<pre>
- order deny,allow
- deny from all
- allow from dev.example.com
-</pre>
-
- <p>Listing just the <code>allow</code> directive would not do
- what you want, because it will let folks from that host in, in
- addition to letting everyone in. What you want is to let
- <em>only</em> those folks in.</p>
-
- <h2><a id="moreinformation" name="moreinformation">More
- information</a></h2>
-
- <p>You should also read the documentation for <code><a
- href="../mod/mod_auth.html">mod_auth</a></code> and <code><a
- href="../mod/mod_access.html">mod_access</a></code> which
- contain some more information about how this all works.</p>
- </body>
-</html>
-