Proper Integration of Web User Authentication Methods in Apache

February 4th, 2010

Often, it is important to password-protect and authenticate users who log in to view a private or development server environment. When you have non-public resources to serve from Apache, a variety of modules and settings can enable proper user authentication. While there are HTML-based user login prompts, server-based authentication methods are much more secure, since they protect the underlying directories and files themselves.

There are several ways to reliably secure an Apache server, including an independent password file, database (MySQL) based authentication, log file authentication, and updates to the core configuration file. Each method has its own trade-offs in security and ease of implementation, so select the one that suits your own deployment. Keep in mind that sensitive data should require multiple layers of security beyond a password prompt, including firewalls and data encryption.

A Common Method for Securing Apache Web Page Logins

The single most common (and simplest) method of authenticating Apache web pages is through .htaccess and .htpasswd files. You have to update your core httpd.conf file to allow password protection on the server. Keep in mind that you should create a dedicated private directory for authentication, since these files refer to a specific directory. These file updates rely on the mod_auth and mod_access modules to apply user preferences in Apache.

To start, create a private directory within your public folder, such as public_html/private, and add the following lines to a .htaccess file in that directory:

# Text shown in the browser's login prompt (the "realm")
AuthName "Private Login."
AuthType Basic
# Absolute path to the password file
AuthUserFile /home/domain/public_html/private/.htpasswd
# Only this account may enter; replace "username" with a real account name
Require user username

Next, you'll need to create your .htpasswd file, which is simply a list of user names and their associated passwords in the format username:password. You can find a password generator for htpasswd files here, since the passwords need to be stored in encrypted form rather than plain text. Here's a sample htpasswd file:

johndoe:n5SfEoROImkWg
dave:3fluV/1n84p2e
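As an added example (not code from the original post), the following Python script audits an .htaccess/.htpasswd pair like the two snippets above from a defender's point of view: it confirms every "Require user" name has a password entry, classifies the hash format of each entry, warns when the password file sits under the document root, and notes that Basic authentication only base64-encodes credentials. The file contents, the document root /home/domain/public_html, the extra accounts (alice, carol, bob, erin) and the bcrypt-shaped placeholder are all constructed for this example; only the {SHA} format is verified offline here, since crypt(3), $apr1$ and bcrypt need system or third-party libraries.

```python
"""Offline audit of an Apache .htaccess / .htpasswd pair (added example).
Checks Require users, hash formats and the password file's location."""
import base64
import hashlib
import re


def sha1_entry(password):
    """Build an htpasswd '{SHA}' value: unsalted base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample inputs modelled on the post's snippets (not real credentials).
SAMPLE_HTACCESS = """\
AuthName "Private Login."
AuthType Basic
AuthUserFile /home/domain/public_html/private/.htpasswd
Require user johndoe
Require user alice
"""

SAMPLE_HTPASSWD = "\n".join([
    "johndoe:n5SfEoROImkWg",            # crypt(3), as in the post
    "dave:3fluV/1n84p2e",               # crypt(3), as in the post
    "carol:" + sha1_entry("password"),  # {SHA}, built here
    "bob:$2y$05$" + "a" * 53,           # bcrypt-shaped placeholder, not a real hash
    "erin:plaintext",                   # no hashing at all
    "# comment lines and blank lines are skipped",
    "",
])

# Why each format is flagged; bcrypt (htpasswd -B) is the one left unflagged.
HASH_NOTES = {
    "plain": "password stored in clear text",
    "crypt": "crypt(3) keeps only the first 8 password characters and a 12-bit salt",
    "sha1": "{SHA} is unsalted SHA-1, so identical passwords give identical entries",
    "apr1-md5": "$apr1$ is iterated MD5; acceptable, but bcrypt is preferred",
}


def classify_hash(stored):
    """Name the htpasswd hash format of one stored value."""
    if re.match(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$", stored):
        return "bcrypt"
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith("{SHA}"):
        return "sha1"
    if re.match(r"^[./0-9A-Za-z]{13}$", stored):
        return "crypt"
    return "plain"


def parse_htpasswd(text):
    """Map user -> stored hash; reject lines that are not user:hash."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash, got {raw!r}")
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def parse_htaccess(text):
    """Collect AuthName/AuthType/AuthUserFile and the 'Require user' names."""
    conf = {"require_users": []}
    for raw in text.splitlines():
        directive, _, args = raw.strip().partition(" ")
        key = directive.lower()  # blank and '#' lines match nothing below
        if key == "require" and args.lower().startswith("user "):
            conf["require_users"].extend(args.split()[1:])
        elif key in ("authname", "authtype", "authuserfile"):
            conf[key] = args.strip().strip('"')
    return conf


def verify_password(user, password, users):
    """True/False for {SHA} entries; None when the format is not checked here."""
    stored = users.get(user)
    if stored is None:
        return False
    if classify_hash(stored) == "sha1":
        return stored == sha1_entry(password)
    return None


def audit(htaccess_text, htpasswd_text, document_root):
    """Return human-readable findings for the .htaccess/.htpasswd pair."""
    conf = parse_htaccess(htaccess_text)
    users = parse_htpasswd(htpasswd_text)
    findings = []
    path = conf.get("authuserfile", "")
    if path.startswith(document_root.rstrip("/") + "/"):
        findings.append(f"AuthUserFile {path} lies under the document root; move it outside")
    for name in conf["require_users"]:
        if name not in users:
            findings.append(f"Require user {name} has no .htpasswd entry")
    for name, stored in users.items():
        kind = classify_hash(stored)
        if kind in HASH_NOTES:
            findings.append(f"{name}: {kind}: {HASH_NOTES[kind]}")
    if conf.get("authtype", "").lower() == "basic":
        findings.append("AuthType Basic sends credentials base64-encoded on every request; use HTTPS")
    return findings
```

Running audit(SAMPLE_HTACCESS, SAMPLE_HTPASSWD, "/home/domain/public_html") reports the password file's location under public_html, the missing entry for alice, the crypt(3), {SHA} and clear-text entries, and the HTTPS reminder. The two crypt(3) entries copied from the post are the format htpasswd -d produces; on a current Apache, htpasswd -B gives bcrypt entries, which this audit leaves unflagged.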

You can also add IP-based restrictions using Allow or Deny directives in your Apache configuration, which further ensure private directories are accessible only to their intended audience.
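The following configuration fragments are an added example, not the post's own, tying together the httpd.conf change the post mentions, the .htaccess login, and the IP restriction above. They assume the directory /home/domain/public_html/private, a password file moved to /home/domain/.htpasswd (outside the document root, so it can never be served even if the stock rule that hides .ht* files is lost), and the documentation network 192.0.2.0/24 as a placeholder for the addresses that should be allowed. The Allow/Deny form is the Apache 2.2 syntax of the post's era; the RequireAll block is the Apache 2.4 equivalent, and a given .htaccess should use one form or the other.

```apache
# httpd.conf (server-wide).  Without AllowOverride, Auth* and Require lines
# in .htaccess are refused and the directory answers with a 500 error.
<Directory "/home/domain/public_html/private">
    # AuthConfig permits the Auth*/Require directives; Limit permits
    # Order/Allow/Deny on Apache 2.2.
    AllowOverride AuthConfig Limit
</Directory>

# /home/domain/public_html/private/.htaccess  (Apache 2.2 form)
AuthName "Private Login."
AuthType Basic
# Password file kept outside the document root (assumed path)
AuthUserFile /home/domain/.htpasswd
# Any account listed in the password file; use "Require user name" for one account
Require valid-user
# Deny everyone, then allow the trusted network; with the default
# "Satisfy All" a client must pass BOTH the IP rule and the login.
Order Deny,Allow
Deny from all
Allow from 192.0.2.0/24

# /home/domain/public_html/private/.htaccess  (Apache 2.4 form, same effect)
# AuthName "Private Login."
# AuthType Basic
# AuthUserFile /home/domain/.htpasswd
# <RequireAll>
#     Require valid-user
#     Require ip 192.0.2.0/24
# </RequireAll>
```

Because Basic authentication only base64-encodes the username and password on every request, the directory should be served over HTTPS; the IP rule limits who can even reach the login prompt, and the password file outside public_html limits what an Apache misconfiguration could expose.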

Preventing users from directly accessing private web pages is one form of security, but for sensitive data an entirely private server may also be a good idea. In these cases, you can limit access to the files to hosts within your firewall, blocking outside access entirely. When working with partners, you can allow them to connect remotely to your server in order to reach the requisite files.

In general, a basic user security feature involves creating a session-based user authentication method built on a username and password. You can set up the script so that users must authenticate for each directory or page after logging in, in case you need to implement multiple layers of security. Importantly, you should always implement an automated log-out method to limit the duration of user sessions. This ensures public computers don't retain unauthorized access to your files beyond the intended time period.
