Password protection with .htaccess: simple password restriction

Protecting a website by means of the Apache server itself is one of the simplest and at the same time fairly reliable methods. You do not need to think through a security strategy, design it and implement it in code; moreover, building a good defence of your own requires sufficient qualifications in the matter. By using the built-in protection of the Apache web server you simplify the task greatly: all you have to do is perform a short sequence of actions and your site will be reasonably well protected. This article describes those steps in detail, and at the end there are examples of .htaccess files.

Basic authentication

This article discusses the simplest and most affordable security method: basic authentication.

Comment

Authentication is the process by which it is verified that someone is who they say they are. Typically, verification involves entering a username and password.

Let's look at how basic authentication works.
When a visitor requests a protected directory, the Apache server answers the request with a 401 header (401 Authentication Required). The visitor's browser receives the 401 header and displays a window with fields for entering a username and password. After the username and password are entered, they are sent back to the server, which checks that the username is present in a special list and that the password is correct. If everything matches, the visitor is granted access to the resource. Along with the header, a special name called the scope (the realm) is sent to the browser. The browser caches not only the username and password, so that they are passed along with every request, but also the scope. Thanks to this, the name and password for a protected directory are entered only once; otherwise they would have to be entered with every request to the protected directory. The cached authentication parameters (name, password, scope) are usually kept only for one browser session.

Comment

With basic authentication, the username and password are sent over the network in the clear with every request for the whole session while the visitor works with the protected directory. An attacker can intercept them with a network packet analyser. This type of authentication should not be used where real protection of commercially valuable information is needed.
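The exchange described above, as an added example that is not part of the original article: a few lines of Python that build the server's 401 challenge and the browser's reply, then decode the reply the way a packet analyser on the path would. The realm name, user name and password are constructed sample values.

```python
import base64


def challenge_header(realm: str) -> str:
    """Header Apache sends with the 401 response for a protected directory."""
    return f'WWW-Authenticate: Basic realm="{realm}"'


def authorization_header(username: str, password: str) -> str:
    """Header the browser sends back: 'user:password' encoded with Base64."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def decode_authorization(header_line: str):
    """Recover (username, password) from an Authorization header, or None.

    Base64 is an encoding, not encryption: anyone who can read the request
    on the wire gets exactly the same result as the server does.
    """
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "authorization":
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # the user name may not contain ':', so split on the first colon only
    user, sep, pw = raw.partition(":")
    if not sep:
        return None
    return user, pw


def simulate_exchange(realm: str, username: str, password: str) -> list:
    """Both sides of the exchange, as the lines a sniffer on the path would see."""
    server_reply = ["HTTP/1.1 401 Unauthorized", challenge_header(realm)]
    client_retry = ["GET /admin/ HTTP/1.1", authorization_header(username, password)]
    return server_reply + client_retry


if __name__ == "__main__":
    # constructed sample credentials
    for line in simulate_exchange("admin", "admin", "secret"):
        print(line)
    print(decode_authorization(authorization_header("admin", "secret")))
```

Running the block prints the four header lines and then the tuple recovered from the Authorization header, which is the whole reason the article warns against using Basic authentication for valuable data without TLS.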

Comment

The Apache web server supports another type of protection: digest authentication. With digest authentication the password is not transmitted in clear text but as a hash computed with the MD5 algorithm, so the password cannot be picked up by sniffing the traffic. Unfortunately, to use digest authentication a special module, mod_auth_digest, must be installed on the server, and that is within the competence of the server administrators only. Also, until recently digest authentication was not supported by all browsers.

Website protection made easy

To protect the site you need to perform the following sequence of actions: create a file with passwords, upload it to the server, create a .htaccess file and upload it to the server as well.
To organize the protection you will need:

  1. A website and FTP access to it.
  2. The right to create .htaccess files and organize protection with them.
  3. The password generation utility htpasswd.exe.

Checking the operation of the .htaccess file on the server

To check whether you are allowed to organize protection with .htaccess files, create a text file named .htaccess (the first character is a dot, and there is no extension).

Comment

It is convenient to create .htaccess files with the built-in editor of shells such as Far, Windows Commander or Total Commander, as well as in Notepad.

Comment

To stop Notepad from automatically appending the txt extension, select the "All files" option in the "file type" drop-down list of the save dialog.

Fig. 1. Saving a .htaccess file in Notepad

Checking the operation of .htaccess

AuthType Basic
AuthName admin
require valid-user

Then upload the .htaccess file via FTP to the directory on the site that you want to protect.

Comment

A .htaccess file applies not only to the directory where it is located but also to all subdirectories below it.

Next, open this directory in your browser. If you are protecting the admin directory and have uploaded the .htaccess file there, enter the following URL in the browser's address bar to check: http://www.mysite.ru/admin/.

If after this you are prompted to enter your login and password, as in the figure below, then the testing was successful and you can continue protecting the directory.

Fig. 2. Login and password entry window

If you did everything correctly but the password window does not appear, the server settings prohibit you from using .htaccess files to protect directories. To resolve this, contact the server administrators or use another type of protection.
Once you have determined that .htaccess files work, remove the test file you just uploaded from the site.

Comment

If for some reason you cannot delete the .htaccess file, create an empty .htaccess file and upload it over the file on the server.

Creating the password file .htpasswd

The password file is created by the htpasswd.exe utility. If the Apache web server is installed on your machine, this utility is located in the bin subdirectory of the Apache installation directory.

Comment

If you do not have Apache installed, you can download the htpasswd.exe utility.

The htpasswd.exe utility is run from the command line. Programs such as Far and Windows Commander have a command line; here we will use the cmd utility that ships with Windows 2000/XP and later.
Click "Start" -> "Run", type cmd in the input line and press OK. A CMD window will open.

Fig. 3. CMD utility window

Next, go to the directory containing the htpasswd.exe utility. Suppose the Apache server is installed in the directory c:\Apache2; then type the command cd ../../apache2/bin on the command line and press Enter.

You are now in the directory c:\Apache2\bin. Now you need to run the command that creates the password file. Type the following on the command line:

htpasswd -cm .htpasswd admin

  • -cm are the utility's switches. The c switch tells the utility to create a new password file; if a file with this name already exists, it will be overwritten. The m switch selects MD5 hashing of the password.
  • .htpasswd - the name of the password file (you can use any name).
  • admin - the name of the visitor who will be allowed into the restricted area of the site.

In response you will be asked to enter the password and repeat it. If everything is correct, the message "Adding password for user admin" appears at the end, and the directory c:\Apache2\bin now contains the file .htpasswd with one line holding the user name and the hash of the password. To add another user to the same .htpasswd file, remove the -c switch from the htpasswd.exe command line:

htpasswd -m .htpasswd admin



Comment

If the password file was not created, some of the utility's switches may not be supported on your operating system. For example, the m switch is sometimes not supported; in that case enter htpasswd -c .htpasswd admin.

To see the utility's switches and parameters, enter htpasswd.exe /? and a description of the interface will be printed.
So, the password file has been created. Now it must be uploaded to the server. It is highly advisable to place password files above the site's root directory, where visitors have no access.
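What the lines in .htpasswd look like and how a submitted password is checked against them, as an added example that is not code from the article or from Apache: a Python implementation of the $apr1$ MD5 format that htpasswd -m writes and of the {SHA} format that htpasswd -s writes, plus a small parser for the file. The first sample entry is the worked example from the htpasswd manual page (user myName, password myPassword); the other entry and the file contents are constructed here.

```python
import base64
import hashlib
import hmac

# Alphabet used by Apache (APR) to encode the MD5 hash written by "htpasswd -m".
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of MD5-crypt (the format of 'htpasswd -m')."""
    pw = password.encode("utf-8")
    salt_b = salt[:8].encode("ascii")
    ctx = hashlib.md5(pw + b"$apr1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # mix in the alternate sum, 16 bytes at a time, password-length bytes in total
    for i in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, i)])
    # one byte per bit of the password length
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(salt_b)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt_b.decode('ascii')}${encoded}"


def sha1_htpasswd(password: str) -> str:
    """Format of 'htpasswd -s': '{SHA}' + Base64(SHA-1(password)), unsalted."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    """Check a candidate password against one hash field from .htpasswd."""
    if stored.startswith("$apr1$"):
        parts = stored.split("$")  # ['', 'apr1', salt, hash]
        if len(parts) != 4:
            return False
        return hmac.compare_digest(apr1_md5(password, parts[2]), stored)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(sha1_htpasswd(password), stored)
    return False  # crypt(3) and bcrypt entries need extra libraries; not handled here


def parse_htpasswd(text: str) -> dict:
    """One 'user:hash' entry per line; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if sep:
            users[user] = hashed
    return users


def authenticate(htpasswd_text: str, username: str, password: str) -> bool:
    """The server-side decision: does this user/password pair match the file?"""
    users = parse_htpasswd(htpasswd_text)
    if username not in users:
        # hash anyway so an unknown user takes as long as a wrong password
        apr1_md5(password, "xxxxxxxx")
        return False
    return verify_password(users[username], password)


# Constructed sample file: the first entry is the example from the htpasswd
# manual page ("htpasswd -nbm myName myPassword"); the second is built here.
SAMPLE_HTPASSWD = "\n".join([
    "# users for /admin/",
    "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/",
    "alex:" + sha1_htpasswd("alex-pass"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(authenticate(SAMPLE_HTPASSWD, "myName", "myPassword"))
```

The {SHA} form is a plain unsalted SHA-1 of the password, so identical passwords produce identical lines and precomputed tables apply to it; the $apr1$ form at least carries a salt and 1000 rounds, which is why the article's -m switch is the better of the two shown here, and why the file must never be readable by visitors.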

If this is not possible, the password files must be protected.

This can be done with .htaccess files. To protect the password file, create a .htaccess file with the lines shown in the following listing.

Protecting the file .htpasswd
<Files .htpasswd>
deny from all
</Files>

Put it in the directory where your password file is located; site visitors will then be unable to read it.

The password file has been created and is protected from unauthorized access. Now you need to create a .htaccess file that will be used in the protected directory.

Creating the .htaccess file

The following directives can be used to protect a directory:

  • AuthType - the type of authentication to use. For basic authentication this directive must be set to Basic.
  • AuthName - the name of the authentication scope: text that helps the visitor understand where they are trying to go. For example: "Private zone. Only for administrator!"
  • AuthUserFile - path to the password file (.htpasswd).
  • AuthGroupFile - path to the groups file, if there is one.
  • Require - one or more requirements that must be met to gain access to the restricted area.

Example .htaccess file

AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthGroupFile /usr/host/mysite/group
AuthUserFile /usr/host/mysite/.htpasswd
require group admins

The AuthUserFile and AuthGroupFile directives deserve more detail. They contain absolute paths to the corresponding files from the server root. Attention! Relative paths will not work!


To restrict access to the selected directory, copy these lines to your .htaccess file:

AuthType Basic
AuthName "Thats protected Area!"
AuthUserFile /usr/host/mysite/.htpasswd
Require valid-user

To require a password only for the private.zip file, and to deny browser access to .htpasswd, copy these lines to your .htaccess file:

<Files private.zip>
AuthType Basic
AuthName "Thats protected Area!"
AuthUserFile /usr/host/mysite/.htpasswd
Require valid-user
</Files>
# deny access from the browser to .htpasswd
<Files .htpasswd>
deny from all
</Files>

Note that the .htaccess and .htpasswd files must be saved in Unix format (LF line endings). In Far Manager, for example, press Shift+F2 in the editor and select "in UNIX format (LF)" in the menu that appears.

Directives and description of the .htaccess file used to restrict access

  • AuthType - The type of authentication to use. For basic authentication this directive must be set to: Basic
  • AuthName - The name of the authentication scope. Text that helps the visitor understand where they are trying to access. For example, it may be written: "Private zone. Only for administrator!"
  • AuthUserFile - full path to the password file (.htpasswd). Relative paths will not work.
  • AuthGroupFile - path to the groups file, if it exists.
  • Require - One or more requirements that must be met to gain access to a restricted area.
    • require valid-user - access is allowed to all verified users
    • require user admin alex mango - only visitors with the names admin, alex, mango are allowed access. Naturally, they must be authenticated.
    • require group admins - access is allowed to all users from the admins group

Group files

If a group of people should have access to a protected area of the site, it is convenient to combine them into groups and grant access by checking whether a user belongs to the group.

The group file is a text file in which each line describes one group. The line starts with the group name followed by a colon, and then the visitors in the group are listed, separated by spaces.

Example groups file:

Admins: admin alex mango
Users: guest user max23

The Admins group includes visitors with the names admin, alex, mango. And the Users group includes visitors with the names guest, user, max23.

An example of a .htaccess file for access by all authorized users:

AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthUserFile /usr/host/mysite/.htpasswd
require valid-user

An example of a .htaccess file for access only by the users admin and root:

AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthUserFile /usr/host/mysite/.htpasswd
require user admin root

Access only for users from the admins group:

AuthType Basic
AuthName "Private zone. Only for administrator!"
AuthUserFile /usr/host/mysite/.htpasswd
AuthGroupFile /usr/host/mysite/group
require group admins
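Evaluating the require directives against a group file, as an added example that is not the article's or Apache's own code: a Python parser for the group file format shown above and a function that decides whether an authenticated user satisfies require valid-user, require user ... or require group .... The group file is the sample from the article; group names are matched case-insensitively here so that the article's example (Admins in the file, admins in the directive) resolves, which is an assumption of this example.

```python
from typing import Optional


def parse_group_file(text: str) -> dict:
    """AuthGroupFile format: 'groupname: user1 user2 ...', one group per line."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if sep:
            groups[name.strip()] = set(members.split())
    return groups


def require_allows(require_line: str, user: Optional[str], groups: dict) -> bool:
    """Evaluate one 'require ...' directive for an already-authenticated user.

    user=None means the visitor sent no valid credentials at all, so every
    requirement fails and the server answers 401 again.
    """
    words = require_line.split()
    if len(words) < 2 or words[0].lower() != "require":
        raise ValueError(f"not a require directive: {require_line!r}")
    kind, args = words[1].lower(), words[2:]
    if user is None:
        return False
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in args
    if kind == "group":
        # group names compared case-insensitively (assumption, see lead-in)
        by_lower = {name.lower(): members for name, members in groups.items()}
        return any(user in by_lower.get(g.lower(), ()) for g in args)
    raise ValueError(f"unsupported requirement: {kind}")


# Constructed copy of the article's sample group file.
SAMPLE_GROUPS = "Admins: admin alex mango\nUsers: guest user max23\n"

if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUPS)
    for who in ("alex", "guest", None):
        print(who, require_allows("require group admins", who, groups))
```

Note that a require line only narrows who gets in after the password check has succeeded; it never replaces AuthUserFile, and a group file that lists a user who has no .htpasswd entry grants that user nothing.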

The remaining directives and capabilities of the .htaccess file are covered in the article .htaccess.


In my life I faced such a problem. I think I'm not the only one.

There are situations when the website you are making should not be public but serves as a kind of service for a limited circle of people. You can, of course, bolt on authentication in PHP, but there is an almost elementary way: close the folder on the site using Apache itself, with the .htaccess and .htpasswd files. That is what we will talk about now.

Create a .htpasswd file with passwords

In order to set a password, first we must generate a file .htpasswd. This is done using the htpasswd utility, which exists in versions for both Linux and Windows.

htpasswd -c .htpasswd admin

The -c switch indicates that a new password file is to be created. .htpasswd is the name of the generated file, and admin is the login of the user who will be allowed into the restricted part of the site. After running the utility with all the necessary parameters you will be asked to enter the password and repeat it. If you have already created a .htpasswd file and want to add a new user to it, simply run the utility with the password file name but without the -c switch.

The created file is plain text and contains the user login and the password hash, separated by a colon. By default the hashing algorithm is DES, but you can change it and use the MD5 algorithm with the -m switch; the best option, however, is the SHA algorithm (the -s switch).

Protecting your site using .htaccess

So, the file is created; next we add a .htaccess file to the site's root directory, or add the following lines to an existing one:

# Close access to the .htaccess file
<Files .htaccess>
Order allow,deny
Deny from all
Satisfy All
</Files>

# Specify the location of the .htpasswd file, enable authentication
AuthUserFile /etc/apache2/passwd/.htpasswd
AuthName "Password Protected Area"
AuthType Basic
Require valid-user

The AuthUserFile parameter holds the absolute path to the .htpasswd file. For some reason unknown to me, in many manuals I have seen the password file is stored in the user's home directory. I would not recommend storing this file in your home directory, much less in the root directory of the site.

After creating the file and placing the file .htaccess in the root of the site, it would be a good idea to restart the apache process.

I would also like to point out that it is a good idea to close the site from indexing by search engines. To do this, create a robots.txt file in the site's root directory with the following content:


User-agent: *
Disallow: /

On this I think we can end this post. If you have any other questions on the topic, I’m waiting for them in the comments.

Using standard Apache modules it is possible to ask the user for a username and password when they try to access a specific page or directory. Access is allowed if the login and password are present in a special file.

Creating a password file

The credentials file is usually called .htpasswd and is located in the directory to which access must be restricted. By default, Apache denies access to all files whose names begin with .ht, so the password file, like the .htaccess file, cannot be read by any visitor to your site.

Each line of the file stores the data of one user. The login and the encrypted password are separated by a colon. Example:

admin:YFC5nYLiUI2ig
vasya:bnqw1eZHP2Ujs

Passwords are encrypted with the htpasswd utility, which comes bundled with Apache. To create a new file with the data of user admin, enter the command:

$ htpasswd -c .htpasswd admin

To add a user to an already existing file, the command is:

$ htpasswd .htpasswd vasya

After launch, the utility will ask you to enter the password twice and, if they match, the user data will be added.

Access limitation

Now, to enable the authorization request when attempting to access, you need to make changes to the configuration file or to the file .htaccess. I remind you that the use of files .htaccess undesirable, as it reduces server performance.

<Directory /var/www/example.com/admin>
AuthType Basic
AuthName "Administrative zone"
AuthUserFile /var/www/example.com/admin/.htpasswd
Require valid-user
</Directory>

You will need to change the directory path (Directory), the path to the password file (AuthUserFile) and the prompt string (AuthName) that is displayed to the user when prompted for a password. You can find out the meaning of other directives from the Apache documentation.

After making changes to the configuration file, be sure to restart Apache.

Notes

This example shows the simplest option for restricting access. In general, the capabilities of the Apache authentication system are much broader: for example, users can be divided into groups, and passwords can be stored in a database or requested over a special protocol from other servers. We recommend that you familiarize yourself with all the features in the Apache documentation.

The example uses the simplest type of authentication, Basic. Be aware that in this case the password is transmitted from the client to the server in clear, unencrypted form. If this does not suit you, use another type of authentication or the HTTPS protocol.