HTTP Basic Authentication (htpasswd) is a rather old technology that has lasted and evolved for a long time. It is easy to set up, but its drawback is that it sends the password from the client to the server unencrypted, which leaves it vulnerable. We should therefore choose the stronger authentication type, HTTP Digest Authentication (htdigest).
The official Apache documentation (mod_auth_digest - Apache HTTP Server Version 2.4) describes the module mod_auth_digest as follows:
This module implements HTTP Digest Authentication (RFC2617), and provides an alternative to mod_auth_basic where the password is not transmitted as cleartext ...
Now, let's make the directory /private password-protected.
- Create a password file for the valid-user "steven"
- Check the file
- Add directives into httpd configuration file (or .htaccess)
- Make sure the module is loaded
- Restart httpd service
[root@test ~]# htdigest -c /usr/local/httpd/passwords private_zone steven
New password:
Re-type new password:
Adding password for user steven
Note that you must provide the realm name before the user name. In this case, the realm is "private_zone".
[root@test ~]# ls -l /usr/local/httpd/passwords
-rw-r--r-- 1 root root 45 May 19 23:02 /usr/local/httpd/passwords
[root@test ~]# vi /etc/httpd/conf/httpd.conf
...
<Location /private/>
AuthType Digest
AuthName "private_zone"
AuthDigestDomain /private/ https://www.example.com/private/
AuthDigestProvider file
AuthUserFile /usr/local/httpd/passwords
Require valid-user
</Location>
...
The AuthName must match the realm name given in step 1.
[root@test ~]# grep mod_auth_digest /etc/httpd/conf/httpd.conf
LoadModule auth_digest_module modules/mod_auth_digest.so
For httpd 2.4 or above, look for the module in the conf.modules.d directory instead:
[root@test ~]# grep mod_auth_digest /etc/httpd/conf.modules.d/*
/etc/httpd/conf.modules.d/00-base.conf:LoadModule auth_digest_module modules/mod_auth_digest.so
Alternatively, you can list the loaded modules with the following command.
[root@test ~]# apachectl -M | grep auth_digest
Syntax OK
auth_digest_module (shared)
[root@test ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
The official documentation also recommends combining HTTP Digest Authentication with SSL for more security:
Digest authentication was intended to be more secure than basic authentication, but no longer fulfills that design goal. A man-in-the-middle attacker can trivially force the browser to downgrade to basic authentication. And even a passive eavesdropper can brute-force the password using today's graphics hardware, because the hashing algorithm used by digest authentication is too fast. Another problem is that the storage of the passwords on the server is insecure. The contents of a stolen htdigest file can be used directly for digest authentication. Therefore using mod_ssl to encrypt the whole connection is strongly recommended.
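The following added example (not from the original post or from the Apache project) shows in Python why the AuthName must match the realm stored in the password file, and why the contents of a stolen htdigest file are enough to authenticate: the server checks a response using only the stored hash, as defined in RFC 2617. The password, nonce and cnonce values are constructed samples, and the function names are illustrative.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def htdigest_line(user, realm, password):
    # Line format written by htdigest: user:realm:MD5(user:realm:password)
    ha1 = md5_hex("%s:%s:%s" % (user, realm, password))
    return "%s:%s:%s" % (user, realm, ha1)

def lookup_ha1(lines, user, auth_name):
    # An entry is found only if its realm equals AuthName exactly.
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user and parts[1] == auth_name:
            return parts[2]
    return None

def response_from_ha1(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 response for qop=auth: built from HA1, never from the password.
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))

def server_verify(lines, auth_name, user, method, uri, nonce, nc, cnonce, response):
    # Server side: the stored hash is all that is needed to check a response.
    ha1 = lookup_ha1(lines, user, auth_name)
    if ha1 is None:
        return False
    expected = response_from_ha1(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

# Constructed sample data (not real credentials).
SAMPLE_PW = "constructed-sample-pw"
PASSWORD_FILE = [htdigest_line("steven", "private_zone", SAMPLE_PW)]
NONCE, NC, CNONCE = "constructed-nonce-0001", "00000001", "constructed-cnonce"

def demo():
    # Client side: derive HA1 from the typed password, then the response.
    client_ha1 = md5_hex("steven:private_zone:" + SAMPLE_PW)
    resp = response_from_ha1(client_ha1, "GET", "/private/", NONCE, NC, CNONCE)
    args = ("steven", "GET", "/private/", NONCE, NC, CNONCE, resp)
    matching = server_verify(PASSWORD_FILE, "private_zone", *args)
    mismatched = server_verify(PASSWORD_FILE, "private zone", *args)
    return matching, mismatched

if __name__ == "__main__":
    print(demo())
```

Because the stored hash alone is sufficient to pass verification, the password file deserves the same protection as a list of plaintext passwords. The listing earlier on this page shows it with mode -rw-r--r--, which makes it readable by every local user.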
For better security, you can follow my post to set up an official SSL certificate from any CA: How to Make Your Official SSL Work - Openssl + Apache + Linux + CA.
Or you may consider creating a self-signed SSL certificate at no cost: How to Create Self-Signed Certificate by Openssl on CentOS 6.4.
Besides password-protecting directories, you can also limit and block unwanted sources from accessing sensitive directories: How to Limit Access to Web Directories Based on Hosts