Linux Microsoft VMware
Showing posts with label Apache. Show all posts
Showing posts with label Apache. Show all posts

Monday, August 27, 2012

Authentication / Password Protection in Apache


There are many ways you can password protect directories under Apache web server. This is important to keep your file privates from both unauthorized users and search engines (when you do not want to get your data indexed). Here you will see the basics of password protecting a directory on your server. You can use any one of the following method:

  1. Putting authentication directives in a <Directory> section, in your main server configuration httpd.conf file, is the preferred way to implement this kind of authentication.
  1. If you do not have access to Apache httpd.conf file (for example shared hosting) then with the help of file called .htaccess you can create password protect directories. .htaccess file provide a way to make configuration changes on a per-directory basis.


In order to create apache password protected directories you need:


Ø         a password file

Ø         and Directory name which you would like to password protect (/var/www/html/private)


Step 1: Make sure Apache is configured to use .htaccess file

You need to have AllowOverride AuthConfig directive in httpd.conf file in order for these directives to have any effect. Look for DocumentRoot Directory entry. In this example, our DocumentRoot directory is set to /var/www/html/private. Therefore, my entry in httpd.conf looks like as follows:

Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all

Save the file and restart Apache

# service httpd restart
Step 2: Create a password file with htpasswd

htpasswd command is used to create and update the flat-files (text file) used to store usernames and password for basic authentication of Apache users. General syntax:

# htpasswd -c password-file username
Where,

  • -c: Create the password-file. If password-file already exists, it is rewritten and truncated.
  • Username: The username to create or update in password-file. If username does not exist in this file, an entry is added. If it does exist, the password is changed.
Create directory outside apache document root, so that only Apache can access password file. The password-file should be placed somewhere not accessible from the web. This is so that people cannot download the password file:

# mkdir -p /home/password/
Add new user called marshal

# htpasswd -c /home/password/.htpasswd marshal
Make sure “/home/password/.htpasswd” file is readable by Apache web server. If Apache cannot read your password file, it will not authenticate you. You need to setup a correct permission using chown command.

Now allow apache user apache to read our password file:

# chown apache:apache /home/password/.htpasswd # chmod 0660 
/home/password/.htpasswd

Create a directory /var/www/html/private if it does not exist:

# mkdir -p /var/www/html/private

Create .htaccess file using text editor:

# cd /var/www/html/private # vi .htaccess

Add following text:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/password/.htpasswd
Require user marshal

Save file and exit to shell prompt.

Step 3: Test your configuration

Fire your browser type url http://yourdomain.com/private or http://localhost/private or http://ip-address/private

When prompted for username and password please supply username marshal and password. You can add following lines to any file <Directory> entry in httpd.conf file:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/password/.htpasswd
Require user marshal

To change or setup new user use htpasswd command again.

Securing Apache Web Server with Encryption


In this blog we are going to discuss about encrypting communications to web server using TLS/SSL.

Step 1:  Install mod_ssl and httpd

# yum -y install mod_ssl httpd
Step 2: Perform the things required for web server by editing the “/etc/httpd/conf/httpd.conf” and also the creation of web pages in the directories described in the configuration file.

Steps 3: Edit the ssl configuration file

# vim /etc/httpd/conf.d/ssl.conf
Check line number 88

SSLEngine on    ------>>> remove comments if exists
We are using the default certificate and it’s key

Line number 105 pointing to certificate file

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
line nu 112 pointing to certificate key file

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Thats all editing the ssl configuration file.

Step 4: Restart httpd service

# service httpd restart
Step 5: Check it out

Open Browser and type the URL in the address bar

http://server.example.com
Now an error message is displayed saying that “this page can only be viewed using the URL “https://server.example.com”. Type the URL

https://server.example.com
When Browser presents a warning,> click the “I understand the Risks” link > click the “Add Exceptions… ” button, > click “View…” when it becomes active. > click “Close”… > click “Confirm security exception”…

Above we used the default certificate / key pair. We too can use a custom self signed certificate using crypto-utils.

Install crypto-utils

# yum -y install crypto-utils
Generate self signed certificate/key pair using “genkey” tool

You should be root to generate a key.

First, use the “cd” command to change to the ”/etc/httpd/conf/” directory. Remove the fake key and certificate that were generated during the installation with the following commands:

# rm ssl.key/server.key rm ssl.crt/server.crt
# genkey www.example.com

 Click next >>

Click next >>

On generating your key, you will be prompted to send a Certificate Request (CSR) to a Certificate Authority (CA).

Click no >>

Click next >>

If you choose to encrypt, you should set a pass phrase to decrypt the key. And also selecting “encrypt the private key”, always you will be asked for the pass phrase whenever restarting the httpd service.


enter the pass phrase and click next >>

Click close.

Now configure the server to use the new certificate and key.

Check whether you have the new certificate and key.

# ls /etc/pki/tls/certs/
ca-bundle.crt  ca-bundle.trust.crt  localhost.crt  make-dummy-cert  
Makefile  server.csr    server.crt    www.example.com.crt
# ls /etc/pki/tls/private/
server.key     www.example.com.key

Edit “/etc/httpd/conf.d/ssl.conf”. Change the SSLCertificateFile and SSLCertificateKey lines to be.

SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

Now restart the httpd service

# service httpd restart






Configure Apache in RHEL / CENTOS



Packages required
httpd, httpd-devel, httpd-manual
Daemon
/usr/sbin/httpd
Script
/etc/init.d/httpd
Ports
80/tcp (http) , 443/tcp (https)
Configuration
/etc/httpd/*
/var/www/*

These are the things to be thought of while setting web server.

Thursday, July 26, 2012

How to make a tomcat as a service in CENTOS/RHCE


Introduction

This document will teach you how to setup Tomcat to run as a service (startup when booted) on Linux. 

Powered by Blogger.