The htdigest
and dbmmanage
tools, also
in the /usr/local/web/apache/bin/
directory, are similar
to the htpasswd
application. htdigest
allows you to maintain text database files for use with Digest
authentication, and dbmmanage
supports the
DB, DBM, GDBM, and NDBM database formats. dbmmanage
is a Perl script, so you will need to have the Perl interpreter
(version 5 or later) installed on your system in order to use it.
Location of Your Authentication Database
Remember that one of the main things the Apache Web server does is
serve up files to visitors from the Internet — and don’t put your
authentication database files anyplace where that could happen to
them!
For server-wide database files (that is, those managed by the
Webmaster and listed in the httpd.conf
file, rather
than in user’s .htaccess
files), make sure you put them
someplace where they’re not under the DocumentRoot. Also
make sure you don’t put them someplace where they’re under
an Alias
ed or ScriptAlias
ed directory.
For access control used by individual users to protect their own documents,
the database files should not be under the directory listed in
the UserDir
directive in the server’s httpd.conf
file (typically public_html
). Having your users
put their database files in their home directory, or in another
subdirectory (other than under public_html
!) is
a good idea.
Recent versions of Apache (those newer than 1.3.4 or so) include
a default limitation on the common filenames used for per-directory
authentication databases:
Order allow,deny Deny from allThis will prevent the server from processing requests for files named
.htpasswd
,.htaccess
,
.htpasswd-foo.db
, and so on. Note that if you
upgraded your Apache server from an earlier version, your
httpd.conf
file may not include these lines, and you
may want to add them yourself.Frequently-Asked Apache Security Questions