Securing Your Web Pages with Apache Page 9




mod_auth
This is the basis for most Apache security modules; it
uses ordinary text files for the authentication database. Entries
are of the form “username:password”;
additional fields may follow the password, separated from it
by a colon,
but they’re ignored.

mod_auth_db
This module is essentially the same as mod_auth,
except that the authentication credentials are stored in a
Berkeley DB file format. The directives contain the additional
letters “DB” (e.g., AuthDBUserFile).

mod_auth_dbm
Like mod_auth_db, save that credentials are stored
in a DBM file.

mod_auth_anon
This module mimics the behaviour of anonymous FTP; rather than
having a database of valid credentials, it recognises a list of
valid usernames (i.e., the way an FTP server recognises
ftp and anonymous) and grants access
to any of those with essentially any password. This module is
more useful for logging access to resources and keeping
robots out than it is for actual access control.

mod_auth_digest
Whereas the other discretionary control modules supplied with
Apache all support Basic authentication,
mod_auth_digest is currently
the sole supporter of the Digest mechanism. It underwent some
serious revamping in 1999, and the new version is currently
considered ‘experimental,’ but no problems have been identified with
the new code and it’s likely to be moved back into the standard
stable soon. Like mod_auth, the credentials used by
this module are stored in a text file. Digest database
files are managed with the htdigest
tool. Using mod_digest is much more involved than
setting up Basic authentication; please see the
module documentation for details.

Allowing Users to Control Access to Their Own Documents

All of the security-related module directives can be used in
per-directory .htaccess files. However,
in order for Apache to pay attention to them, the directories
in question need to be within the scope of an AllowOverride
directive that includes the AuthConfig (for discretionary
controls) or Limit (for mandatory controls) keywords.
For instance, a standard Linux installation of Apache can enable
this with the following lines in the httpd.conf
file:

  
    
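    # Placeholder path: use the directory tree that holds your users' documents
    <Directory "/placeholder/path">
        AllowOverride AuthConfig Limit
    </Directory>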
    

Using Your System passwd File

This is a common request, and an incredibly bad idea: "How
can I use my system's /etc/passwd file as my
Web authentication database?"

The simple answer is: you don't. I'll just list a couple
of reasons:

  1. If someone manages to crack the username and password of someone
    accessing a Web page, that person can now log onto your system.
    (Remember, most of the Web authentication uses the Basic
    method, which is incredibly simple to crack.)
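
Because mod_auth ignores any fields after the password, a copied passwd-format file is accepted as an authentication database, which is how this mistake usually ends up in production. The following Python script is an added example, not code from the original guide: it parses the "username:password" format described under mod_auth and flags entries that were copied from, or share a password hash with, a system account file. The function names and all sample data are constructed for illustration, and skipping lines without a colon is a simplification.

```python
# Added example: audit a mod_auth-style text file for reuse of system accounts.
# All function names and sample data are constructed for illustration.

def parse_auth_file(text):
    """Map username -> password field; fields after the password are dropped,
    mirroring how mod_auth ignores them."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Simplification for this audit: skip blanks, comments, colon-less lines.
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":")
        users.setdefault(fields[0], fields[1])  # keep the first entry per name
    return users

def looks_like_passwd_entry(line):
    """True for a 7-field passwd(5) line: name:pw:uid:gid:gecos:home:shell."""
    f = line.strip().split(":")
    return len(f) == 7 and f[2].isdigit() and f[3].isdigit()

def audit(auth_text, system_text):
    """Return sorted (username, finding) tuples for the web auth file."""
    findings = set()
    system = parse_auth_file(system_text)  # passwd(5) also starts name:password
    for line in auth_text.splitlines():
        if looks_like_passwd_entry(line):
            findings.add((line.split(":")[0], "passwd-format line"))
    for user, pw in parse_auth_file(auth_text).items():
        # "x", "*", "!" and "" are placeholders, not hashes, so never match them.
        if pw not in ("x", "*", "!", "") and system.get(user) == pw:
            findings.add((user, "hash reused from system account"))
    return sorted(findings)

AUTH_SAMPLE = """\
# constructed sample web authentication file
alice:CONSTRUCTEDhashA1
bob:CONSTRUCTEDhashB2:1001:1001:Bob:/home/bob:/bin/sh
carol:CONSTRUCTEDhashC3:trailing field that mod_auth ignores
"""
SYSTEM_SAMPLE = """\
bob:CONSTRUCTEDhashB2:1001:1001:Bob:/home/bob:/bin/sh
alice:CONSTRUCTEDhashZ9:1000:1000:Alice:/home/alice:/bin/sh
"""

if __name__ == "__main__":
    for user, finding in audit(AUTH_SAMPLE, SYSTEM_SAMPLE):
        print(f"{user}: {finding}")
```
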
