Securing Your Web Pages with Apache Page 12

Written By
Ken Coar
Jun 29, 2000



The htdigest and dbmmanage tools, also
in the /usr/local/web/apache/bin/ directory, are similar
to the htpasswd application. htdigest
allows you to maintain text database files for use with Digest
authentication, and dbmmanage supports the
DB, DBM, GDBM, and NDBM database formats. dbmmanage
is a Perl script, so you will need to have the Perl interpreter
(version 5 or later) installed on your system in order to use it.

Location of Your Authentication Database

Remember that one of the main things the Apache Web server does is
serve up files to visitors from the Internet, so don't put your
authentication database files anyplace where that could happen to
them!

For server-wide database files (that is, those managed by the
Webmaster and listed in the httpd.conf file, rather
than in users' .htaccess files), make sure you put them
someplace where they're not under the DocumentRoot. Also
make sure you don't put them someplace where they're under
an Aliased or ScriptAliased directory.

For access control used by individual users to protect their own documents,
the database files should not be under the directory listed in
the UserDir directive in the server’s httpd.conf
file (typically public_html). Having your users
put their database files in their home directory, or in another
subdirectory (other than under public_html!) is
a good idea.
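
An added example, not code from the original article: a small Python check that reads an httpd.conf and reports any authentication database placed under a DocumentRoot, Alias, ScriptAlias, or UserDir location. The sample configuration and its paths are constructed; only absolute paths are compared, and the UserDir test simply looks for the directory name among the file's path components.

```python
import posixpath
import shlex

# Directives that name an authentication database (Apache 1.3-era modules).
AUTH_DIRECTIVES = {"authuserfile", "authgroupfile", "authdbmuserfile",
                   "authdbmgroupfile", "authdigestfile"}

# Constructed sample configuration for illustration (not from the article).
SAMPLE_CONF = """\
DocumentRoot /usr/local/web/apache/htdocs
Alias /icons/ /usr/local/web/apache/icons/
ScriptAlias /cgi-bin/ /usr/local/web/apache/cgi-bin/
UserDir public_html
AuthUserFile /usr/local/web/apache/htdocs/private/.htpasswd
AuthGroupFile /usr/local/web/apache/auth/groups
AuthDBMUserFile /usr/local/web/apache/cgi-bin/users
AuthUserFile /home/alice/public_html/.htpasswd
AuthUserFile /home/alice/.htpasswd
"""

def _is_under(path, root):
    """True if path equals root or lies beneath it (absolute paths only)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(conf_text):
    """Return (auth_file, directive) pairs for databases the server could serve."""
    served, userdir, auth_files = [], None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and <Section> tags
            continue
        parts = shlex.split(line)
        name, args = parts[0].lower(), parts[1:]
        if name == "documentroot" and args:
            served.append(("DocumentRoot", args[0]))
        elif name in ("alias", "scriptalias") and len(args) == 2:
            served.append((parts[0], args[1]))   # second argument is the directory
        elif name == "userdir" and args:
            userdir = args[0]
        elif name in AUTH_DIRECTIVES and args:
            auth_files.append(args[0])
    findings = []
    for f in auth_files:
        findings += [(f, d) for d, root in served if _is_under(f, root)]
        if userdir and userdir in posixpath.normpath(f).split("/"):
            findings.append((f, "UserDir"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{p}: under {why}" for p, why in audit(SAMPLE_CONF)))
```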

Recent versions of Apache (those newer than 1.3.4 or so) include
a default limitation on the common filenames used for per-directory
authentication databases:

  
    
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>
    

This will prevent the server from processing requests for files named
.htpasswd, .htaccess,
.htpasswd-foo.db, and so on. Note that if you
upgraded your Apache server from an earlier version, your
httpd.conf file may not include these lines, and you
may want to add them yourself.

Frequently-Asked Apache Security Questions

Ken Coar is a ServerWatch contributor.