Apache lock-down

This blog post is more than 4 years old, so the content may be out of date.

It's a request I get a lot when a site's in development: put the website on a public server, but lock it down so you need a password to get into the site.

There are a few Drupal modules for this:

But I want to do something with Apache (why? I don't want to add a module that's not going to be used in production, and it makes testing a little more reliable).

Preparing a password file

Both of the methods rely on a password file which can be used by Apache.

Initially create the password file by using the '-c' option.

htpasswd -c /var/www/.htpasswd username

It'll then prompt you for a password for that username.

Add new users using the same command, but without '-c' (which would overwrite the existing file):

htpasswd /var/www/.htpasswd username

Standard Apache lock-down

Here's the standard way to add basic-auth:

  <Directory /var/www/html>
 
    # Basic setup...default is deny, unless someone is allowed.
    Order Deny,Allow
    Deny from all
 
    # Instructions for basic auth
    AuthType Basic
    AuthName "Restricted Files"
    # Path to the file created with htpasswd
    AuthUserFile /var/www/.htpasswd
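    # Any user listed in the password file is accepted
    Require valid-user

    # Passing the password check is enough. Without this, the default
    # (Satisfy All) also requires the host check to pass, and
    # "Deny from all" would return 403 to everyone.
    Satisfy Any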
  </Directory>

Apache lock-down with IP whitelist

This takes the Apache basic-auth lock-down, but whitelists certain IP addresses (basically so I don't have to remember usernames and passwords!)

  <Directory /var/www/html>
 
    # Basic setup...default is deny, unless someone is allowed.
    Order Deny,Allow
    Deny from all
 
    # Instructions for basic auth
    AuthType Basic
    AuthName "Restricted Files"
    # Path to the file created with htpasswd
    AuthUserFile /var/www/.htpasswd
    # Any user listed in the password file is accepted
    Require valid-user
 
    # Any of the authentication methods are OK: password or IP allow.
    Satisfy Any
 
    # Localhost
    Allow from 127.0.0.1
 
    # Marcus' IP address
    Allow from 1.2.3.4
  </Directory>
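
The `Order`, `Deny`, `Allow` and `Satisfy` directives above are Apache 2.2 syntax; Apache 2.4 only accepts them through mod_access_compat. Here is the same password-or-whitelisted-IP rule written with 2.4's native `Require` directives, as an added example that is not part of the original post (it reuses the post's path, realm name and example IP address):

```apache
<Directory /var/www/html>

    # Instructions for basic auth (unchanged from 2.2)
    AuthType Basic
    AuthName "Restricted Files"
    # Path to the file created with htpasswd
    AuthUserFile /var/www/.htpasswd

    # Equivalent of "Satisfy Any": a request is let in as soon as
    # ONE of the rules inside the container matches.
    <RequireAny>
        # Localhost
        Require ip 127.0.0.1

        # Marcus' IP address
        Require ip 1.2.3.4

        # Everyone else needs a user from the password file
        Require valid-user
    </RequireAny>
</Directory>
```

For the password-only version, drop the two `Require ip` lines. If Varnish or another proxy on the same machine connects to Apache over 127.0.0.1, every request arrives from that address, so the localhost rule would let all visitors in without a password.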

Footnote

Site's behind Varnish and you want to use the same approach? Mig5 has an answer: Excluding IPs from HTTP auth when Apache is behind Varnish.
