Protecting Your Pages
by Nathan Poole
These days, protecting your pages from those who pose a threat to your content or company is simple in theory. The problem is that it requires some knowledge of the Apache Web server or, if you're merely a client on a server, knowledge of your shell account. There are two ways of using user authentication on the Web: one is safe from everyday users, the other is safe from anyone--if used correctly.
This toolkit offers an extensive look at .htpasswd and at using .htaccess to your complete advantage. The steps shown here are safe and will work on any Apache system.
Note: You will be editing a vital file that requires exact syntax; failure to copy the code correctly will result in a 500 Internal Server Error, denying your Web site's visitors access to your content.
Methods Of Implementation
As mentioned, there are two ways of password protecting your pages--the first is Allow/Deny. This method lets you choose who has permission to access your page by reading their REMOTE ADDRESS (such as .user.com), and who doesn't by using the deny attribute. This method is especially useful if you run an ISP and offer a service for your current customers only: you can allow everyone from your_isp.com, and nobody else will be able to use the service you provide.
The problem with the Allow/Deny method is that it's completely useless if you're protecting pages that are for...
- paying members
- staff only
- or contain valuable information
If a user has root on the server they are running from (that is, they own it), they can run a program called spoof that will change their REMOTE ADDRESS to read anything they like. This is an obvious security flaw.
htpasswd is a great tool and seems to be as flawless as they come. htpasswd makes your HTTP client prompt the user with a dialog box asking for a username and a password to confirm that they do have access. Given the correct information, the page loads as it should; if not, the user sees an Authentication Failed message.
Setting up Allow/Deny
First of all, start a Telnet session to your server. If you don't have a shell (the server will kick you out if you try to access it), you can use FTP to send the file. First, we'll use the shell method.
Start by changing directory to the path you want to protect, for example /home/servername/html/members/. Next, type vi .htaccess--this opens a clear screen with a flashing cursor; to start typing, hit "INSERT" (or, if you're on Windows 9x, hit your "I" key). Then type the following exactly as shown below. Any error in typing this will result in a server error.
deny from all
allow from .host.com
After the above is typed, hit your ESC key and type :x. Now you have officially restricted access. Simple as that.
Note: In the example, .host.com should be replaced with the host you want to allow.
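To see how Apache evaluates those two lines, here is an added Python model (not code from the article) of mod_access's matching rules. It adds the Order line Apache assumes when none is written (Deny,Allow is the default), and models the fact that a host-name rule like .host.com can only match a client whose reverse DNS name has been verified; the client addresses and names below are constructed.

```python
import ipaddress

# Constructed .htaccess: the two lines from the article plus the Order line
# Apache applies when none is written (Order Deny,Allow is the default).
HTACCESS = """\
order deny,allow
deny from all
allow from .host.com
"""


def parse_htaccess(text):
    """Return (order, [(verb, pattern), ...]) from order/allow/deny lines."""
    order, rules = "deny,allow", []
    for raw in text.splitlines():
        parts = raw.strip().lower().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "order" and len(parts) > 1:
            order = parts[1]
        elif parts[0] in ("allow", "deny") and parts[1:2] == ["from"]:
            rules.extend((parts[0], p) for p in parts[2:])
    return order, rules


def matches(pattern, ip, hostname):
    """Test one allow/deny argument against a client the way mod_access does."""
    if pattern == "all":
        return True
    if "/" in pattern:  # a.b.c.d/n or a.b.c.d/mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern[0].isdigit():  # full address, or partial such as 10.1. (means 10.1.x.x)
        return (ip + ".").startswith(pattern.rstrip(".") + ".")
    if hostname is None:  # no double-reverse-verified name: host rules never match
        return False
    host = hostname.lower()
    if host == pattern:
        return True
    # Suffix match on a whole label: ".host.com" matches www.host.com, not nothost.com
    return host.endswith(pattern) and (pattern[0] == "." or host[-len(pattern) - 1] == ".")


def access_allowed(htaccess, ip, hostname=None):
    """Decide access for a client (address, verified reverse name or None)."""
    order, rules = parse_htaccess(htaccess)
    denied = any(matches(p, ip, hostname) for v, p in rules if v == "deny")
    allowed = any(matches(p, ip, hostname) for v, p in rules if v == "allow")
    if order == "deny,allow":  # default allow; an allow match overrides a deny
        return allowed or not denied
    return allowed and not denied  # allow,deny and mutual-failure: default deny
```

Because the file denies everyone and then allows only .host.com, a client whose address has no verified reverse name is refused even if it really sits inside host.com, which is worth remembering when testing from a dial-up or NAT address.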