Monday, 13 April 2015

HTTP Authentication (httpd) in RHEL7/CentOS7

Basic Authentication:

In this tutorial, we will limit access to websites configured on the Apache server to authorized users with passwords. The htpasswd command is used to create usernames and passwords for Apache. Users in the Apache password database do not need to have a regular Linux account.

Consider the following scenario:

HTTP Server IP Address:
Host Name:

Server Configuration:

1)  Install httpd
[batul@server2 ~]$ sudo yum -y install httpd

2) Edit the file '/etc/httpd/conf/httpd.conf'.


3) Create the virtual host config file
     3.1) Copy the sample file.
[batul@server2 ~]$ sudo cp /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d

     3.2) Edit the file '/etc/httpd/conf.d/httpd-vhosts.conf'. Comment out all the lines and add the following lines.
             <VirtualHost *:80>
                 DocumentRoot "/var/mysite"
             </VirtualHost>

             <Directory "/var/mysite">
                   AuthType Basic
                   AuthName "Private Access"
                   AuthUserFile /etc/httpd/passwords
                   Require valid-user
             </Directory>

4) Create the htpasswd password file and add 3 users: 'batul', 'ali' and 'taher'.
[batul@server2 ~]$ sudo htpasswd  -c /etc/httpd/passwords batul

[batul@server2 ~]$ sudo htpasswd   /etc/httpd/passwords ali

[batul@server2 ~]$ sudo htpasswd   /etc/httpd/passwords taher

The -c switch creates the specified file (overwriting it if it already exists) and adds the first user, batul. You are prompted to enter a password for batul. To add more users to the existing file, leave out the -c switch.

5) Make directory for virtual host and change SELinux file label.
[batul@server2 ~]$ sudo mkdir -p /var/mysite
[batul@server2 ~]$ sudo chcon -R -t httpd_sys_content_t /var/mysite

6) Create the file '/var/mysite/index.html' with the following content:
              <h1> Hello World  </h1>

7) Check the config files for syntax errors and dump the parsed virtual hosts
[batul@server2 ~]$ sudo httpd -t
[batul@server2 ~]$ sudo httpd -D DUMP_VHOSTS

8) Open HTTP (port 80) in the firewall
[batul@server2 ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
[batul@server2 ~]$ sudo firewall-cmd --reload

9)  Start httpd
[batul@server2 ~]$ sudo systemctl start httpd

10) Enable httpd on boot
[batul@server2 ~]$ sudo systemctl enable httpd

Client Configuration:

1) Make an entry in '/etc/hosts' if no DNS server is configured


2) Browse to the web site in the Firefox web browser. Users 'batul', 'ali' and 'taher' can access the website after entering their passwords.

Configure Group Access

To restrict access to a group of users, perform the following steps on the web server:

1) Create the group file '/etc/httpd/testgroup'. 'ali' and 'taher' are members of group 'employees'; 'batul' is a member of group 'managers'.

[batul@server2 ~]$ sudoedit /etc/httpd/testgroup

employees: ali taher
managers: batul

2) Edit the <Directory> container in '/etc/httpd/conf.d/httpd-vhosts.conf' as shown below:
           <Directory "/var/mysite">
                  AuthType Basic
                  AuthName "Private Access"
                  AuthUserFile /etc/httpd/passwords
                  # a relative path here would be resolved against ServerRoot (/etc/httpd)
                  AuthGroupFile /etc/httpd/testgroup
                  Require group employees
           </Directory>

3)  Restart httpd
[batul@server2 ~]$ sudo systemctl restart httpd

Since access is restricted to members of group 'employees', only ali and taher can access the website. 'batul' cannot access the website.
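As an added example that is not part of the original post, the following Python models the decision httpd makes with the directives used in both sections above: it decodes the Basic Authorization header a browser sends, verifies the user against an htpasswd-style file, and then evaluates `Require valid-user` or `Require group ...` against the group file from step 1. It assumes the {SHA} hash format that `htpasswd -s` writes (the tutorial's commands use the default MD5 format instead); the usernames are the tutorial's, the passwords and file contents are constructed.

```python
import base64
import hashlib
import hmac

def sha_entry(password):
    """Hash in the form `htpasswd -s` writes: {SHA} + base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed sample files (the passwords are assumptions made for this example):
# an AuthUserFile with the tutorial's three users and the AuthGroupFile from step 1.
PASSWORDS = "\n".join(f"{u}:{sha_entry(p)}" for u, p in
                      [("batul", "m4nager!"), ("ali", "emp-one"), ("taher", "emp-two")])
GROUPS = "employees: ali taher\nmanagers: batul\n"

def load_users(text):
    """AuthUserFile -> {user: hash}."""
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def load_groups(text):
    """AuthGroupFile -> {group: set(members)}; members are space separated."""
    return {g.strip(): set(m.split()) for g, m in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def check_password(users, user, password):
    """Verify a {SHA} entry; compare in constant time to avoid a timing side channel."""
    stored = users.get(user, "")
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_entry(password))

def authorize(header, require, users, groups):
    """Status httpd sends for an Authorization header under the given Require line:
    401 when credentials are missing or wrong, 403 when the user is valid but
    not allowed by Require, 200 when access is granted."""
    if not header or not header.startswith("Basic "):
        return 401
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    if not check_password(users, user, password):
        return 401
    words = require.split()
    if words == ["valid-user"]:
        return 200
    if words[:1] == ["group"] and any(user in groups.get(g, ()) for g in words[1:]):
        return 200
    return 403

def basic_header(user, password):
    """Build the header a browser sends after the user fills in the login dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

With `Require group employees`, batul authenticates successfully but is refused with 403, which is the behaviour described above; a wrong password or a missing header yields 401 and a fresh login prompt.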
