A general description of how to password protect a website
Protecting content with basic authentication
1. Create a password file
2. Set the configuration to use this password file
3. Optionally, create a group file
To create the file, type:
htpasswd -c /usr/local/apache/passwd/passwords username
You can create the file in any directory, but it is advised to put it in the website root or the Apache working directory. htpasswd will ask you for the password, and then ask you to type it again to confirm it:
# htpasswd -c /usr/local/apache/passwd/passwords kin
New password: mypassword
Re-type new password: mypassword
Adding password for user kin
The -c flag is used only when you are creating a new file. After the first time, omit the -c flag when adding new users to an already existing password file, otherwise the file is overwritten:
htpasswd /usr/local/apache/passwd/passwords testuser
Set the password file's owner and group to root and apache and make it writable only by root, so Apache can read it but cannot modify it:
chown root:apache /usr/local/apache/passwd/passwords
chmod 640 /usr/local/apache/passwd/passwords
Set the configuration to use this password file
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require user kin testuser
The phrase "By Invitation Only" will be displayed in the password pop-up box, where the user will have to type their credentials. If you need all the users in the password file to be able to log in, use "Require valid-user" in place of the last line.
Optionally, create a group file
Just create the group file and add the group name and its users to it. A group name appears first on a line, followed by a colon, and then a list of the members of the group, separated by spaces. For example:
authors: kin testuser1 testuser2
The configuration then looks like the following:
AuthType Basic
AuthName "Apache Admin Guide Authors"
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group authors
Don't use basic authentication for anything that requires real security; it is only secure when the connection goes over SSL, because the browser sends the credentials in clear text with every request.
Protecting content with digest authentication is much the same as basic authentication; the difference is that the password is hashed with MD5 during the transfer instead of being sent in clear. You just need to change the following:
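To make the Require rules above concrete, here is an added example (not part of the original page and not Apache's code) that parses a password file and a group file in the formats shown and applies a single Require line. The password entries are constructed inside the block in the {SHA} scheme that "htpasswd -s" writes (user:{SHA}base64(sha1(password))); the users and passwords are made up for the example. Other htpasswd hash schemes (apr1, bcrypt, crypt) are not handled here, and the two-step logic is the one worth noticing: a member listed in the group file still fails if it has no entry in the password file.

```python
import base64
import hashlib
import hmac


def sha_entry(user, password):
    """Build one htpasswd line in the {SHA} scheme used by `htpasswd -s`."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


# Constructed sample files (made-up users and passwords), in the formats
# of the password file written by htpasswd and the group file shown above.
PASSWD_FILE = "\n".join([sha_entry("kin", "mypassword"),
                         sha_entry("testuser", "s3cret")]) + "\n"
GROUP_FILE = "authors: kin testuser1 testuser2\n"


def parse_passwd(text):
    """Map user -> stored hash, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        users[user] = hashed
    return users


def parse_groups(text):
    """Map group name -> set of members ('name: m1 m2 m3' per line)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def check_password(users, user, password):
    """True if the user exists and the password matches its {SHA} entry."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    # Constant-time comparison of the base64 digests.
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def authorize(users, groups, user, password, require):
    """Authenticate, then apply one Require line of the forms used on this
    page: 'valid-user', 'user a b ...', or 'group g1 g2 ...'."""
    if not check_password(users, user, password):
        return False
    kind, *args = require.split()
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in args
    if kind == "group":
        return any(user in groups.get(g, set()) for g in args)
    raise ValueError(f"unsupported Require form: {require}")


if __name__ == "__main__":
    users = parse_passwd(PASSWD_FILE)
    groups = parse_groups(GROUP_FILE)
    for u, p, r in [("kin", "mypassword", "group authors"),
                    ("testuser", "s3cret", "group authors"),
                    ("testuser1", "anything", "group authors"),
                    ("testuser", "s3cret", "valid-user")]:
        print(f"{u!r} with Require {r!r}: {authorize(users, groups, u, p, r)}")
```

With "Require group authors", kin is granted (in both files), testuser is refused (authenticates, but is not in the group), and testuser1 is refused (in the group, but has no password entry); with "Require valid-user" any user in the password file is granted.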
To create a new digest password file, type:
htdigest -c /usr/local/apache/passwd/digest realm username
htdigest will ask you for the desired password, and then ask you to type it again to confirm it.
Specify "AuthType Digest" in the configuration section.
Allow and Deny
The Allow and Deny directives let you allow and deny access based on the host name, or host address, of the machine requesting a document.
The usage of these directives is:
allow from address
deny from 11.22.33.44
Satisfy
Satisfy controls how the host-based Allow/Deny restrictions are combined with the Require authentication, and takes one of two arguments – all or any. any: if the client satisfies either control (it comes from an allowed host, or it authenticates successfully), it is granted entrance. all (the default): the client must satisfy both the host restriction and the authentication.
A sample configuration:
<Directory /usr/local/apache/htdocs/sekrit>
AuthType Basic
AuthName intranet
AuthUserFile /www/passwd/users
AuthGroupFile /www/passwd/groups
Require group customers
Order allow,deny
Allow from internal.com
Satisfy any
</Directory>
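The sample configuration above combines a host rule and a user rule with "Satisfy any". As an added example (not part of the original page and not Apache's own implementation), the following block evaluates that decision the way the directives describe it: Order allow,deny means deny by default and let Deny override Allow, a "from" argument may be all, a (partial) domain name matched on whole components, an IP address or a CIDR network, and Satisfy decides whether the host test and the authentication test are ANDed or ORed. Partial dotted IP prefixes such as "10.1" are not handled, and the client host names and addresses used in the checks are made up.

```python
from ipaddress import ip_address, ip_network


def host_matches(client_ip, client_name, pattern):
    """True if the client matches one 'Allow from' / 'Deny from' argument."""
    if pattern == "all":
        return True
    # A single IP address ('11.22.33.44') or a CIDR network ('10.0.0.0/8').
    try:
        return ip_address(client_ip) in ip_network(pattern, strict=False)
    except ValueError:
        pass
    # A (partial) domain name: only complete components match, so
    # 'internal.com' matches 'host.internal.com' but not 'evilinternal.com'.
    if not client_name:
        return False
    name, pat = client_name.lower().rstrip("."), pattern.lower()
    if pat.startswith("."):
        return name.endswith(pat)
    return name == pat or name.endswith("." + pat)


def host_allowed(client_ip, client_name, order, allow, deny):
    """Evaluate Order/Allow/Deny for one client (Apache 2.2 style directives;
    in 2.4 they come from mod_access_compat)."""
    allowed = any(host_matches(client_ip, client_name, p) for p in allow)
    denied = any(host_matches(client_ip, client_name, p) for p in deny)
    if order == "allow,deny":
        return allowed and not denied      # default deny, Deny wins
    if order == "deny,allow":
        return allowed or not denied       # default allow, Allow wins
    raise ValueError(f"unsupported Order: {order}")


def access_granted(host_ok, auth_ok, satisfy):
    """Combine the host test with the Require (authentication) test."""
    if satisfy == "all":
        return host_ok and auth_ok
    if satisfy == "any":
        return host_ok or auth_ok
    raise ValueError(f"unsupported Satisfy: {satisfy}")


def decide(client_ip, client_name, auth_ok, satisfy="any",
           order="allow,deny", allow=("internal.com",), deny=()):
    """Decision for the sample <Directory> block: auth_ok is whether the
    client already passed 'Require group customers'."""
    host_ok = host_allowed(client_ip, client_name, order, allow, deny)
    return access_granted(host_ok, auth_ok, satisfy)


if __name__ == "__main__":
    # Constructed clients: an internal workstation and an outside address.
    print(decide("192.0.2.10", "pc1.internal.com", auth_ok=False))   # True
    print(decide("198.51.100.7", "pc1.example.net", auth_ok=False))  # False
    print(decide("198.51.100.7", "pc1.example.net", auth_ok=True))   # True
    print(decide("198.51.100.7", "pc1.example.net", auth_ok=True,
                 satisfy="all"))                                     # False
```

With "Satisfy any" an internal client gets in without a password prompt and an outside client gets in only by authenticating as a customer; changing it to "Satisfy all" would require the outside client to do both and so lock it out entirely.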