When it comes to configuring Apache, my idea of what's tricky to do is a little unusual. I tend to have no problems setting up complex rewrite rules, yet if you were to ask me to lock down a directory with a username and password, I'd be sent scrambling to Google. I can never remember the right sequence of directives to make Apace require authentication.
But there's hope - I've found the .htaccess password generator. You put in the users you want to have, their passwords and a detail or two about your web server setup and it spits out exactly the files you need.
Here's a glimpse of the UI:
It's a thing of beauty, and will save me from trying to make sense of the official Apache docs.
Are you sure you're ok with sending user name/password combinations for business servers to an outside server you don't know that you can trust?
ReplyDeleteThey have your IP address, so if they're malicious (or someone hacks them and installs a request logger!) they are inside your protected directories in a jiffy.
Also, this site is served over http, meaning the username/password is submitted in cleartext. (of course, basic HTTP auth is usually plaintext too, so that may not matter too much)
Good point / warning Peter!
ReplyDeleteI was mostly thinking this was useful from an example perspective. That is, you'd get, a .htaccess file in just the right format.
Also, I'd be comfortable for using this to protect demos and other stuff that isn't critical. If a hacker wants to break in to see the latest mockup of my website, go for it.
I certainly wouldn't use it to lock down a server, or anything involving real access to the box.