Password Protection

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Password Protection

Postby regriff » 25. November 2004 02:22

Hello community. I'm new here to ApaceFriends. I want to block access to my locahost from the internet so that if someone goes to my address, http://<ip address>, they will be instructed to enter a password. How do I go about setting this up?

Thank you in advance for all your help!
regriff
 
Posts: 9
Joined: 25. November 2004 02:08
Location: Maryland, USA

Postby MacDaddy » 25. November 2004 02:34

go into the folder called "forbidden" there are 2 files in there one called ".htaccess" and one called ".htpasswd" put .htaccess in your root htdocs folder and add usernames and passwords to the .htpasswd eg. open the .htpasswd file with word pad or text editor and put YourName:YourPassWord so when you open it it looks like
Code: Select all
Admin:hello
user:welcome

oh and allso move the htpasswd file out of your forbidden folder to somewhere safer like C:/
so it cant get accessed at all edit htaccess and put this in
Code: Select all
AuthType Basic
AuthName "FORBIDDEN AREA"
require valid-user
AuthUserfile "C:/.htpasswd"

so now the htaccess file will look for the .htpasswd file in C:/ not the file called forbidden in htdocs its just for safty ;)
User avatar
MacDaddy
 
Posts: 38
Joined: 11. November 2004 14:26
Location: Australia

You 'da man

Postby regriff » 26. November 2004 04:20

Thank you so much!! This one of the first times I've posted on a forum and actually got an answer that fast! You rock, thank you so much!

One last question: Will this completely protect me from users gaining access to my computer via http:<ip address>? Like, that wouldn't be able to gain access to my hard drive? Thanks again for your help!
regriff
 
Posts: 9
Joined: 25. November 2004 02:08
Location: Maryland, USA

Re: You 'da man

Postby MacDaddy » 26. November 2004 05:32

regriff wrote:Thank you so much!! This one of the first times I've posted on a forum and actually got an answer that fast! You rock, thank you so much!

One last question: Will this completely protect me from users gaining access to my computer via http:<ip address>? Like, that wouldn't be able to gain access to my hard drive? Thanks again for your help!


all users are locked to your htdocs folder by default but im sure a good hacker could hack into your system no matter what you do but why would thay want to ;) and if you have .htaccess in the root of your htdocs you must enter a username and password to enter the site if thay dont thay will not be able to enter try it your self and you will see. enter the wrong usermane or password

oh and also .htaccess and .htpasswd are invisable to people browsing your website Apache hides them for you but its a good idea to put the .htpasswd file somewhere that noone can get to it thats whay i told you to put it in C:\ ;)
User avatar
MacDaddy
 
Posts: 38
Joined: 11. November 2004 14:26
Location: Australia

Postby Dave_L » 26. November 2004 08:13

For additional protection:

1) You can name the password file something other than .htpasswd.

2) The passwords can be encrypted using the htpasswd command. And MD5 encryption is better than the default "crypt" encryption.
User avatar
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43

Postby regriff » 26. November 2004 21:13

Ok, I think I get it. Could you explain this encryption process for me? I'm clueless as to what you are talking about.
regriff
 
Posts: 9
Joined: 25. November 2004 02:08
Location: Maryland, USA

Postby Dave_L » 26. November 2004 21:29

Open a command prompt window in the subdirectory /apache/bin under your XAMPP install directory, then enter the command "htpasswd". That will display usage information for that command:

C:\Program Files\xampp\apache\bin>htpasswd

Usage:

htpasswd [-cmdpsD] passwordfile username
htpasswd -b[cmdpsD] passwordfile username password

htpasswd -n[mdps] username
htpasswd -nb[mdps] username password

-c Create a new file.
-n Don't update file; display results on stdout.
-m Force MD5 encryption of the password (default).
-d Force CRYPT encryption of the password.
-p Do not encrypt the password (plaintext).
-s Force SHA encryption of the password.
-b Use the password from the command line rather than prompting for it.
-D Delete the specified user.

On Windows, NetWare and TPF systems the '-m' flag is used by default.
On all other systems, the '-p' flag will probably not work.


For example, "htpasswd -nm reginald" will prompt you for a password, and then display the line to place in the .htpasswd file for the user "reginald", using MD5 encryption for the password. If you use the "s" option instead of the "m" option, you'll get SHA encryption, which is even stronger than MD5.

You don't have to tell Apache whether the passwords in .htpasswd are encrypted, or what kind of encryption they use. Apache figures it out automatically.

Of course if someone manages to get direct access to your file system, bypassing Apache, and can read any files there, this kind of protection won't accomplish anything.
User avatar
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 61 guests