Apache basic authentication

Apache basic authentication is a general mechanism to password-protect certain webpages, without installing anything extra on top of Apache web server. Apache comes already installed on OSX computers, and can easily be installed on Linux computers. Windows users can also probably use this tutorial as well, but that has not been tested by the author(s). As password-protection of a server is not a problem specific to bioinformatics, there are numerous websites detailing how to set it up. Here, a protocol specific to setting up a wwwblast server is provided, assuming there may be multiple wwwblast installations on the one server.

=Tell Apache to use password-protection= As an administrator, add the following lines to your Apache config of the directory you want to password-protect. The apache config file might be for instance, /etc/httpd/httpd.conf or /etc/apache2/conf.d/blast.conf AuthUserFile /etc/apache_users AuthName "myblastname welcome message" AuthGroupFile /etc/apache_groups AuthType Basic Require group myblastname So then the whole directory entry might look like this, for example:  Options FollowSymLinks +ExecCGI +Indexes AuthUserFile /etc/apache_users AuthName "myblastname welcome message" AuthGroupFile /etc/apache_groups AuthType Basic Require group myblastname  Apache needs to be restarted for this to take effect. The easiest way to do this is to restart the computer. If that is not possible, it may be possible to use apache2ctl. As an adminstrator, $ apache2ctl graceful

After restarting the webserver, going to your webpage e.g. http://localhost/~ben/blast/blast.html should now require a password. However, you won't be able to login just yet.

=Specify the passwords themselves= The first time a password is specified, the file that stores the passwords needs to be created. The passwords are encrypted in this file. Use the -c flag to create the file. As an administrator, $ htpasswd -c /etc/apache_users New password: Re-type new password: Adding password for user replacing with the login name of the first user. It is normal that nothing appears to happen when you type / copy the password in (unlike what happens when you login to your computer and stars or dots appear).

As usual with passwords, it is most likely best to specify a strong password. There are many websites that will generate strong passwords randomly, for instance the first google hit for "password generator".

After this users file has been created, the -c flag can be omitted: $ htpasswd /etc/apache_users New password: Re-type new password: Adding password for user After this step is complete there should be a new file /etc/apache_users with username and encrypted passwords in it, for instance myfirstusername:X/ZYo/PJfXMIw mysecondusername:ndAEVeLPRWcfc

=Add users to groups= Above, in the apache configuration file, these lines were specified: AuthGroupFile /etc/apache_groups Require group myblastname was specified. This means that only people in the group "myblastname" will be able to get through the password protection. To specify who is in which group, create a new file in a text editor, use the template below, and save it as "/etc/apache_groups": myblastname: mysecondusername myfirstusername After this step is complete, you should be able to login to your blast webpage.

=Checking= When configuring Apache, it is easy to lose track of whether you are logged into particular servers. Therefore, it is best to start a new browser session and go from start to finish. Open up a browser you don't usually use (e.g. if you use Safari usually, then open up Firefox). Go to your server's webpage and make sure that:
 * 1) It asks you for a password. If it doesn't then your server isn't password-protected.
 * 2) You can actually login using the username/password that you expect.

=Acknowledgements= Creation of this wiki page was funded by Dan Jackson's group at the University of Göttingen.