[Practice 5] Password Protect for the website in EC2 — THE END
Co-author: Eileen Chu
For the purpose of strengthening the security of the website, we can use .htaccess for password protection. All visitors will see a pop-up window prompting you to enter your username and password, and those who don’t know this information will be denied access to the website.
To set up .htaccess for a website in EC2, login to your EC2 then follow these steps:
- Create a .htpasswd file in a new directory
- Create a .htaccess file in the directory ‘/var/www/html’
- Configure the file httpd.conf in the EC2
Create a .htpasswd file in a new directory
Firstly, we are going to create a new file named .htpasswd. The .htpasswd file aims to store the .htaccess username and password. In order to prevent unknown users from easily obtaining the password authentication of the website, we need to create a new, inaccessible directory to save the .htpasswd file, and it must not under the directory ‘/var/www/html’.
In this case, we named the new directory ‘private’ under the ‘/var/www’ to save the .htpasswd file:
cd /var/www
mkdir private
cd private
vim .htpasswdUse a Password Encryption Program to create your passwords. Input your desire username and password, it will generate a crypt password line:
<username>:<encrypted password>
alpey:fJEcziXdnDx2I
Copy this line into your .htpasswd file then save the file.
Create a .htaccess file in the directory ‘/var/www/html’
The .htaccess file should be saved in the directory you want to protect, which means your directory ‘html’ in EC2.
cd /var/www/html
vim .htaccessThe .htaccess file content will include
- AuthUserFile: the route for your password file
- AuthName: can be changed into your own preference
- AuthType as Basic
- Require as valid-user, then save the file
When a user visits the website, the server will activate the .htpasswd file and ask for entering username and password. The system will validate the input by the crypt password line tracking through the AuthUserFile direction.
Configure the file httpd.conf in the EC2
But it won’t work for EC2 yet, you need to edit the related setting in the ‘httpd.config’ file.
cd /etc/httpd/conf/
vim /etc/httpd/conf/httpd.confFind the part which mentions <Directory ‘/var/www/html’> and set AllowOverride None into AllowOverride All. Save the file after changing.
Restart the http server to update the change:
service httpd restartIt should show ‘OK’ after restarting:
Once the server displays ‘OK’, the password protection setting via .htaccess is done.
When you open the browser and visit your website, a password protected window will pop up on the website. Enter the correct password for authentication to access the website.
Issue
In the last step, if it ‘FAILED’ after restarting:
It may be because other services are using the same port.
Use the command below to find out which service is using TCP port number 80 (the default webserver port):
sudo netstat -ltnp | grep ':80'It would show the result as below:
Note:
0 :: :80 — Source IP: Port
11515/httpd — PID/Process name
Kill all connections that we are not using:
sudo kill -9 tcp *:httpd
sudo killall apache
sudo killall httpd
ps aux | grep apacheThe process would look like below:
After killing all apache and httpd, the command netstat -tulpn | grep :80 will show nothing, which means there is no service using port 80. You can also check the httpd status by using the command:
service httpd statusThe status shows httpd dead but pid file exists, then you can start the httpd server again:
service httpd startAfter these steps, you will see the server shows ‘OK’. Congratulations on the successful troubleshooting. Now you can visit your website and see the password protection window shown on the website.
We hope that after these exercises, you will boost self-confidence in your abilities and understanding of these concepts. Wishing you all the best in your future endeavors.
Support my writing by becoming a Medium member today and getting access to an unlimited number of articles.
