Using Apache mod_auth_form

Protecting an area of a web site with Apache httpd basic authentication is very simple, but you have no control over the login alert window displayed by the browser. When we saw at work that, since version 2.3, Apache has included a module that lets you use an HTML form instead of the ugly alert, we decided to upgrade to the latest version and give it a try.

I compiled Apache 2.4.2 on CentOS 6.2 32 bit. I won’t detail the installation process here; if you need help, just follow this tutorial.

The following instructions are based on the mod_auth_form documentation page and the few tutorials I found online.

First of all, create a test folder in the web server root and put a test page inside it:

cd /usr/local/apache/www/
mkdir testfolder
echo 'It Works' > ./testfolder/index.html
chmod -R 755 testfolder/

Then create a login page in the web server root that will be used to authenticate users:

<html>
	<head><title>Login page</title></head>
	<body>
		<form method="POST" action="">
			User: <input type="text" name="httpd_username" value="" />
			Pass: <input type="password" name="httpd_password" value="" />
			<input type="submit" name="login" value="Login" />
		</form>
	</body>
</html>

Note that because the action is left empty, the user is redirected to the previously requested resource after a successful login.

Now edit the main Apache configuration file to enable the required modules:

LoadModule auth_form_module modules/
LoadModule session_module modules/
LoadModule request_module modules/
LoadModule session_cookie_module modules/

and then add a Directory directive to protect the folder:

<Directory "/usr/local/apache/www/testfolder">
    AuthFormProvider file
    AuthType form
    AuthName "Reserved Area"
    Session On
    SessionCookieName session path=/
    require valid-user

    # This is the login page
    ErrorDocument 401 /login.html

    # This is the file containing users login data
    AuthUserFile /usr/local/apache/auth/.htpasswd
</Directory>


Now add a user to the .htpasswd file and reload the web server configuration before trying to navigate to the protected folder.

htpasswd -c /usr/local/apache/auth/.htpasswd myusername
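
A hardened variant of the Directory block above, as an added example that is not part of the original post: it encrypts the session cookie and restricts how the browser handles it. It assumes the site is served over HTTPS and that httpd was built with mod_session_crypto (which needs crypto support in APR-util); the module file name, the passphrase placeholder and the 30-minute lifetime are assumptions to adapt.

```apache
# Added example: same protected folder, with session hardening.
# Assumption: default module file name for a stock httpd 2.4 build.
LoadModule session_crypto_module modules/mod_session_crypto.so

<Directory "/usr/local/apache/www/testfolder">
    AuthFormProvider file
    AuthType form
    AuthName "Reserved Area"
    AuthUserFile /usr/local/apache/auth/.htpasswd
    Require valid-user

    # This is the login page
    ErrorDocument 401 /login.html

    Session On

    # mod_auth_form keeps the username and password in the session, and
    # mod_session_cookie stores that session in the browser cookie.
    # HttpOnly hides the cookie from page scripts; Secure keeps it off
    # plain-HTTP connections (requires the site to be served over TLS).
    SessionCookieName session path=/;HttpOnly;Secure

    # Encrypt the cookie contents so the stored credentials are not
    # readable on the client. Placeholder value: generate a long random
    # passphrase and keep the configuration file readable by root only.
    SessionCryptoPassphrase REPLACE_WITH_LONG_RANDOM_PASSPHRASE

    # Expire the session after 30 minutes (constructed value).
    SessionMaxAge 1800
</Directory>
```

Run `apachectl configtest` before reloading; it fails at this point if mod_session_crypto or its crypto driver is missing from the build.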