Introduction
As a web administrator, you may find it valuable to restrict some parts of a website from visitors, whether temporarily or permanently. While web applications may provide their own authentication and authorization methods, you can also rely on the web server itself to restrict access if those are inadequate or unavailable.
This tutorial will walk you through password-protecting assets on an Apache web server running on Ubuntu 18.04 in order to provide your server with additional security. The mechanism used is HTTP Basic authentication, which sends the username and password Base64-encoded rather than encrypted, so the protected site must be served over HTTPS; that is why a TLS certificate is listed among the prerequisites.
Prerequisites
In order to complete this tutorial, you will need access to an Ubuntu 18.04 server.
In addition, you will need the following setup before you can begin:
- A sudo user on your server: You can create a user with sudo privileges by following the Ubuntu 18.04 initial server setup guide.
- An Apache2 web server: If you haven't already set one up, the How To Install the Apache Web Server on Ubuntu 18.04 tutorial can guide you.
- A site secured with SSL: How you set this up depends on whether you have a domain name for your site.
  - If you have a domain name, you can secure your site with Let's Encrypt, which provides free, trusted certificates. Follow the Let's Encrypt guide for Apache to set this up.
  - If you do not have a domain and you are just using this configuration for testing or personal use, you can use a self-signed certificate instead. This provides the same type of encryption, but without the domain validation. Follow the self-signed SSL guide for Apache to get set up.
When all of these are in place, log into your server as the sudo user and continue below.
Step 1 — Installing the Apache Utilities Package
Let's begin by updating the server and installing a package that we'll need. In order to complete this tutorial, we will be using a utility called htpasswd, part of the apache2-utils package, to create the file and manage the usernames and passwords needed to access restricted content.
sudo apt update
sudo apt install apache2-utils
With this installed, we now have access to the htpasswd command.
Step 2 — Creating the Password File
The htpasswd command will allow us to create a password file that Apache can use to authenticate users. We will create a hidden file for this purpose called .htpasswd within our /etc/apache2 configuration directory. Keeping it there, outside the document root, means the web server cannot be tricked into serving it.
The first time we use this utility, we need to add the -c option to create the specified passwdfile. We specify a username (sammy in this example) at the end of the command to create a new entry within the file:
sudo htpasswd -c /etc/apache2/.htpasswd sammy
You will be asked to supply and confirm a password for the user.
Leave out the -c argument for any additional users you wish to add so you don't overwrite the file:
sudo htpasswd /etc/apache2/.htpasswd another_user
If we view the contents of the file, we can see the username and the hashed password for each record:
cat /etc/apache2/.htpasswd
Output
sammy:$apr1$.0CAabqX$rb8lueIORA/p8UzGPYtGs/
another_user:$apr1$fqH7UG8a$SrUxurp/Atfq6j7GL/VEC1
The passwords are not encrypted but hashed. The $apr1$ prefix marks htpasswd's default, an Apache-specific salted MD5 construction with only 1000 rounds, which is fast to brute-force offline should the file ever leak. On Apache 2.4 you can pass -B to htpasswd to store bcrypt hashes instead, and -C to raise the bcrypt cost above the default of 5. Note also that htpasswd -c creates the file readable by every local user (mode 644 under the usual umask); changing it to owner root, group www-data, mode 640 keeps other accounts from reading the hashes while still letting Apache do so.
We now have our users and passwords in a format that Apache can read.
Step 3 — Configuring Apache Password Authentication
In this step, we need to configure Apache to check this file before serving our protected content. We can do this in one of two ways: either directly in a site's virtual host file, or by placing .htaccess files in the directories that need restriction. It's generally best to use the virtual host file, but if you need to allow non-root users to manage their own access restrictions, check the restrictions into version control alongside the website, or already have a web application using .htaccess files for other purposes, consider the second option.
Choose the option that best suits your needs.
Option 1: Configuring Access Control within the Virtual Host Definition (Preferred)
The first option is to edit the Apache configuration and add the password protection to the virtual host file. This will generally give better performance because it avoids the expense of reading distributed configuration files. This option requires access to the configuration, which isn't always available, but when you do have access, it's recommended.
Begin by opening up the virtual host file that you wish to add a restriction to. For our example, we'll be using the default-ssl.conf file that holds the default HTTPS virtual host installed through Ubuntu's apache package; protecting only the plain-HTTP virtual host would expose the Basic credentials on the wire. Open up the file with a command-line text editor such as nano:
sudo nano /etc/apache2/sites-enabled/default-ssl.conf
Inside, with the comments and the SSL directives stripped, the file should look similar to this:
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Authentication is done on a per-directory basis. To set up authentication, you will need to target the directory you wish to restrict with a <Directory ___> block. In our example, we'll restrict the entire document root, but you can modify this listing to only target a specific directory within the web space:
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory "/var/www/html">
    </Directory>
</VirtualHost>
Within this directory block, specify that we are setting up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, make it a requirement that only a valid-user may access this resource, which means anyone who can verify their identity with a password will be allowed in:
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory "/var/www/html">
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
Save and close the file when you are finished. If you are using nano, you can do so by pressing CTRL+X followed by Y then ENTER.
Before restarting the web server, you can check the configuration with the following command:
sudo apache2ctl configtest
If everything checks out and you get Syntax OK as output, you can restart the server to implement your password policy. Since systemctl doesn't display the outcome of all service management commands, we'll use status to be sure the server is running:
sudo systemctl restart apache2
sudo systemctl status apache2
Now, the directory you specified should be password protected.
Option 2: Configuring Access Control with .htaccess Files
Apache can use .htaccess files in order to allow certain configuration items to be set within a content directory. Since Apache has to re-read these files on every request that involves the directory, which can negatively impact performance, Option 1 is preferred, but if you are already using .htaccess files or need to allow non-root users to manage restrictions, .htaccess files make sense.
To enable password protection using .htaccess files, open the main Apache configuration file with a command-line text editor such as nano:
sudo nano /etc/apache2/apache2.conf
Find the <Directory> block for the /var/www directory that holds the document root. Turn on .htaccess processing by changing the AllowOverride directive within that block from None to All:
. . .
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
. . .
If authentication is the only thing you want .htaccess files to control, AllowOverride AuthConfig is the tighter setting: it permits the Auth* and Require directives used below while keeping anyone who can write into the document root from changing Options, rewrite rules, or the other settings that All would allow.
Save and close the file when you are finished. If you are using nano, you can do so by pressing CTRL+X followed by Y then ENTER.
Next, we need to add an .htaccess file to the directory we wish to restrict. In our demonstration, we'll restrict the entire document root (the entire website), which is based at /var/www/html, but you can place this file in any directory where you wish to restrict access:
sudo nano /var/www/html/.htaccess
Within this file, specify that we wish to set up Basic authentication. For the AuthName, choose a realm name that will be displayed to the user when prompting for credentials. Use the AuthUserFile directive to point Apache to the password file we created. Finally, we will require a valid-user to access this resource, which means anyone who can verify their identity with a password will be allowed in:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Save and close the file. Restart the web server so that the AllowOverride change takes effect; the .htaccess file itself is read on every request, so later edits to it need no restart. Use systemctl status to verify the success of the restart:
sudo systemctl restart apache2
sudo systemctl status apache2
The directory you specified should now be password protected. Apache's stock apache2.conf already refuses to serve files whose names begin with .ht, so the .htaccess file itself is not exposed to visitors.
Step 4 — Confirming Password Authentication
To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt showing the realm name you chose.
If you enter the correct credentials, you will be allowed to access the content. If you enter the wrong credentials or hit "Cancel", you will see the "Unauthorized" error page (HTTP status 401).
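The following is an added example, not code from the tutorial or from Apache. It makes concrete what Step 2 and Step 4 describe: the $apr1$ and {SHA} hash formats that htpasswd writes, and the check that mod_auth_basic performs under Require valid-user, from the 401 challenge through decoding the Authorization header to comparing the hash. The htpasswd content is constructed: the two $apr1$ lines are the tutorial's own output (their passwords are not known here), and the demo entry is an assumed {SHA} hash of the password "password". Standard library only; the function names are this example's own.

```python
"""Added example: htpasswd hash formats and the Basic-auth check Apache
performs (standard library only; sample file constructed, see below)."""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample: the $apr1$ lines are the tutorial's output, the
# "demo" entry is an assumed `htpasswd -s` hash of the password "password".
SAMPLE_HTPASSWD = """\
sammy:$apr1$.0CAabqX$rb8lueIORA/p8UzGPYtGs/
another_user:$apr1$fqH7UG8a$SrUxurp/Atfq6j7GL/VEC1
demo:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64 used by md5crypt (not RFC 4648 base64)."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of md5crypt, as written by `htpasswd -m`."""
    pw, salt_b, magic = password.encode(), salt[:8].encode(), b"$apr1$"
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for length in range(len(pw), 0, -16):      # fold in alt, len(pw) bytes
        ctx.update(alt[: min(16, length)])
    i = len(pw)
    while i:                                    # bit-dependent padding
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                       # only 1000 MD5 rounds: cheap
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    out = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    return f"$apr1${salt_b.decode()}${out}{_to64(final[11], 2)}"


def verify_password(stored: str, candidate: str) -> bool:
    """Compare a candidate against one hash field, in constant time."""
    if stored.startswith("$apr1$"):
        parts = stored.split("$", 3)
        if len(parts) != 4:
            return False
        computed = apr1_hash(candidate, parts[2])
    elif stored.startswith("{SHA}"):            # `htpasswd -s`: unsalted SHA-1
        digest = hashlib.sha1(candidate.encode()).digest()
        computed = "{SHA}" + base64.b64encode(digest).decode()
    else:
        return False  # bcrypt ($2y$) and crypt(3) entries are out of scope here
    return hmac.compare_digest(computed, stored)


def load_htpasswd(text: str) -> dict:
    """Parse `user:hash` lines; blank lines and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, hashed = line.partition(":")
            users[name] = hashed
    return users


def basic_header(user: str, password: str) -> dict:
    """What the browser sends after the prompt: Base64 only, hence HTTPS."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def check_request(headers: dict, htpasswd_text: str, realm: str = "Restricted Content"):
    """Mimic mod_auth_basic with `Require valid-user`: returns
    (status, challenge header or None, user or None)."""
    challenge = ("WWW-Authenticate", f'Basic realm="{realm}"')
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge, None             # no credentials: challenge
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge, None             # malformed token
    users = load_htpasswd(htpasswd_text)
    if user in users and verify_password(users[user], pw):
        return 200, None, user
    return 401, challenge, None                 # unknown user or bad password
```

Run with no Authorization header and check_request returns 401 together with the WWW-Authenticate: Basic realm="Restricted Content" challenge that triggers the browser prompt; with basic_header("demo", "password") it returns 200. Decoding the token shows why the prerequisites insist on TLS: the Base64 is reversible by anyone on the path. The hash side is what you are protecting when you tighten the file's permissions or switch to htpasswd -B; this example deliberately leaves bcrypt entries unhandled rather than pull in a third-party library.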
Conclusion
Congratulations! If you've followed along, you've now set up basic authentication for your site.
There is much more that you can do with Apache configuration and .htaccess. To learn more about the flexibility and power available in Apache configuration, try one of these tutorials:
- For a better understanding of the main configuration file, read the section about Getting Familiar with Important Apache Files and Directories in our Apache installation guide.
- Learn more about the virtual host files in How To Set Up Apache Virtual Hosts on Ubuntu 16.04.
- Learn about rewriting URLs, customizing error pages like the "Unauthorized" message above, or including common elements on all your pages with Server Side Includes in our guide How To Use the .htaccess File.