Lighttpd setup a password protected directory (directories)

Posted by Vivek Gite [Last updated: May 26, 2008]

If you need authentication on certain directories of a Lighttpd web server, use Lighttpd's mod_auth module. It lets you put access restrictions on any directory the server exposes, just like an Apache password-protected directory.

Lighttpd supports both the Basic and the Digest authentication method. Consider the following sample setup:

  1. Domain name: theos.in
  2. Directory to protect with a password: /home/lighttpd/theos.in/http/docs (the document root is /home/lighttpd/theos.in/http, so the protected URL path is /docs/)
  3. Username: vivek
  4. Lighttpd password file: /home/lighttpd/.lighttpdpassword (this file should be outside default http document root)

How do I use the Basic authentication method?

Basic authentication is easy to implement; with the plain backend the passwords are stored in cleartext in a file, and the browser sends the username and password (Base64-encoded, not encrypted) with every request. If you use this method, serve the protected area over an SSL/TLS connection only.

Step #1: Open /etc/lighttpd/lighttpd.conf file

Make sure mod_auth is loaded:
server.modules += ( "mod_auth" )

Now add the following three directives:
auth.debug = 2
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword"

Where,

  1. auth.debug = 2 : verbose logging of every authentication attempt to the error log, handy while setting this up; set it back to 0 once it works so the log does not fill with login details.
  2. auth.backend = "plain" : use the plain backend, which reads "user:password" lines with the password in cleartext from a text file.
  3. auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword" : the path of that file. It must lie outside the document root, otherwise the server could hand out the password list itself.
Next, specify which directory you want to password protect. In our example that is /home/lighttpd/theos.in/http/docs, which sits under the document root and is therefore reached as the URL path /docs/ (auth.require takes URL paths, not filesystem paths). Find your domain's virtual host section (theos.in) and append the following:
auth.require = ( "/docs/" =>
(
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=vivek"
)
)

Where,

  1. "/docs/" : the URL prefix to protect, relative to the site, so http://theos.in/docs/ and everything below it. Lighttpd matches it as a prefix; keep the trailing slash, otherwise "/docs" would also cover "/docs-old/" and similar names.
  2. "method" => "basic" : use Basic authentication ("digest" selects Digest).
  3. "realm" => "Password protected area" : the text shown in the browser's login prompt. With the htdigest backend the realm is also part of the stored hash, so it must match the realm used when the password file was created.
  4. "require" => "user=vivek" : which users may enter. Use "valid-user" for any user in the file, or list several as "user=vivek|user=paul".

At the end, your configuration should read as follows:
$HTTP["host"] == "theos.in" {
server.document-root = "/home/lighttpd/theos.in/http"
server.errorlog = "/var/log/lighttpd/theos.in/error.log"
accesslog.filename = "/var/log/lighttpd/theos.in/access.log"
auth.require = ( "/docs/" =>
(
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=vivek"
)
)
}

Save and close the file.

Step # 2: Create a password file

Create a plain text username (vivek) and password file:
# vi /home/lighttpd/.lighttpdpassword

Append username:password:
vivek:mysecretpassword

Where,

  1. vivek : the username the browser will prompt for.
  2. mysecretpassword : that user's password, stored in cleartext. Put one user:password pair per line, and do not reuse a system or database password here.

Save and close the file. Because it holds cleartext passwords, make /home/lighttpd/.lighttpdpassword readable by the lighttpd user only (owner lighttpd, mode 0600), never world-readable:
# chown lighttpd:lighttpd /home/lighttpd/.lighttpdpassword

Finally, restart lighttpd server:
# /etc/init.d/lighttpd restart

Step # 3: Test your configuration

Fire up a browser and point it to http://yourdomain.com/docs/ or http://localhost/docs/ or http://ip-address/docs/. You should be prompted for a username and password; a missing or wrong login must produce a 401 response, not the page. Also confirm that files outside /docs/ are still served without a prompt and that the password file itself is not reachable through the web server (it lives outside the document root).
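The whole procedure above, as an added example script that is not part of the original post: it creates the user file for auth.backend = "plain" with owner-only permissions (the plain backend stores cleartext passwords), checks the file's mode and format before lighttpd is restarted, prints the auth.require block for a URL prefix and one or more users (lighttpd accepts several as "user=a|user=b"), and runs lighttpd's own syntax check (lighttpd -t -f) when the binary is installed. The paths, the second user "paul", the passwords and the throwaway directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original nixCraft post: automate the three
# steps above for auth.backend = "plain". Paths, the extra user "paul", the
# passwords and the throwaway directory are illustrative.
set -eu

# make_userfile FILE USER:PASSWORD [USER:PASSWORD ...]
# Write one cleartext "user:password" line per argument into FILE, created
# owner-only (umask 077, then chmod 600): the plain backend stores passwords
# in the clear, so nobody but the lighttpd user may read this file.
make_userfile() {
    file=$1; shift
    old_umask=$(umask)
    umask 077
    : > "$file"
    chmod 600 "$file"
    for entry in "$@"; do
        printf '%s\n' "$entry" >> "$file"
    done
    umask "$old_umask"
}

# check_userfile FILE
# Returns 0 when FILE is mode 0600 (-rw-------) and every line has the form
# user:password with neither part empty; otherwise reports why and returns 1.
# Run it before restarting lighttpd.
check_userfile() {
    file=$1
    mode=$(ls -l "$file" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$file: expected mode -rw------- (chmod 600), got $mode" >&2
        return 1
    fi
    bad=$(grep -vnE '^[^:]+:.+$' "$file" || true)
    if [ -n "$bad" ]; then
        echo "$file: malformed lines (want user:password):" "$bad" >&2
        return 1
    fi
    return 0
}

# auth_require URLPREFIX REALM USER [USER ...]
# Print the auth.require entry for URLPREFIX. lighttpd matches the key as a
# URL prefix, so keep the trailing slash ("/docs/", not "/docs", which would
# also cover "/docs-old/"). Several users are joined as "user=a|user=b".
auth_require() {
    prefix=$1; realm=$2; shift 2
    users=""
    for u in "$@"; do
        users="${users:+$users|}user=$u"
    done
    printf 'auth.require = ( "%s" =>\n  (\n    "method"  => "basic",\n    "realm"   => "%s",\n    "require" => "%s"\n  )\n)\n' \
        "$prefix" "$realm" "$users"
}

# demo: build and verify a user file in a temporary directory, print the
# matching auth.require block, and let lighttpd parse the real config (-t
# checks the syntax without starting the server) if lighttpd is installed.
demo() {
    dir=$(mktemp -d)
    make_userfile "$dir/.lighttpdpassword" "vivek:mysecretpassword" "paul:anotherpassword"
    check_userfile "$dir/.lighttpdpassword"
    auth_require "/docs/" "Password protected area" vivek paul
    if command -v lighttpd >/dev/null 2>&1 && [ -r /etc/lighttpd/lighttpd.conf ]; then
        lighttpd -t -f /etc/lighttpd/lighttpd.conf
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as "sh protect.sh demo". check_userfile is the step people skip: a world-readable plain user file is as good as publishing the passwords, and it is easy to create one by accident when the file is edited as root with a permissive umask.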

This way you can restrict access to certain areas of your website. Whichever method you choose, serve the protected area over SSL/TLS: Basic authentication sends the password with every request, and Digest only avoids sending the password itself (it still relies on MD5 and does nothing to protect the page contents in transit).

Discussion on This Article:

  1. Howto: Keep wordpress blog private from search engines » Computer, Technology and OS blog Says:

    [...] I have already written about how to password protect a directory using the Apache and Lighttpd web servers. Please follow the instructions as given on these two urls. [...]

  2. Bryan Says:

    Hello,

    Great post. I am new to Lighttpd and having trouble implementing the changes to the lighttpd.conf file.

    Is there a way you could post the conf in its entirety?

    Thanks,

    Bryan

  3. nixcraft Says:

    You want to see my sample conf file…

  4. Bryan Says:

    Yeah, that would be great. I am having a hard time inserting the tutorial items into my existing conf file.

  5. nixcraft Says:

    Sorry for trouble. It was CSS code that was causing the problem. It is fixed now. You can now copy and paste instructions. Or just grab my configuration file:

    http://www.cyberciti.biz/tmp/lighttpd.conf.txt

  6. Bryan Says:

    Thanks, I was able to get it working using your sample as a reference.

  7. Fabian Says:

    Do you have something like this for samba? I can't get samba to ask for authentication credentials after having worked on the config file and restarted the daemon [and also tried restarting the server].

  8. Fabian Says:

    As you describe in this detailed post, using plain text password is not secure enough without SSL.

    Question: What about using basic htpasswd or htdigest? Are these susceptible to replay attacks also?

    Thanks,
    Fabian.

  9. nixcraft Says:

    Fabian,

    There are only 2 methods:
    a) Basic - username and password in cleartext over the network
    b) Digest - The Digest method only transfers a hashed value over the network, hence it is more secure

    Digest only supports the plaintext or htdigest backend to store username/password information.

    Question: What about using basic htpasswd or htdigest? Are these susceptible to replay attacks also?

    To be frank, your password is more secure as compared to plain text, but there are two things you need to consider:
    Not all browsers support the digest method (only IE 5.0+, Mozilla/FF 1.0.1, Netscape 7+, Opera 4+ etc. support digest)
    Second, if an attacker knows the HTTP protocol very well he can still find out your password (a rare case)

    In short which ever method you use, get SSL support. You can also use your own SSL certificate if you cannot afford to purchase original one.
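An added example for the htdigest backend discussed in this thread (it is not the post's code and not any commenter's): lighttpd's auth.backend.htdigest.userfile uses the Apache htdigest line format user:realm:HA1, where HA1 is the MD5 of "user:realm:password" in lowercase hex, so the realm written into the file must equal the "realm" string in auth.require. The script below generates such a line, replaces an existing entry for the same user and realm instead of duplicating it, and keeps the file at mode 0600. The file path, user names and passwords are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or comments: maintain the
# user file for auth.backend = "htdigest". lighttpd reads Apache htdigest
# lines "user:realm:HA1" with HA1 = MD5("user:realm:password") in hex.
# File path, users and passwords below are illustrative.
set -eu

# md5hex STRING: lowercase hex MD5 of STRING (no trailing newline fed in).
# Uses md5sum from coreutils, or openssl where md5sum is absent.
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/^.* //'
    fi
}

# htdigest_line USER REALM PASSWORD: print the line to store for this user.
# A colon inside USER or REALM would break the three-field format, so refuse it.
htdigest_line() {
    user=$1; realm=$2; password=$3
    case "$user$realm" in
        *:*) echo "user and realm must not contain ':'" >&2; return 1 ;;
    esac
    printf '%s:%s:%s\n' "$user" "$realm" "$(md5hex "$user:$realm:$password")"
}

# add_digest_user FILE USER REALM PASSWORD: add or replace the entry for
# USER in REALM, rewriting FILE atomically with mode 0600 (umask 077).
add_digest_user() {
    file=$1; user=$2; realm=$3; password=$4
    line=$(htdigest_line "$user" "$realm" "$password")
    old_umask=$(umask)
    umask 077
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        # keep every line except an existing entry for this user+realm
        awk -F: -v u="$user" -v r="$realm" '$1 != u || $2 != r' "$file" > "$tmp"
    else
        : > "$tmp"
    fi
    printf '%s\n' "$line" >> "$tmp"
    mv "$tmp" "$file"
    umask "$old_umask"
}

# demo with a throwaway file. The matching lighttpd configuration would be:
#   auth.backend = "htdigest"
#   auth.backend.htdigest.userfile = "/home/lighttpd/.lighttpdpassword"
#   auth.require = ( "/docs/" => ( "method" => "digest",
#                     "realm" => "Password protected area",
#                     "require" => "user=vivek" ) )
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    add_digest_user "$f" vivek "Password protected area" mysecretpassword
    cat "$f"
    rm -f "$f"
fi
```

Because the realm is hashed into HA1, renaming the realm in auth.require silently invalidates every stored entry; regenerate the file rather than editing the realm in place.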

  10. Hans Says:

    Great article, just what I was looking for. I have everything, except for the Chown command. I get the error message stating that there is no such group (or user) as lighttpd. Hope you can help!

  11. vivek Says:

    Open your lighttpd config file, find out the username, and apply the same to the .password file

  12. Mike Says:

    If you only want to secure a file (not the entire directory), just add the full path information, e.g.:

    auth.require = ( "/docs/secretpage.html" =>
    (
    "method" => "basic",
    "realm" => "Password protected area",
    "require" => "user=vivek"
    )
    )

  13. Patrick Says:

    Just tried to implement this, however I get stuck at the chown and the restart.(running lighttpd on my dns323)

    So I skipped those and went to:
    ./lighttpd -D -f lighttpd.conf

    Then I get the message:
    can't handle '$HTTP[url] =~ ...' as you compiled without pcre support.
    Two questions: what is pcre support, and what do I have to put instead of the [url]?

    thanks
    Patrick

  14. vivek Says:

    PCRE support is required for Perl-style regex config options such as $HTTP["url"] =~ "^/path/to" etc.

    Please add support package pcre-devel or pcre-lib and recompile lighttpd.

  15. kunal Says:

    hi,

    this configuration is not working. I am not getting any username or password field if I try to open the docs folder and its files in the browser.

    It shows me error 404 - File Not Found

    can you explain me why this error is coming

    Thanks in advance

  16. kunal Says:

    hi,

    Aforesaid configuration is working now; it was my fault.
    But now the problem is: I have restricted a folder named docs in the auth.require module and it has a file named index.htm in it. Now whenever I run the website in my browser as https://mysite.com/docs/ it asks me for username and password, and after entering the username and password it shows error 404 - File Not Found, but I have index.htm in the docs folder.

    What is the reason for this error? Hope you will reply soon.

    Thanks in advance

  17. kunal Says:

    hi,

    sorry guys, it's me again.
    No problem in your article, it's fully my fault and I figured out where I was going wrong.

    Sorry again. Your tutorial helped me a lot, starting from installing and configuring to protecting directories.
    I am really thankful to you

    thanks a lot

  18. influenza Says:

    Hi,

    I've a question regarding all this. I don't know if it's possible at all. My nas uses lighttpd for its administrative tasks. I use the built-in lighttpd as well to serve some pages etc. Now I want to set a password on a folder. The admin function uses a password already and I want the same, I just want to add my folder that needs password protection. I have been trying to alter the conf file, but with no luck. Maybe you can shed some light on it? conf file pasted below:

    server.document-root = "/usr/www/lib/"
    server.pid-file = "/var/run/lighttpd.pid"
    server.errorlog = "/var/log/lighttpd/error.log"
    dir-listing.activate = "enable"

    server.port = 5000

    server.username = "www-data"
    server.groupname = "www-data"

    server.modules = (
    "mod_auth",
    "mod_access",
    "mod_alias",
    "mod_cgi",
    "mod_fastcgi",
    "mod_accesslog"
    )

    server.errorfile-prefix = "/usr/www/lib/error-"

    mimetype.assign = (
    ".html" => "text/html",
    ".txt" => "text/plain",
    ".jpg" => "image/jpeg",
    ".png" => "image/png",
    ".gif" => "image/gif",
    ".css" => "text/css"
    )

    accesslog.filename = "/var/log/lighttpd/access.log"

    static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc", ".cgi" )
    index-file.names = ( "nasMaster.pl" )

    # bruce - I don't think we need this now...
    #cgi.assign = ( ".cgi" => "/usr/bin/perl" )

    alias.url = ( "/auth" => "/usr/www/lib" )

    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "/var/private/lighttpd.htdigest.user"
    auth.require = ( "/auth" =>
    (
    "method" => "digest",
    "realm" => "nas admin",
    "require" => "valid-user"
    # bruce - removed user=
    # "require" => "user=admin"

    )

    )

    fastcgi.debug = 0

    # Bruce - Removed host & port and replaced with a socket
    # "host" => "127.0.0.1",
    # "port" => 1026,
    fastcgi.server = ( ".pl" =>
    (( "socket" => "/tmp/lighttpd.fcgi.socket",
    "bin-path" => "/usr/www/lib/nasMaster.pl",
    "check-local" => "disable",
    "min-procs" => 1,
    "max-procs" => 1,
    "idle-timeout" => 30,
    "bin-environment" => (
    # Environment variables for nasMaster.pl
    "PERL5LIB" => "/usr/www/lib",
    "NAS_NBIN" => "/usr/www/nbin",
    ),
    )),
    "nasMaster.pl" => (( "socket" => "/tmp/lighttpd.fcgi.socket",
    "check-local" => "disable",
    ))
    )

  19. Vincent Says:

    Hi,

    I use the htdigest authentication, by adding a line to /var/private/lighttpd.htdigest.user .
    Somehow, this added line is disappearing, so it seems the file is overwritten every now and then.

    Anyone knows when and how?

  20. vivek Says:

    Vincent,

    Make file readonly using chattr or chmod.

  21. paul Says:

    How do I set up multiple user IDs? This example shows only one: "user=vivek"

  22. vivek Says:

    Paul,

    Just append a new user / password

    HTH

  23. nitin Says:

    Hi…I have the same problem as influenza. I am trying to add a authentication to my nas (mybook). Has anyone figured this out.

  24. pille Says:

    you can add multiple users by separating them with a tilde.
    e.g.
    "require" => "user=user1|user=user2"

  25. ak.from.wf Says:

    Is there a way to suppress directory listings?

  26. vivek Says:

    directory listings can be enabled or disabled using

    server.dir-listing = "enable"

    Turn on listing for /docs/ only:

    $HTTP["url"] =~ "^/docs($|/)" {
        server.dir-listing = "enable"
    }

Copyright © 2004-2008 nixCraft. All rights reserved.