≡ Menu

lighthttpd password

There is a way to protect different directories with different username/password under Lighttpd server.

If you use different userfile files for authenticating in different directories, you can attach each to the correct directory by using conditionals.

Let us see how to protect two different directories using conditionals directives:
/docs/ with username tom
/sales/ with username jerry

Open lighttpd configuration file:
# vi lighttpd.conf
Make sure mod_auth is loaded:
server.modules += ( "mod_auth" )
Now add first conditionals directive to protect /docs/:

$HTTP["url"] =~ "^/docs/" {
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword-DOCS"
auth.require = ( "/docs/" =>
 	(
	"method" => "basic",
	"realm" => "Password protected area",
	"require" => "user=tom"
	)
   )
}

Add second conditionals directive to protect /sales/:

$HTTP["url"] =~ "^/sales/" {
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword-SALES"
auth.require = ( "/sales/" =>
 	(
	"method" => "basic",
	"realm" => "Password protected area",
	"require" => "user=jerry"
	)
   )
}

Save and close the file. Now create a password for tom user:
# vi /home/lighttpd/.lighttpdpassword-DOCS
Append username:password for tom:
tom:TomsPassword
Save and close the file. Also, create a password for jerry user:
vi /home/lighttpd/.lighttpdpassword-SALES
Append username:password for jerry:
jerry:JerrysPassword
Save and close the file. Restart lighttpd:
# /etc/init.d/lighttpd restart

Lighttpd logo

If you require authentication on certain directories using the Lighttpd web server, you can use Lighttpd's mod_auth module. It allows you to protect any directory in web server with access restrictions (just like Apache's password protected directory) .

Lighttpd supports both basic and digest authentication methods. Now consider following sample setup:

  1. Domain name: theos.in
  2. Directory (DocRoot) to protect with a password: /home/lighttpd/theos.in/http/docs
  3. Username: vivek
  4. Lighttpd password file: /home/lighttpd/.lighttpdpassword (this file should be outside default http document root)

How do I use Basic authentication method?

Easy to implement and password stored in cleartext format using files. If you are going to use this method make sure you use SSL (Secure Socket Layer) connection/encryption.

Step #1: Open /etc/lighttpd/lighttpd.conf file

Make sure mod_auth is loaded:
server.modules += ( "mod_auth" )

Now add following three directives:
auth.debug = 2
auth.backend = "plain"
auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword"

Where,

  • auth.debug = 2 : Specify debug level (0 turns off debug message, 1 for authentication ok message and 2 for detailed/verbose debugging message). This is useful for troubleshooting authentication problem. It logs message in access.log and error.log files
  • auth.backend = "plain" : You are using plain text backend (other options are ldap, htpasswd and others)
  • auth.backend.plain.userfile = "/home/lighttpd/.lighttpdpassword" : Filename of the username:password storage

Next, you need specify which directory you want to password protect. For example, consider directory /home/lighttpd/theos.in/http/docs directory. Find out your domains virtual hosting section (theos.in) and append following text:
auth.require = ( "/docs/" =>
(
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=vivek"
)
)

Where,

  • auth.require = ( "/docs/" => : Directory name
  • "method" => "basic", : Authentication type
  • "realm" => "Password protected area", : Password realm/message
  • "require" => "user=vivek" : Only user vivek can use /docs/

At the end, your configuration should read as follows:
$HTTP["host"] == "theos.in" {
server.document-root = "/home/lighttpd/theos.in/http"
server.errorlog = "/var/log/lighttpd/theos.in/error.log"
accesslog.filename = "/var/log/lighttpd/theos.in/access.log"
auth.require = ( "/docs/" =>
(
"method" => "basic",
"realm" => "Password protected area",
"require" => "user=vivek"
)
)
}

Save and close the file.

Step # 2: Create a password file

Create a plain text username (vivek) and password file:
# vi /home/lighttpd/.lighttpdpassword

Append username:password:
vivek:mysecretepassword

Where,

  • vivek - is the name of a user. Please note that do not use a system user stored in /etc/passwd file. It is recommended that you use a different username that only exists for the purpose of authenticating password protected directories.
  • mysecretepassword - is the password for user vivek (must be in clear text format for plain text method)

Save and close the file. Make sure file /home/lighttpd/.lighttpdpassword is readable by lighttpd:
# chown lighttpd:lighttpd /home/lighttpd/.lighttpdpassword

Finally, restart lighttpd server:
# /etc/init.d/lighttpd restart

Step # 3: Test your configuration

Fire your browser and point a web browser to http://yourdomain.com/docs/ or http://localhost/docs/ or http://ip-address/docs. You should be prompted for a username and password.

Lighttpd password dialog

This way you can restrict access to certain areas of your website. Make sure you also use SSL encryption for authenticating users and secure digest authentication.