Apache server by default does not have any authentication when accessing web directories. This may be desirable for only locally accessible addresses but would present a security and privacy issue when available externally. If you plant to setup No-IP DDNS on Arch Linux, custom DDNS on Arch Linux or just setup port forwarding on it’s own, it is important to secure all applications that will be accessible externally. Before configuring authentication make sure to install Apache web server.
Create Apache Passwords
Create a password file with htpasswd utility.
sudo htpasswd -c /etc/httpd/conf/passwords dom
By default htpasswd utility will append new passwords to the file but the -c option will create a new file which is what we want the first time. When prompted enter the password and then again to confirm it.
Configure Apache Authentication
Open the configuration file.
sudo nano /etc/httpd/conf/httpd.conf
Copy the options to the configuration file or to .htaccess file between
<Directory> tags. Modify directives as necessary and save the file.
AuthType Basic AuthName "Apache Web Root" AuthBasicProvider file AuthUserFile /etc/httpd/conf/passwords Require valid-user Allow from 192.168.0.15 192.168.0.100 Satisfy Any
AuthType should always be set to basic. This sends the password unencrypted so if security is very important use SSL encryption. Realm is defined with
AuthName directive which is often displayed on he login screen as well as used to eliminate password prompts when entering directories within the same realm. Type of password storage is defined with
AuthBasicProvider and is by default
file. The path of the passwords file is defined with
Require directive specifies which users are allowed to log in. The value of
valid-user allows all users that have an entry in the passwords file to log in.
Optionally the password authentication requirement can be removed for certain IP addresses which are defined with
Allow from directive. The Satisfy directive needs to be set to
Any. Alternatively it can be set to
All which would require both the IP address to match and the password.
Restart the web server for the changes to take effect.
sudo systemctl restart httpd