This post will describe a simple technique to secure your Magento virtual host with basic HTTP password protection provided by Apache. This can be useful if you want to keep users away from the webstore during development, or if you sell products wholesale and do not want unauthorized users to view your catalog/pricing.
To be very clear from the outset, this technique uses basic HTTP authentication, which if used over HTTP (rather than HTTPS) affords no security for the passwords while they are in transit across the internet. If you are interested, you can learn more about the limitations of basic access authentication. As a simple mechanism for keeping people out of a site, it will do just fine. If you store your nuclear missile access codes in a Magento store database, do not use this technique to protect them, please.
Normally when I’m developing a new site I just use virtual hosting and a modified operating system hosts file to prevent people visiting it while it’s in development. I realize that’s not really security, more obscurity, but it has worked fine for me in the past.
Recently I have had a need to more fully protect a site, but also to make it public via DNS records. In a nutshell the steps required are: configure virtual hosting for your webstore, configure Apache authentication, set up a user/password and reload Apache. I’ll run through everything in detail below.
Configure virtual hosting for your webstore
I won’t go into details here about how to set this up; I have a tutorial on configuring virtual hosts for MAMP on a Mac, and it’s not really different across other platforms.
Let’s just say you have a virtual host such as this configured:
<VirtualHost *:80>
    ServerName distribution.example.com
    DocumentRoot /var/www/distribution.example.com
</VirtualHost>
Configure Apache authentication
The configuration change is quite simple on the Apache side of things: place the following Directory block into your configuration.

<Directory "/var/www/distribution.example.com/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride all
    AuthName "Wholesale Buyer Access"
    AuthType Basic
    AuthUserFile /etc/apache2/wholesale_buyers.htpasswd
    Require valid-user
</Directory>
The important things to note here: the AuthName string, i.e. ‘Wholesale Buyer Access’, is what users will see on the browser prompt that pops up asking for a password. The AuthUserFile is the file that stores the usernames and hashed passwords for the secure area; it lives under /etc/apache2, outside the document root, so it can never be served to visitors. Place this Directory block into the VirtualHost block like so:
<VirtualHost *:80>
    ServerName distribution.example.com
    DocumentRoot /var/www/distribution.example.com
    <Directory "/var/www/distribution.example.com/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride all
        AuthName "Wholesale Buyer Access"
        AuthType Basic
        AuthUserFile /etc/apache2/wholesale_buyers.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
You can see clearly that the directory has to match the document root of the virtual host for this to make sense. Note that this same configuration can be applied to non-virtual host configurations; you basically just do not place the Directory configuration inside of a VirtualHost block.
Setup a user/password
To add a password to the Apache file you use a command line utility called htpasswd:

# Touch the file to create it; this saves you from accidentally wiping out
# your existing passwords by using the -c option to htpasswd later.
touch /etc/apache2/wholesale_buyers.htpasswd
# Run this command once for each user you want to grant access to the store.
# Put your desired name in place of 'your_name', obviously.
htpasswd /etc/apache2/wholesale_buyers.htpasswd your_name
# Lock the file down
chown root:root /etc/apache2/wholesale_buyers.htpasswd
chmod 644 /etc/apache2/wholesale_buyers.htpasswd
Now all that’s left is a quick reload of the Apache configuration files. If you do not use a Debian-based distro (such as Ubuntu) then your control of Apache may be different to what I’m describing here. If you do, lucky you, you can copy and paste your way to a secure Magento store!
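As an added check that is not part of the original post, the script below audits the password file produced by the steps above: it reports which hash scheme each entry uses (the scheme prefixes and flags are those of the Apache 2.4 htpasswd utility), counts the weak ones, and confirms the file does not sit under the DocumentRoot. The sample entries it writes are constructed placeholders, not hashes of real passwords.

```bash
#!/usr/bin/env bash
# Audit the wholesale_buyers.htpasswd file after the steps above (added example, not from the post).
# htpasswd can write several schemes: bcrypt (-B), Apache MD5 (-m, the default), SHA-1 (-s),
# crypt(3) (-d) and plaintext (-p). Only the first two are acceptable for a production store.
# Classify one "user:hash" line by its hash prefix. Echoes one of:
# bcrypt | apr1-md5 | sha1 | crypt-or-plaintext | malformed. crypt(3) output and a -p
# plaintext entry carry no prefix, so they share a bucket; both should be re-hashed with -B.
classify_entry() {
    local line="$1" hash
    case "$line" in *:*) ;; *) echo malformed; return ;; esac
    hash="${line#*:}"
    case "$hash" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1 ;;
        *)                       echo crypt-or-plaintext ;;
    esac
}

# Echo the number of entries in FILE whose scheme is neither bcrypt nor apr1-md5.
weak_entry_count() {
    local file="$1" weak=0 line scheme
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        scheme="$(classify_entry "$line")"
        case "$scheme" in bcrypt|apr1-md5) ;; *) weak=$((weak + 1)) ;; esac
    done < "$file"
    echo "$weak"
}

# Exit 0 if FILE sits inside DOCROOT, where a slip in the Directory rules could let
# Apache serve the hashes to visitors; the post correctly keeps it under /etc/apache2.
under_docroot() {
    local docroot="${2%/}"
    case "$1" in "$docroot"/*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample file: the hash strings are placeholders, not hashes of real passwords.
make_sample_file() {
    local f; f="$(mktemp)"
    printf '%s\n' 'alice:$2y$05$PLACEHOLDERbcryptSaltAndDigest' 'bob:$apr1$PLACEHOL$placeholderMd5' \
        'carol:{SHA}PLACEHOLDERsha1digest=' 'dave:plaintext-password' > "$f"
    echo "$f"
}
sample="$(make_sample_file)"
echo "weak entries: $(weak_entry_count "$sample")"   # 2 (carol and dave)
under_docroot /etc/apache2/wholesale_buyers.htpasswd /var/www/distribution.example.com \
    && echo "WARNING: password file inside DocumentRoot" || echo "password file is outside DocumentRoot"
rm -f "$sample"
```

Run it as root or with read access to the real file and point weak_entry_count at /etc/apache2/wholesale_buyers.htpasswd; any SHA-1, crypt or plaintext entry it reports should be regenerated with htpasswd -B.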
With these simple steps you can protect your Magento store with a basic HTTP password. Remember though that HTTP basic authentication over non-HTTPS connections is no substitute for real security, but it will at least let you control who can access your store, during development, or once it is running in production mode.