How to access a server http port 80 with port forwarding behind a router but require a password

Lisa Kachold lisakachold at obnosis.com
Thu Jun 30 19:13:09 MST 2011


Please NOTE correction for port 443 (rather than 80) below in the port
forwarding section of the HowTo:

<<SNIP>

>> >> Hi,
>> >>
>> >> Using Ubuntu 10.04 LTS.
>> >>
>> >> I have an intranet server behind a NAT router. Very standard Linksys
>> >> router home setup. The server has a static IP. I used port forwarding in
>> >> the router to use SSH and log into the server remotely - it works OK.
>> >>
>> >> I want no one outside my home network to access any webpages on the
>> >> server unless they're authenticated.. I know I could port forward like
>> >> with ssh but with http port 80 and then see webpages , but again this
>> >> would open it up to anyone with my cable modem's IP - wouldn't it?
>> >>
>> >> I need a secure way like SSH that requires a password before anyone
>> >> could access port 80 and http from the server from a remote network.
>> >>
>> >> How do I do this? And on the local network people can get served pages
>> >> normally as usual. Just remote would need authentication. Must be
>> >> commonly done(?)
>>
>> Here's your Step X Step How to:
>
> 0)  Configure DNS and URI port forwarding:
>
> Setup a free DynDNS.org WebHop using something like
> https://leegold.homelinux.org which allows you to use custom URI
> forwarding with an alternate port so your friends don't have to use
> something horrible like https://198.23.22.13:8001/secret/index.htm.
>
> 1) Setup port forwarding:
>
> Configure your router to port forward all port 8001 to port *443* on your
> local 192.168.n.n NAT network.
>
> 2) Configure your Authentication on Apache2:
>
> On your Apache web server, add a .htaccess file to the subdirectory under
> your DocumentRoot (example= /var/www/htdocs/secret) for authentication
> following the Apache2 Howto:
>
> :: hacked-up excerpt::
>
> Authentication example
>
> If you jumped directly to this part of the document to find out how to do
> authentication, it is important to note one thing. There is a common
> misconception that you are required to use .htaccess files in order to
> implement password authentication. This is not the case. Putting
> authentication directives in a <Directory> section, in your main server
> configuration file, is the preferred way to implement this, and .htaccess
> files should be used only if you don't have access to the main server
> configuration file. See above for a discussion of when you should and should
> not use .htaccess files.
>
> Having said that, if you still think you need to use a .htaccess file, you
> may find that a configuration such as what follows may work for you.
>
> You must have "AllowOverride AuthConfig" in effect for these directives to
> be honored.
>
> .htaccess file contents:
>
> AuthType Basic
> AuthName "Password Required"
> AuthUserFile /www/passwords/password.file
> AuthGroupFile /www/passwords/group.file
> Require group admins
>
> Note that AllowOverride AuthConfig must be in effect (in your httpd.conf
> or apache2.conf in /etc/apache2 or /etc/httpd [depending on your distro])
> for these directives to have any effect.
>
> Please see the authentication tutorial
> <http://httpd.apache.org/docs/1.3/howto/auth.html> for a more complete
> discussion of authentication and authorization.
>
> ::end hacked up excerpt::
> This should work like a charm for you.
>

NOTE: If you are currently only running a port 80 system, you can do this
also via port 80 and not install https 443 with a self signed server
signature, as that might confuse some people with browser warnings.  Just
substitute http for https in the first step and where we reference port 443,
use port 80.  Port 80 authentication behind a NAT network is probably not
secure enough.

*One word of warning: HTTP Basic Auth passwords pass in very nearly plain
text over the network, and thus are extremely insecure.*

https://help.ubuntu.com/10.04/serverguide/C/httpd.html
::excerpt::
HTTPS Configuration

The *mod_ssl* module adds an important feature to the Apache2 server - the
ability to encrypt communications. Thus, when your browser is communicating
using SSL, the https:// prefix is used at the beginning of the Uniform
Resource Locator (URL) in the browser navigation bar.

The *mod_ssl* module is available in *apache2-common* package. Execute the
following command from a terminal prompt to enable the *mod_ssl* module:

*sudo a2enmod ssl*

There is a default HTTPS configuration file in
/etc/apache2/sites-available/default-ssl. In order for *Apache2* to provide
HTTPS, a *certificate* and *key* file are also needed. The default HTTPS
configuration will use a certificate and key generated by the *ssl-cert*
package. They are good for testing, but the auto-generated certificate and
key should be replaced by a certificate specific to the site or server. For
information on generating a key and obtaining a certificate see the section
called “Certificates”
<https://help.ubuntu.com/10.04/serverguide/C/certificates-and-security.html>.

To configure *Apache2* for HTTPS, enter the following:

*sudo a2ensite default-ssl*

The directories /etc/ssl/certs and /etc/ssl/private are the default
locations. If you install the certificate and key in another directory make
sure to change *SSLCertificateFile* and *SSLCertificateKeyFile*
appropriately.

With Apache2 now configured for HTTPS, restart the service to enable the new
settings:

*sudo /etc/init.d/apache2 restart*

::end excerpt::

*Hints from experience: Do not use a passphrase for your self-signed
certificate, since you would have to add an additional step so you don't
have to manually add that phrase every time you restart your server.*


>>  SNIP
>>
>>
> > On Thu, Jun 30, 2011 at 5:22 PM,<leegold at speedymail.org>  wrote:



-- 
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
HomeSmartInternational.com <http://www.homesmartinternational.com>
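
Added example (not part of the original post or of the quoted Apache/Ubuntu documentation): the same Basic authentication placed in a <Directory> section of the main server configuration, as the quoted Apache excerpt recommends, combined with a LAN exemption so that local clients are served without a password and remote clients must authenticate. The subnet 192.168.1.0/24, the user name alice and the conf.d location are assumptions; the directory and password file paths are the ones used in the post.

```apache
# Added example for Apache 2.2 (the version shipped with Ubuntu 10.04).
# Goes in the main server configuration, e.g. a file under
# /etc/apache2/conf.d/, so it applies to both the port 80 and the
# port 443 virtual hosts.
#
# Password and group files use the paths from the .htaccess excerpt and
# must live outside the DocumentRoot. Create them with, for example:
#   htpasswd -c /www/passwords/password.file alice   (alice = placeholder user)
# and a group file containing the line:
#   admins: alice

<Directory /var/www/htdocs/secret>
    # Authentication is configured here, so .htaccess overrides are not needed.
    AllowOverride None

    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /www/passwords/password.file
    AuthGroupFile /www/passwords/group.file
    Require group admins

    # Host-based rule: only LAN addresses pass. 192.168.1.0/24 is an
    # assumed subnet; substitute your own 192.168.n.0/24.
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24

    # Either check is sufficient: a LAN source address OR a valid password.
    # Without this line the 2.2 default (Satisfy All) demands both, which
    # locks remote users out entirely.
    Satisfy Any
</Directory>
```

This relies on the router forwarding only port 8001 to 443 (never port 80) and passing the original source address through, so that remote requests arrive over HTTPS and do not match the Allow line. Apache 2.4 replaces Order/Deny/Allow/Satisfy with Require ip and Require group inside a <RequireAny> block.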


More information about the PLUG-discuss mailing list