Sometimes you want to test server-side software on a public server but don’t want to be hit by automated scripts that probe for known vulnerabilities in that software. The simplest solution is to add protection using Apache-based access restrictions.
Enable .htaccess in Apache
Changing the configuration can be very flexible and as simple as placing a special file in the directory you want to protect. “.htaccess” files are fragments of Apache configuration that can be placed in your WWW directory structure. But you have to enable them in the Apache config (/etc/apache2/sites-available/default):
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
Restrict by login / password
We would like to protect an application installed under a given path with an additional login/password. We use the digest method to protect the password from sniffing even over HTTP connections.
First of all, mod_auth_digest must be enabled in Apache:
# a2enmod auth_digest
# /etc/init.d/apache2 restart
Then we create the file with user passwords:
$ htdigest -c /home/www-data/.htpasswd app admin
And finally we need to point to that file (put the following in .htaccess in the appropriate directory):
AuthType Digest
AuthName "app"
AuthUserFile /home/www-data/.htpasswd
Require user admin
Then the browser should show you an authentication window.
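A consistency check for the steps above, added here as an example and not part of the original post: each htdigest entry has the form user:realm:MD5(user:realm:password), so the realm given to htdigest must match AuthName exactly, and the user must match "Require user". The password and the helper names (htdigest_line, parse_htaccess, check) are constructed for illustration.

```python
import hashlib

# Constructed sample: the .htaccess shown on this page.
HTACCESS = '''AuthType Digest
AuthName "app"
AuthUserFile /home/www-data/.htpasswd
Require user admin
'''

def htdigest_line(user, realm, password):
    """One htdigest entry: user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"

def parse_htaccess(text):
    """Pull AuthType, AuthName (the realm) and 'Require user' names."""
    conf = {"type": "", "realm": "", "users": []}
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(" ")
        key, value = key.lower(), value.strip()
        if key == "authtype":
            conf["type"] = value.lower()
        elif key == "authname":
            conf["realm"] = value.strip('"')
        elif key == "require" and value.lower().startswith("user "):
            conf["users"] += value.split()[1:]
    return conf

def check(htaccess_text, htdigest_text):
    """Return a list of mismatches; an empty list means the files agree."""
    conf = parse_htaccess(htaccess_text)
    # Each valid line contributes a (user, realm) pair; the hash is ignored here.
    entries = {tuple(l.strip().split(":")[:2])
               for l in htdigest_text.splitlines() if l.count(":") == 2}
    problems = []
    if conf["type"] != "digest":
        problems.append("AuthType is not Digest")
    for user in conf["users"]:
        if (user, conf["realm"]) not in entries:
            problems.append(f"no entry for user {user!r} in realm {conf['realm']!r}")
    return problems

if __name__ == "__main__":
    good = htdigest_line("admin", "app", "constructed-password")
    bad = htdigest_line("admin", "App", "constructed-password")  # realm differs in case
    print(check(HTACCESS, good))
    print(check(HTACCESS, bad))
```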
Even if the installed software probably has some bugs and exploits, you can safely test it on a public site as long as you trust that your users won’t try to hack the site (site access is not public; it requires an Apache login).