Protect access to Web interface with HTTP Basic authentication

Secure Web interface with HTTP Basic Authentication

Q: By default, IPHost Network Monitor Web interface is open to everyone, can I restrict access to it?

A: Yes, you can use HTTP Authentication to require user name and password pair to access Web interface. The detailed instructions follow.

Restricting access with HTTP Basic Authentication

IPHost Network Monitor installation provides means to use HTTP Basic Authentication or HTTP Digest Authentication for its bundled Web server. In the below instructions, we explain how to use HTTP Basic Authentication.

In the below instructions it is assumed that you are using 64-bit Windows to run IPHost, and IPHost installation directory is C:\Program Files (x86)\IPHost Network Monitor, referred from now on as “IPHost installation directory”.

Similarly, C:\ProgramData\IPHost Network Monitor will be referred as “IPHost data directory”.

Backup your current Web interface configuration

This step is important. Every time you need to alter IPHost components configuration, make sure you make a backup copy of existing configuration files. Otherwise, you might end up with broken IPHost installation.

Please make a backup copy of entire conf\ directory under IPHost installation directory before you proceed.

Make sure the below line in conf\httpd.conf is present and is not started with has sign (‘#’):

LoadModule auth_basic_module web_interface_modules/mod_auth_basic.so

(by default). If the line is absent, among other “LoadModule” directives, or is commented out (starts with a hash sign), add it in any simple text editor such as Notepad, save the file and restart IPHost monitoring service (from IPHost GUI client “Tools” menu).

Create a password file

Authentication data (user name and password) should be stored in a file. In this example, we will create users.dat in IPHost data directory. For the sake of example, we assume we are creating access credentials for user name “operator”.

Open elevated cmd.exe (right-click, “Run as Administrator”) and type the below command in one line (when prompted, enter the same password twice):

"C:\Program Files (x86)\IPHost Network Monitor\conf\htpasswd.exe" -c -B "C:\ProgramData\IPHost Network Monitor\users.dat" operator

Typical program output:

New password: ********
Re-type new password: ********
Adding password for user operator

When prompted, enter the same password twice. Make sure you can remember the password; otherwise, remove the mentioned “users.dat” file and re-create it as mentioned above.

Add authentication section to httpd.conf

Start elevated Notepad (right-click, “Run as Administrator”) or other plain text editor, open conf\httpd.conf file under IPHost installation directory, scroll to the end of file and add the below lines:


    AuthName "Access to Web interface is restricted"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile "C:/ProgramData/IPHost Network Monitor/users.dat"
    Require valid-user

Save the file. In the elevated cmd.exe window, run the below two commands:

cd "C:\Program Files (x86)\IPHost Network Monitor"
NMSWebServr.exe -t

The program should output:

Syntax OK

If anything else is reported, check the above steps to make sure you followed the instructions. In the worst case, restore backup copy of conf\ directory and edit the file anew.

Test Web interface access restriction

Stop and start IPHost monitoring service (from “Tools” menu). Open Web interface; it should request name and password. Try the “operator” user (without quotes) and the password you entered.

If name and password pair isn’t accepted, proceed to the “Troubleshooting” section below.

Provide access credentials for Web interface monitor

In case you were running IPHost Web interface HTTP(S) monitor, you will notice it will fail. Open the corresponding monitor’s “Main parameters” tab, scroll and open “Credentials” section and click plus icon to add new credentials:

Web interface access credentials

Save them and start/poll the monitor.

Adding more users to access Web interface

It might be a good idea add several users to the credentials file. That way, you can revoke access for certain users without re-building the entire credentials file and informing the personnel still allowed to access. To add another user named “patrick”, run command like this:

"C:\Program Files (x86)\IPHost Network Monitor\conf\htpasswd.exe" -B "C:\ProgramData\IPHost Network Monitor\users.dat" patrick

Note the absence of “-c” parameter (the latter is only required to create the credentials file for the first time). Every time you run the command like above, you either create a new user, or change its password.

To remove a user access altogether, run command like

"C:\Program Files (x86)\IPHost Network Monitor\conf\htpasswd.exe" -D "C:\ProgramData\IPHost Network Monitor\users.dat" patrick

Make sure you restart IPHost monitoring service every time you change the credentials file.

Troubleshooting

If access credentials do not work, please make sure you are entering them correctly. If that doesn’t help, try changing the access credentials password as explained above.

Make sure you have created backup copies of everything under conf\ in IPHost installation directory. In case you would need to revert the change, just copy the configuration files back and restart IPHost monitoring service.

In case you need to disable everyone’s access quickly, remove the credentials file, re-create it for any user with password only you may know, and restart IPHost monitoring service.

In case Windows Edge browser doesn’t accept name/password pair, try removing “-B” parameter from credentials creating command line. Note that the resulting hashed password will be easier to crack. You might wish to use a browser different from Edge, in such a case.

If everything else fails, please send us all the details of your setup, all the files you created, copy of httpd.conf file and screenshots of problems you encountered.

Security note

Please make sure no one has access to credentials file. On a multi-user system, you might wish to place the credentials file (“users.dat”) in a different directory, with only access allowed for you and the account IPHost monitoring service runs as (by default, SYSTEM account).

Related topics