9.0 Securing files and directories with various WWW servers

By: Kurt Seifried, [email protected], Copyright Kurt Seifried, 2001


Often, users simply want to restrict access to a certain set of directories or files on their website. Fortunately most web servers provide this capability with reasonably easy to use tools.

9.1 Apache based

Apache supports a wide variety of authentication methods, several of which can be considered "standard" and are typically included in vendor packages of Apache. You can assign access controls to files and directories with Apache; the configuration for this is done either in the central httpd.conf file or in per-directory files whose name is set with "AccessFileName". For example, to make ".htaccess" files your access files you would add the following to httpd.conf:

AccessFileName .htaccess

And in order to prevent people from downloading these files you would add the following to your httpd.conf:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

This means that any file starting with ".ht" (i.e. .htaccess, .htpasswd, .htgroup, .htfoobar) will not be sent if a client requests it.

You will then need to configure Apache to allow specific features in those files, using the "AllowOverride" directive within a "<Directory>" configuration section. Typically the safest thing to do is define a "<Directory />" section that disables everything and then enable features as needed on a per directory basis. For example, to allow .htaccess files in /var/www/secure-area:

<Directory /var/www/>
	AllowOverride AuthConfig
	Order allow,deny
	Allow from all
</Directory>

If your .htaccess file has no effect even though "AccessFileName" is defined, a missing or too restrictive "AllowOverride" is probably the problem.

To enable password authentication you need, at a minimum, a .htaccess file and a password file. You can also use a groups file, which allows you to keep one large centralized password file and apply different access requirements to multiple directories. Into your .htaccess file you will need to put an AuthUserFile directive (the password file), an AuthName directive (the name of this restricted area), an AuthType directive (i.e. basic or digest; typically basic is used), and a require directive (i.e. what conditions someone must meet to gain access). You can also optionally place an Order directive if you need to create a more complex access requirement (more on this later).

To create a basic password file for Apache you use the "htpasswd" command. The basic options are "-c" to create a new file, and "-m", "-d" and "-s" to specify the hashing method (MD5, Crypt and SHA1 respectively). You can also use "-b" to supply the password on the command line instead of entering it when prompted; this is useful for importing large numbers of users. So to create a basic .htpassword file you would run:

$ htpasswd -c .htpassword joesmith
New password: 
Re-type new password: 
Adding password for user joesmith

Using the password "test" and the default encryption method of Crypt we would end up with a .htpassword file that looks like:

joesmith:Dw0yWEhkXNT/U

So, to password protect a directory using the file ".htpasswd" as the password file, you would minimally need:

AuthUserFile .htpasswd
AuthName example01
AuthType Basic
require valid-user

When someone tries to access the directory the .htaccess file is placed in, they will be prompted for a username and password; they would need to enter the username "joesmith" and the password "test" to gain access.

The next step would be to use the groups capability. This is useful if you have several directories you want to protect with a variety of different policies, e.g. the group "sales" has access to the sales directory, and the group "marketing" has access to the marketing directory.

In the directory "/wwwroot/sales/" you would place an .htaccess file with the following:

AuthUserFile /wwwroot/.htpassword
AuthGroupFile /wwwroot/.htgroup
AuthName sales-area
AuthType Basic
# Multiple require lines are OR'd, so do not add "require valid-user" here:
# it would admit every user in the password file, not just the sales group.
require group sales

In the directory "/wwwroot/marketing/" you would place an .htaccess file with the following:

AuthUserFile /wwwroot/.htpassword
AuthGroupFile /wwwroot/.htgroup
AuthName marketing-area
AuthType Basic
# As above, "require valid-user" would override the group restriction.
require group marketing

You would then need to add users to the /wwwroot/.htpassword file, giving something like:

janedoe:BBQ3KOR1fNBDU
bobmarley:PpP/7iZvLWJiw
joesmith:BRJ3YT11fYbcs
sysadmin:BvQpL.pb1xH0w

And the groups file would look like:

sales:janedoe,bobmarley,sysadmin
marketing:joesmith,sysadmin

Note that a user can belong to multiple groups. In this case the users "janedoe", "bobmarley" and "sysadmin" would be allowed into sales, and the users "joesmith" and "sysadmin" would be allowed into marketing.
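The following is an added example, not part of the original article, that walks through the whole decision Apache makes for the setup above: decode the Basic Authorization header, look the user up in the password file, check the password, and then evaluate the require lines against the group file. Note that Apache 1.3 ORs multiple require lines, so a "require valid-user" next to "require group sales" admits anyone in the password file. The password and group files are constructed sample data using htpasswd's "-s" ({SHA}) format rather than the Crypt entries shown above, since SHA1 can be checked with the standard library alone.

```python
import base64
import hashlib
import hmac
def sha_entry(password):
    """Mirror 'htpasswd -s': the literal {SHA} followed by base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed sample files (not the article's data). {SHA} entries are used so the
# check needs only hashlib; crypt(3) entries such as Dw0yWEhkXNT/U are rejected.
HTPASSWD = "\n".join(f"{u}:{sha_entry(p)}" for u, p in [
    ("janedoe", "test"), ("bobmarley", "reggae"), ("joesmith", "test"), ("sysadmin", "admin-pw")])
HTGROUP = "sales:janedoe,bobmarley,sysadmin\nmarketing:joesmith,sysadmin\n"

def parse_htpasswd(text):  # user:hash per line -> {user: hash}
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def parse_htgroup(text):  # group:user1,user2 per line -> {group: {users}}
    groups = {}
    for line in text.splitlines():
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.replace(",", " ").split())
    return groups

def check_password(stored, password):
    """Verify a {SHA} entry in constant time; any other format counts as a miss."""
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, sha_entry(password))

def authorize(requires, user, groups):
    """Apache 1.3 ORs multiple require lines: the first one that matches grants."""
    for req in requires:
        kind, *args = req.split()
        if kind == "valid-user":
            return True  # any authenticated user, whatever the other require lines say
        if kind == "group" and any(user in groups.get(g, ()) for g in args):
            return True
    return False

def basic_header(user, password):  # what a browser sends for Basic auth
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def access_decision(auth_header, requires, htpasswd=HTPASSWD, htgroup=HTGROUP):
    """Decode the header, authenticate against the password file, then authorize."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Basic":
        return False
    user, _, password = base64.b64decode(token).decode().partition(":")
    users = parse_htpasswd(htpasswd)
    if user not in users or not check_password(users[user], password):
        return False
    return authorize(requires, user, parse_htgroup(htgroup))
```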

Flat text files such as the above examples are easy to start out with; however, if you have many users and groups, lookups will quickly become very slow. To solve this problem you can use dbm files.

Please see the following URL for more on dbm authentication:

http://www.apacheweek.com/features/dbmauth

For these two authentication methods to work you should make sure that the following lines (or something similar) are in your httpd.conf file:

LoadModule auth_module        modules/mod_auth.so
LoadModule anon_auth_module   modules/mod_auth_anon.so
LoadModule db_auth_module     modules/mod_auth_db.so
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_db.c

http://www.apacheweek.com/features/userauth

9.1.1 Apache-SSL

See main Apache section.

9.1.2 Apache mod-ssl

See main Apache section.

9.1.3 Raven

See main Apache section.

9.1.4 Red Hat Secure Server

See main Apache section.

9.1.5 Stronghold

See main Apache section.

http://www.c2.net/products/sh3/

Stronghold was purchased by Red Hat.

9.2 Netscape

To be added.

9.2.1 Netscape Enterprise

To be added.

9.3 Roxen

To be added.

9.4 Zeus

To be added.

9.5 Novell

To be added.

9.6 IBM Websphere

See main Apache section.

9.7 Volera

To be added.

9.8 Squid

To be added.
