Date:      Thu, 26 Dec 96 12:44:21 -0500
From:      <dwoodward@intraserve.com>
To:        dooby <dooby@camel.com>
Cc:        "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>
Subject:   Re: access.conf in Apache
Message-ID:  <m0vdMcc-00447kC@intraserve.com>

-- [ From: Doug Woodward * EMC.Ver #3.1 ] --

> From: dooby                    \ Internet:  (dooby@camel.com)
> To:   freebsd-isp@FreeBSD.ORG  \ Internet:  (freebsd-isp@freebsd.org)
 
> Can anyone point me to instructions how to restrict access to a
> directory to just one user using access.conf in the Apache web server?

See www.apache.org/docs (Run-Time Configuration Directives and Security 
Tips). But here is how to do it. Note, in all of the examples below, the 
use of upper and lower case. It is required. These examples probably 
require Apache 1.1.1 or higher.

Set up your access.conf file as follows, then "re-start your webserver".

1) Add the following:

   <Directory /apache/root/dir>
   AllowOverride None
   Options None
   <Limit GET PUT POST>
   allow from all
   </Limit>
   </Directory>   

   This blocks anyone from getting open access to any directory or sub-dir. 
on your Web-Site as well as any of your system wide settings.  
/Apache/Root/Dir is the root document directory of your webserver, such 
as:

     /usr/local/httpd/htdocs

This command can (should!) be placed inside the <VirtualHost> setup in 
the httpd.conf for any virtual web-sites you have.


2) Add the following for "each" sub-directory you wish to allow 
restricted access to:

    <Directory /apache/root/dir/sub-dir>
    AllowOverride All
    Options None
    <Limit GET PUT POST>
    order allow,deny
    allow from .yourdomain.com
    deny from all
    </Limit>  
    </Directory>

    This example allows access by anyone who is from your domain 
(.yourdomain.com being your real domain name, of course).

    To restrict it to a single computer from a domain, change the "allow 
from" to "yourcomputer.yourdomain.com" (without the quotes). This 
restricts it to just the computer whose host name matches the 
"computername". You cannot restrict it by user e-mail id since nearly 
all web-browsers will not pass the email address to the web-server. This 
command also works inside a "virtual host command" in the httpd.conf 
file.

3) If you wish to restrict by person and not by computer/domain then you 
must add .htaccess and .htpasswds files to each directory you wish to 
allow restricted access to. To do this:

A) Add the following to your access.conf (one for each sub-directory):
   
   <Directory /apache/root/dir/sub-dir>
   AllowOverride All
   Options None
   </Directory>  

B) Create a .htaccess file as follows and put it in each sub-directory

   AuthType Basic
   AuthName Enter Your Password
   AuthUserFile /apache/root/dir/sub-dir/.htpasswds
   AuthGroupFile /dev/null

   <Limit GET PUT POST>
   require valid-user
   </Limit>

   AuthType - must be Basic unless you compiled with the "Digest Auth
              Type Module".
   AuthGroupFile - is not needed so it must be set to /dev/null
   AuthUserFile - is the location and name of the Apache password file.
   AuthName - is what you want to say to the people when they
              attempt to access the directory, above the user name and
              password fields.

C) Use the Apache htpasswd program to add each user's sign-on name and 
password. This program is included with the source but is not compiled 
automatically. Check your apache src/support directory for it. The 
syntax for this program is:

    htpasswd -c /passwd/dir/yourpasswordfile username (to create the
    file and add a user)
    htpasswd /passwd/dir/yourpasswordfile username (to add a new user
    to the file or change the password of an existing user in the file).

4) The Options None command can be changed to whatever you want to 
allow in each directory, such as:

    Options All
    Options ExecCGI IncludesNOEXEC
     
5) The .htaccess file can be any name you wish by changing it in your 
srm.conf file. This is the default name. If you do change it, I strongly 
recommend you keep the . in front of the file name as a security 
precaution. Web browsers cannot issue the equivalent of ls -al, so 
therefore should anyone get a listing of your directory(s) they still 
won't see (or access) this file. Be sure to set the file to read only 
as well after creating it. Your password file, of course, should be in a 
totally restricted area of your system.


Doug Woodward
IntraServe Technologies Inc.
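As an added example (not code from the message above): a small Python model of how Apache 1.x mod_access evaluates `order`, `allow from` and `deny from`, following the rule documented for Apache 1.3 (allow,deny: an allow must match and no deny may match; deny,allow: a matching allow overrides a deny), so the two orderings can be compared against a host inside and outside yourdomain.com before a config goes live. The hostname handed to `is_allowed()` is assumed to be the name Apache resolved for the client address via reverse DNS.

```python
import re

# Added example modelled on Apache 1.x mod_access semantics; not the
# original poster's code. The hostname is assumed to be the reverse-DNS
# name Apache obtained for the client; with lookups off, name rules match nothing.

def _matches(pattern, hostname):
    """Apache 'all' / '.domain' / 'host.domain' matching for one pattern."""
    host = hostname.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)          # any host inside the domain
    # a bare name matches that host and, as in Apache, whole subdomains of it
    return host == pattern or host.endswith("." + pattern)

def parse_rules(config_text):
    """Collect order / allow from / deny from lines; Apache's default order is deny,allow."""
    order, allow, deny = "deny,allow", [], []
    for line in config_text.splitlines():
        m = re.match(r"(?i)^\s*(order|allow\s+from|deny\s+from)\s+(.+?)\s*$", line)
        if not m:
            continue
        key, value = re.sub(r"\s+", " ", m.group(1).lower()), m.group(2)
        if key == "order":
            order = value.replace(" ", "").lower()
        elif key == "allow from":
            allow.extend(value.split())
        else:
            deny.extend(value.split())
    return order, allow, deny

def is_allowed(rules, hostname):
    """Apply the order semantics: the list consulted last wins."""
    order, allow, deny = rules
    allowed = any(_matches(p, hostname) for p in allow)
    denied = any(_matches(p, hostname) for p in deny)
    if order == "allow,deny":
        return allowed and not denied   # default deny; a matching deny overrides
    return allowed or not denied        # deny,allow: default allow; a matching allow overrides

# Constructed sample configs: the same two lists under each ordering.
ALLOW_DENY = "order allow,deny\nallow from .yourdomain.com\ndeny from all\n"
DENY_ALLOW = "order deny,allow\ndeny from all\nallow from .yourdomain.com\n"

if __name__ == "__main__":
    for name, cfg in (("allow,deny", ALLOW_DENY), ("deny,allow", DENY_ALLOW)):
        for host in ("pc1.yourdomain.com", "evil.example.net"):
            verdict = "admitted" if is_allowed(parse_rules(cfg), host) else "refused"
            print(f"{name:10} {host:22} {verdict}")
```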
