Date: Thu, 26 Dec 96 12:44:21 -0500
From: <dwoodward@intraserve.com>
To: dooby <dooby@camel.com>
Cc: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>
Subject: Re: access.conf in Apache
Message-ID: <m0vdMcc-00447kC@intraserve.com>
-- [ From: Doug Woodward * EMC.Ver #3.1 ] --

> From: dooby \ Internet: (dooby@camel.com)
> To: freebsd-isp@FreeBSD.ORG \ Internet: (freebsd-isp@freebsd.org)
> Can anyone point me to instructions how to restrict access to a
> directory to just one user using access.conf in the Apache web server?

See www.apache.org/docs (Run-Time Configuration Directives and Security
Tips). But here is how to do it.

Note, in all of the examples below, the use of upper and lower case. It
is required. These examples probably require Apache 1.1.1 or higher.

Set up your access.conf file as follows, then re-start your webserver.

1) Add the following:

    <Directory /apache/root/dir>
    AllowOverride None
    Options None
    <Limit GET PUT POST>
    allow from all
    </Limit>
    </Directory>

This blocks anyone from getting open access to any directory or
sub-directory on your Web-Site as well as any of your system wide
settings. /apache/root/dir is the root document directory of your
webserver, such as /usr/local/httpd/htdocs. This command can (should!)
be placed inside the <VirtualHost> setup in the httpd.conf for any
virtual web-sites you have.

2) Add the following for "each" sub-directory you wish to allow
restricted access to:

    <Directory /apache/root/dir/sub-dir>
    AllowOverride All
    Options None
    <Limit GET PUT POST>
    # deny,allow: the deny line is applied first and the allow line
    # overrides it for your domain (allow,deny would apply "deny from
    # all" last and reject everyone)
    order deny,allow
    deny from all
    allow from .yourdomain.com
    </Limit>
    </Directory>

This example allows access by anyone who is from your domain
(.yourdomain.com being your real domain name, of course). To restrict
it to a single computer from a domain, change the "allow from" to
"yourcomputer.yourdomain.com" (without the quotes). This restricts it
to just the computer whose host name matches the "computername". You
can not restrict it by user e-mail id since nearly all web-browsers
will not pass the email address to the web-server. This command also
works inside a "virtual host command" in the httpd.conf file.

3) If you wish to restrict by person and not by computer/domain, then
you must add .htaccess and .htpasswds files to each directory you wish
to allow restricted access to. To do this:

A) Add the following to your access.conf (one for each sub-directory):

    <Directory /apache/root/dir/sub-dir>
    AllowOverride All
    Options None
    </Directory>

B) Create a .htaccess file as follows and put it in each sub-directory:

    AuthType Basic
    AuthName "Enter Your Password"
    AuthUserFile /apache/root/dir/sub-dir/.htpasswds
    AuthGroupFile /dev/null
    <Limit GET PUT POST>
    require valid-user
    </Limit>

AuthType - must be Basic unless you compiled with the "Digest Auth
Type" module.
AuthGroupFile - is not needed, so it must be set to /dev/null.
AuthUserFile - is the location and name of the Apache password file.
AuthName - is what you want to say to the people when they attempt to
access the directory, above the User Name and Password fields.

C) Use the Apache htpasswd program to add each user's sign-on name and
password. This program is included with the source but is not compiled
automatically. Check your apache src/support directory for it. The
syntax for this program is:

    htpasswd -c /passwd/dir/yourpasswordfile username
    (to create the file and add a user)

    htpasswd /passwd/dir/yourpasswordfile username
    (to add a new user to the file or change the password of an
    existing user in the file)

4) The Options None command can be changed to whatever you want to
allow in each directory, such as:

    Options All
    Options ExecCGI IncludesNOEXEC

5) The .htaccess file can be any name you wish by changing it in your
srm.conf file. This is the default name. If you do change it, I
strongly recommend you keep the . in front of the file name as a
security precaution. Web browsers can not issue the equivalent of
ls -al, so therefore, should anyone get a listing of your directory(s),
they still won't see (or access) this file. Be sure to set the file to
read only as well after creating it.

Your password file, of course, should be in a totally restricted area
of your system.

Doug Woodward
IntraServe Technologies Inc.
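As an added illustration that is not part of Doug's message or of Apache's own code: a small Python model of how Apache's mod_access evaluates `order`, `allow from` and `deny from` for the host-based rule in step 2 (showing why `order allow,deny` with `deny from all` rejects your own domain while `order deny,allow` admits it), plus a writer and checker for the `{SHA}` entry format that `htpasswd -s` produces for the password file in step 3. The host names, user name and password are constructed sample values; the function names are this example's own.

```python
import base64
import hashlib
import hmac
from typing import Dict, List


def host_matches(pattern: str, client_host: str) -> bool:
    """Match one 'allow from' / 'deny from' argument against the client's host name.

    Covers the three forms used in the post: 'all', a leading-dot domain suffix
    such as '.yourdomain.com', and a complete host name.
    """
    pattern, client_host = pattern.lower(), client_host.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return client_host.endswith(pattern)
    return client_host == pattern


def evaluate_access(order: str, allow: List[str], deny: List[str], client_host: str) -> bool:
    """Return True if mod_access would admit client_host under the given directives.

    order allow,deny: start denied; an Allow match admits, then any Deny match rejects.
    order deny,allow: start allowed; a Deny match rejects unless an Allow match overrides.
    """
    allowed = any(host_matches(p, client_host) for p in allow)
    denied = any(host_matches(p, client_host) for p in deny)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown order: {order!r}")


# Two versions of the step-2 block (constructed). In the first, 'deny from all'
# is applied after the allow line and rejects everyone, including your own domain.
ORDER_ALLOW_DENY: Dict = {"order": "allow,deny", "allow": [".yourdomain.com"], "deny": ["all"]}
ORDER_DENY_ALLOW: Dict = {"order": "deny,allow", "allow": [".yourdomain.com"], "deny": ["all"]}


def compare_orders(client_host: str) -> Dict[str, bool]:
    """Evaluate one client host against both versions of the step-2 block."""
    return {
        "allow,deny": evaluate_access(client_host=client_host, **ORDER_ALLOW_DENY),
        "deny,allow": evaluate_access(client_host=client_host, **ORDER_DENY_ALLOW),
    }


def htpasswd_sha_entry(user: str, password: str) -> str:
    """Build a 'user:{SHA}base64(sha1(password))' line, the format written by 'htpasswd -s'.

    {SHA} is unsalted; it is used here because the format is easy to verify by hand.
    Current htpasswd releases default to salted bcrypt or MD5 entries instead.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def htpasswd_check(password_file_text: str, user: str, password: str) -> bool:
    """Check a user/password pair against the {SHA} entries in a password file's text."""
    expected = htpasswd_sha_entry(user, password).split(":", 1)[1]
    for line in password_file_text.splitlines():
        name, sep, stored = line.partition(":")
        if sep and name == user and stored.startswith("{SHA}"):
            # Constant-time comparison of the stored hash against the recomputed one.
            return hmac.compare_digest(stored, expected)
    return False


if __name__ == "__main__":
    for host in ("pc1.yourdomain.com", "pc9.elsewhere.net"):
        print(host, compare_orders(host))
    # Constructed sample password file holding a single user.
    sample_file = htpasswd_sha_entry("alice", "password") + "\n"
    print(sample_file.strip())
    print(htpasswd_check(sample_file, "alice", "password"),
          htpasswd_check(sample_file, "alice", "wrong"))
```

The host matching is deliberately limited to the forms the message uses; real mod_access also accepts IP addresses and netmasks, and a domain-name rule only works when the server can resolve the client address back to a name.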