Changes

From SME Server
Jump to navigationJump to search
280 bytes added ,  01:29, 10 November 2014
text
Line 7: Line 7:  
=== Solution ===
 
=== Solution ===
   −
The most common method of implementing access controls or custom directives on a Linux-based server is to create a file called .htaccess in the directory you want to control, and include your instructions in that file.  The alternative is to add the instructions to the web server's main configuration file.  The [http://httpd.apache.org/docs/current/howto/htaccess.html Apache web server documentation] recommends avoiding use of .htaccess files when possible, for both performance and security reasons.  Therefore, '''.htaccess files are disabled by default''' on SME Server, and should not be enabled unless you have a need for your users to independently change web access controls.
+
The [http://httpd.apache.org/docs/current/howto/htaccess.html Apache web server documentation] recommends avoiding use of .htaccess files when possible, for both performance and security reasons.
    
The recommended way to implement custom access controls or web server directives on an SME server is to add those controls to the main web server configuration file using custom template fragments.  This method allows the system administrator to keep control of the web server security settings, and ensures that other system users will not inadvertently (or deliberately) compromise the web server's security.
 
The recommended way to implement custom access controls or web server directives on an SME server is to add those controls to the main web server configuration file using custom template fragments.  This method allows the system administrator to keep control of the web server security settings, and ensures that other system users will not inadvertently (or deliberately) compromise the web server's security.
   −
If users need to be able to independently change web access controls, and the system administrator is willing to permit this, .htaccess can be enabled for an ibay using the following commands:
+
Various examples on this page show how to implement secure authorised access to folders/subfolders in your SME Server ibays.  The default settings in SME Server allow you to secure the ibays using the Information Bay panel in server manager, by creating an ibay password which is used to allow authorised access to the ibay from the Internet, but this does not control access to individual folders.
   −
[root@e-smith httpd.conf]# '''db accounts setprop ibayname AllowOverride All'''
  −
[root@e-smith httpd.conf]# '''expand-template /etc/httpd/conf/httpd.conf'''
  −
[root@e-smith httpd.conf]# '''service httpd-e-smith restart'''
  −
Restarting httpd-e-smith                                  [  OK  ]
     −
AllowOverride can be set to values other than "All", and should be set as narrowly as possible to meet users' needs.  Consult the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for valid values of this parameter.  Again, this is only recommended if there is a legitimate need for system users to independently change web access controls.  If this is enabled, the system administrator should regularly monitor the contents of .htaccess files to ensure security is not compromised.
+
The alternative commonly used method of implementing access controls or custom directives on a Linux-based server is to create a file called .htaccess in the directory you want to control, and include your instructions in that file.   
 +
 
 +
 
 +
===Enabling .htaccess on SME server===
 +
 
 +
These instructions are added here for general interest. Users should heed recommendations in this article & instead use custom templates where possible to achieve the same end result.
 +
 
 +
To allow users to independently change web access controls (where this is permitted by the system administrator), .htaccess can be enabled for an ibay using the following commands:
 +
 
 +
db accounts setprop ibayname AllowOverride All
 +
expand-template /etc/httpd/conf/httpd.conf
 +
service httpd-e-smith restart
 +
 
 +
The screen will display
 +
 +
Restarting httpd-e-smith                                  [  OK  ]
 +
 
 +
AllowOverride can be set to values other than "All", and should be set as narrowly as possible to meet users' needs.  Consult the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for valid values of this parameter.  This is only required if there is a legitimate need for system users to independently change web access controls.  If this is enabled, the system administrator should regularly monitor the contents of .htaccess files to ensure security is not compromised.
 +
 
    
==== Determining contents of htaccess fragment ====
 
==== Determining contents of htaccess fragment ====
624

edits

Navigation menu