Changes

From SME Server
Jump to navigationJump to search
1,145 bytes added ,  16:38, 11 November 2014
Consolidated template creation instructions to their own section, removed example numbers (auto-number on the headings takes care of it)
Line 1: Line 1: −
== htaccess configuration using custom templates ==
+
= htaccess configuration using custom templates =
   −
=== Problem ===
+
== Problem ==
    
A system administrator wants to implement custom restrictions or directives for a web-accessible directory on a SME Server, but as '''.htaccess files are disabled by default''' on SME Server, and the enabling of them is not generally recommended, then another method is required.  
 
A system administrator wants to implement custom restrictions or directives for a web-accessible directory on a SME Server, but as '''.htaccess files are disabled by default''' on SME Server, and the enabling of them is not generally recommended, then another method is required.  
Line 7: Line 7:  
These restrictions or access controls may include limiting access to a specified range of IP addresses, enabling the Apache rewrite engine (and specifying rewrite rules), requiring a password to access a subdirectory of an ibay, and numerous other possibilities.
 
These restrictions or access controls may include limiting access to a specified range of IP addresses, enabling the Apache rewrite engine (and specifying rewrite rules), requiring a password to access a subdirectory of an ibay, and numerous other possibilities.
   −
=== Solution ===
+
== Solution ==
    
The recommended way to implement custom access controls or web server directives on an SME server is to add those controls to the main web server configuration file using custom template fragments.  This method allows the system administrator to keep control of the web server security settings, and ensures that other system users will not inadvertently (or deliberately) compromise the web server's security.
 
The recommended way to implement custom access controls or web server directives on an SME server is to add those controls to the main web server configuration file using custom template fragments.  This method allows the system administrator to keep control of the web server security settings, and ensures that other system users will not inadvertently (or deliberately) compromise the web server's security.
Line 19: Line 19:  
{{Note box|These are specific examples only, & the custom template method can be configured for any directives, as required by the sysadmin.}}
 
{{Note box|These are specific examples only, & the custom template method can be configured for any directives, as required by the sysadmin.}}
   −
===Using custom templates to configure htaccess requirements===
+
==Using custom templates to configure htaccess requirements==
   −
==== Determining contents of htaccess fragment ====
+
=== Determining contents of template fragment ===
   −
This method involves creating a httpd.conf custom template fragment with the required information.
+
A .htaccess file implements web server directives for the directory in which it is placed, and any subdirectory.  Those directives can also be placed in the main web server configuration file, which is the method described on this page.  Due to the way SME server uses [[Template Tutorial|templates]] for configuration files, we will create a small template file (a "template fragment") incorporating our desired changes, rather than directly editing the main configuration file. For this method to work, however, the directory to which those directives apply must be explicitly specified.
 +
 
 +
A template fragment intended to replace a .htaccess file will include a Directory tag, the server directives, and a /Directory tag. It will look like this:
 +
 
 +
<Directory /home/e-smith/files/ibays/youribayname/html>
 +
(any server directives that are appropriate)
 +
</Directory>
    
Initially you will need to determine the contents of your .htacess file to be used in the fragment. Refer to the .htaccess web site links below for more details.
 
Initially you will need to determine the contents of your .htacess file to be used in the fragment. Refer to the .htaccess web site links below for more details.
Line 46: Line 52:  
{{Warning box|Please choose your AuthUserFile password file name carefully so that it does not correspond with existing filenames. Do not name the file passwd as that filename already exists, and you will overwrite the original system file and make your server inaccessible. Choose a meaningful name like ibaypasswords or similar.}}
 
{{Warning box|Please choose your AuthUserFile password file name carefully so that it does not correspond with existing filenames. Do not name the file passwd as that filename already exists, and you will overwrite the original system file and make your server inaccessible. Choose a meaningful name like ibaypasswords or similar.}}
   −
====Examples====
+
===Creating the template fragment===
 +
For any of the examples below, you will create one or more custom template fragments, edit them to meet your requirements, expand the httpd.conf file, and restart the web server.  Take the following steps:
   −
=====Example 1 - Basic layout of fragment for a redirect rewrite directive=====
+
First, create the directory for your template fragments, if it doesn't already exist:
   −
Create a custom httpd.conf template fragment that looks like this (replace with appropriate details)
+
[root@e-smith ~]# '''mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf'''
 +
 
 +
The -p flag will create any intermediate directories, if they don't already exist.  If this directory already exists, the command will return without an error.
 +
 
 +
Then, change to the template directory and create a new template fragment, with the name of your choice:
   −
<Directory /home/e-smith/files/ibays/youribay/html>
+
  [root@e-smith ~]# '''cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf'''
RewriteEngine On
+
  [root@e-smith httpd.conf]# '''nano -w 50AddSecureIbayFolder'''
RewriteRule whatever
  −
...
  −
</Directory>
     −
Then
+
Edit the file to include the text from one of the examples below, or any other directives that are appropriate for your installation. The -w flag to nano disables word wrap, so nano will not insert line breaks on long linesOnce you are finished editing the file, press Ctrl-X to exit, and Y to save.  Then
  expand-template /etc/httpd/conf/httpd.conf
  −
  service httpd-e-smith restart
     −
===== Example 2 - authentication against a user password file =====
+
  [root@e-smith httpd.conf]# '''expand-template /etc/httpd/conf/httpd.conf'''
 +
  [root@e-smith httpd.conf]# '''service httpd-e-smith restart'''
   −
Determine the contents of your .htacess file to be used in the fragment, as mentioned previously.  
+
Your web server is now restarted with your custom settings in place. You should test them to ensure the function as intended.
The contents shown below will suffice for standard situations.
  −
  −
====== Custom template creation ======
     −
Next you need to create the custom template.
+
===Examples===
   −
Log on to your server command prompt as root or with root privileges and do:
+
====Basic layout of fragment for a redirect rewrite directive====
(assuming that it does not already exist)
     −
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
+
Create a custom httpd.conf template fragment that looks like this (replace with appropriate details)
   −
Create a fragment with a name of your choice
+
<Directory /home/e-smith/files/ibays/youribay/html>
 +
Options +FollowSymLinks
 +
RewriteEngine On
 +
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
 +
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
 +
...
 +
</Directory>
   −
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
+
====Authentication against a user password file====
nano -w 50AddSecureIbayFolder
  −
      
Using the htaccess file contents example from above, and assuming we want to secure an ibay subfolder called
 
Using the htaccess file contents example from above, and assuming we want to secure an ibay subfolder called
Line 97: Line 104:  
  </Limit>
 
  </Limit>
 
  </Directory>
 
  </Directory>
  −
save by ctrl+x
      
{{Note box|msg= in according with [[bugzilla:7871]] and [[bugzilla:7890]] the following apache modules are loaded by default in the SME8 and also in the future release of SME9.
 
{{Note box|msg= in according with [[bugzilla:7871]] and [[bugzilla:7890]] the following apache modules are loaded by default in the SME8 and also in the future release of SME9.
Line 106: Line 111:  
there is no longer the requirement to add these by using a custom template 20LoadModule55}}
 
there is no longer the requirement to add these by using a custom template 20LoadModule55}}
   −
====== Password file creation ======
+
=====Password file creation=====
    
Now you need to create the password file, change to the location you want the password file in
 
Now you need to create the password file, change to the location you want the password file in
Line 144: Line 149:  
If you use the -c switch when entering additional user details you will overwrite the password file completely and only have the one user entry there.
 
If you use the -c switch when entering additional user details you will overwrite the password file completely and only have the one user entry there.
   −
===== Example 3 - authentication against all sme users =====
+
====Authentication against all sme users====
    
Determine the contents of your .htacess file to be used in the fragment, as mentioned previously.  
 
Determine the contents of your .htacess file to be used in the fragment, as mentioned previously.  
 
The contents shown below will suffice for standard situations.
 
The contents shown below will suffice for standard situations.
  −
====== Custom template creation ======
  −
  −
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
  −
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
  −
nano -w 50AddSecureIbayFolder
   
   
 
   
 
Assuming we want to secure an ibay subfolder called
 
Assuming we want to secure an ibay subfolder called
Line 191: Line 190:  
there is no longer the requirement to add these by using a custom template 20LoadModule55}}
 
there is no longer the requirement to add these by using a custom template 20LoadModule55}}
   −
===== Example 4 - authentication against specified sme users =====
+
====Authentication against specified sme users====
    
Determine the contents of your .htacess file to be used in the fragment, as mentioned previously.  
 
Determine the contents of your .htacess file to be used in the fragment, as mentioned previously.  
 
The contents shown below will suffice for standard situations.
 
The contents shown below will suffice for standard situations.
  −
====== Custom template creation ======
  −
  −
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
  −
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
  −
nano -w 50AddSecureIbayFolder
   
   
 
   
 
Assuming we want to secure an ibay subfolder called
 
Assuming we want to secure an ibay subfolder called
Line 239: Line 232:  
there is no longer the requirement to add these by using a custom template 20LoadModule55}}
 
there is no longer the requirement to add these by using a custom template 20LoadModule55}}
   −
===== Example 5 - authentication against groups =====
+
====Authentication against groups====
    
* Unixgroup  
 
* Unixgroup  
Line 315: Line 308:  
http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967
 
http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967
   −
==== Testing ====
+
===Testing===
    
Now you can test the web site access.
 
Now you can test the web site access.
Line 331: Line 324:  
Enter any combination that is allowed by your configuration to gain access, ie is in your password file, is any sme user, or is a specfied sme user.
 
Enter any combination that is allowed by your configuration to gain access, ie is in your password file, is any sme user, or is a specfied sme user.
   −
==== Deletion procedure ====
+
===Deletion procedure===
    
To undo any changes you make using this method, do the following, replacing filenames with those actually used
 
To undo any changes you make using this method, do the following, replacing filenames with those actually used
Line 342: Line 335:  
  sv s /service/httpd-e-smith
 
  sv s /service/httpd-e-smith
   −
===Using a .htaccess file to configure htaccess requirements - not recommended===
+
==Using a .htaccess file to configure htaccess requirements - not recommended==
    
These instructions are added here for general interest. Users should heed recommendations in this article & instead use custom templates where possible to achieve the same end result.
 
These instructions are added here for general interest. Users should heed recommendations in this article & instead use custom templates where possible to achieve the same end result.
Line 360: Line 353:  
AllowOverride can be set to values other than "All", and should be set as narrowly as possible to meet users' needs.  Consult the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for valid values of this parameter.  This is only required if there is a legitimate need for system users to independently change web access controls.  If this is enabled, the system administrator should regularly monitor the contents of .htaccess files to ensure security is not compromised.
 
AllowOverride can be set to values other than "All", and should be set as narrowly as possible to meet users' needs.  Consult the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for valid values of this parameter.  This is only required if there is a legitimate need for system users to independently change web access controls.  If this is enabled, the system administrator should regularly monitor the contents of .htaccess files to ensure security is not compromised.
   −
=== Additional Information ===
+
== Additional Information ==
    
See these resources for further information about creating and using htaccess. Much of the information is not directly applicable to the method outlined in this HOWTO, but it will assist in determining the contents of the custom template fragment (ie the directives to use).
 
See these resources for further information about creating and using htaccess. Much of the information is not directly applicable to the method outlined in this HOWTO, but it will assist in determining the contents of the custom template fragment (ie the directives to use).
147

edits

Navigation menu