Difference between revisions of "Htaccess"

From SME Server
m (corrected typo in command)
(added sections for authentication against valid sme users)
Old Howto

This is a link to an earlier Howto that is still applicable to sme7.x

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/htaccess%20configuration%20with%20custom%20templates%20HOWTO%20for%20sme%20server.htm

The Howto refers to a deprecated command

/etc/e-smith/events/actions/restart-httpd-graceful

Instead of the above, please use the following commands to restart & check the httpd-e-smith service

sv t /service/httpd-e-smith
sv s /service/httpd-e-smith

Revision as of 15:18, 30 October 2007

htaccess configuration using custom templates

Problem

You want to implement secure authorised access to folders/subfolders in your sme server ibays.

The default settings in sme server allow you to secure the ibays using the Information Bay panel in server manager, by creating an ibay password which is used to allow authorised access to the ibay from the Internet, but this does not control access to individual folders.

Solution

The use of a .htaccess file and associated password file can control the security of subfolders within ibays by username and password. Htaccess is not enabled by default on SME Server, and because .htaccess files live inside the web tree they are inherently exposed to the Internet and need the correct permissions applied to prevent unauthorised access, which makes them a security risk.

The recommended way to implement .htaccess on a SME server, is to use custom templates, which are only under the control of the administrator and cannot be tampered with by anonymous Internet users. Using this method you do NOT need to install any contrib rpm.


Determining contents of htaccess fragment

This method involves creating a httpd.conf custom template fragment with the required information.

Initially you will need to determine the contents of your .htaccess file to be used in the fragment. Refer to the .htaccess web site links below for more details, but a basic .htaccess file would contain the following (see specific examples in the following sections):

AuthUserFile /etc/passwordfilename

AuthGroupFile /dev/null

AuthName "My Site Security Group"

AuthType Basic

<Limit GET>

order deny,allow

require valid-user

</Limit>

The AuthUserFile will be the location on your sme server of the htaccess password file. You can choose whichever name and location you want, but the password file SHOULD NOT be placed in a publicly accessible area, i.e. NOT in web site folders. Note that this file is created using the htpasswd command (see steps later).

The AuthName can be any name you want.

The rest of the details are basic and can be amended to suit your particular requirements.
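As an added check (example code written for this page, not part of the original HOWTO or of SME Server): a small shell audit of a fragment before it is expanded into httpd.conf. It flags an AuthUserFile stored under a web-served directory, a missing require line, and a Limit block. A Limit block covers only the methods it lists (GET implying HEAD), so a require placed inside Limit GET leaves other HTTP methods unauthenticated; the Apache documentation recommends putting the require directly in the Directory section or using LimitExcept. The web root list and the two sample fragments are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: audit a httpd.conf custom
# template fragment before expanding it. Findings are printed one per line
# and the return value is the number of findings (0 means clean).

# Directories SME Server serves to browsers (assumed for this check).
WEB_ROOTS="/home/e-smith/files/ibays /home/e-smith/files/primary"

# audit_fragment FILE
audit_fragment() {
    frag="$1"
    n=0
    # Second field of the AuthUserFile line, if the fragment has one.
    pwfile=$(awk '$1 == "AuthUserFile" { print $2; exit }' "$frag")
    if [ -n "$pwfile" ]; then
        for root in $WEB_ROOTS; do
            case "$pwfile" in
                "$root"/*) echo "FAIL: AuthUserFile $pwfile is under the web tree $root"
                           n=$((n + 1)) ;;
            esac
        done
        [ -e "$pwfile" ] || echo "NOTE: $pwfile does not exist yet (create it with htpasswd -c)"
    fi
    # Without a require directive Apache asks for nothing at all.
    if ! grep -qiE '^[[:space:]]*require[[:space:]]' "$frag"; then
        echo "FAIL: no require directive, so the directory is not protected"
        n=$((n + 1))
    fi
    # A <Limit> block applies its contents only to the listed methods.
    if grep -qiE '^[[:space:]]*<Limit[[:space:]]' "$frag"; then
        echo "WARN: <Limit> present; a require inside it covers only the listed methods"
        n=$((n + 1))
    fi
    return "$n"
}

# write_samples DIR: constructed good and bad fragments for the demo.
write_samples() {
    cat > "$1/good" <<'EOF'
<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthUserFile /etc/passwordfilename
AuthGroupFile /dev/null
AuthName "My Site Security Group"
AuthType Basic
require valid-user
</Directory>
EOF
    cat > "$1/bad" <<'EOF'
<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthUserFile /home/e-smith/files/ibays/ibayname/html/.htpasswd
AuthGroupFile /dev/null
AuthName "My Site Security Group"
AuthType Basic
<Limit GET>
order deny,allow
require valid-user
</Limit>
</Directory>
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in good bad; do
    echo "== $f =="
    audit_fragment "$tmp/$f" || echo "$? finding(s)"
done
rm -rf "$tmp"
```

Run it against your own fragment with audit_fragment /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder; a non-zero return is the signal to fix the fragment before running expand-template.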


Procedure - authentication against a user password file

Determine the contents of your .htaccess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.

Custom template creation

Next you need to create the custom template.

Log on to your server command prompt as root or with root privileges and create the custom template directory (assuming that it does not already exist):

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

Create a fragment with a name of your choice

cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
pico -w 50AddSecureIbayFolder

Using the htaccess file contents example from above, and assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following

<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthUserFile /etc/passwordfilename
AuthGroupFile /dev/null
AuthName "My Site Security Group"
AuthType Basic
<Limit GET>
order deny,allow
require valid-user
</Limit>
</Directory>

then do

expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith

It is recommended practice to check that the service has started and is running, so do

sv s /service/httpd-e-smith

Password file creation

Now you need to create the password file, change to the location you want the password file in

cd /etc

then do

htpasswd -c passwordfilename user1

then you will be asked to enter the password

and then asked to confirm the password

The user name and password will be encoded into the password file

To add a second user and password do

htpasswd passwordfilename user2

then you will be asked to enter the password

and then asked to confirm the password

To add a third user and password do

htpasswd passwordfilename user3

then you will be asked to enter the password

and then asked to confirm the password

and so on.

You should only use the -c switch when entering the first user.

If you use the -c switch when entering additional user details you will overwrite the password file completely and only have the one user entry there.


Procedure - authentication against all sme users

Determine the contents of your .htaccess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.

Custom template creation

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
pico -w 50AddSecureIbayFolder

Assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following

<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthName "My Site Security Group"
AuthType Basic
AuthExternal pwauth
<Limit GET>
order deny,allow
require valid-user
</Limit>
</Directory>

(the "valid-user" setting will allow any valid sme user to gain access)

then do

expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith
sv s /service/httpd-e-smith


Procedure - authentication against specified sme users

Determine the contents of your .htaccess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.

Custom template creation

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
pico -w 50AddSecureIbayFolder

Assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following

<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthName "My Site Security Group"
AuthType Basic
AuthExternal pwauth
<Limit GET>
order deny,allow
require user admin smeusername1 smeusername2 smeusername3 smeusername4
</Limit>
</Directory>

(where admin, smeusername1, smeusername2 etc are valid users on the sme server)

then do

expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith
sv s /service/httpd-e-smith
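The three procedures above (password file, any SME user, a list of SME users) differ only in the authentication lines of the fragment. As an added example, written for this page and not part of the original HOWTO or of SME Server, the shell function below generates the fragment for any of the three variants from the directory and a mode, so the path is typed once. It prints to stdout; saving it as /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder and running expand-template and sv t are the page's own steps. One deliberate difference from the page's fragments: the require line sits directly in the Directory section rather than inside Limit GET, so every HTTP method needs authentication, as the Apache documentation advises.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: build the custom template
# fragment for one of the three variants on this page.
#
# make_fragment DIR MODE [ARG...]
#   DIR         ibay subfolder to protect (must be under an ibay's html tree)
#   MODE file   ARG is the htpasswd file path; it must be outside the web tree
#   MODE all    any valid SME user may log in (AuthExternal pwauth, valid-user)
#   MODE users  ARGs are the SME user names allowed (require user ...)
# Returns 0 on success and 1 for bad arguments, with a message on stderr.
make_fragment() {
    [ $# -ge 2 ] || { echo "usage: make_fragment DIR MODE [ARG...]" >&2; return 1; }
    dir="$1"; mode="$2"; shift 2
    case "$dir" in
        /home/e-smith/files/ibays/*/html/*) ;;
        *) echo "make_fragment: $dir is not inside an ibay html tree" >&2; return 1 ;;
    esac
    case "$mode" in
        file)
            pwfile="$1"
            # Refuse an empty path or one that Apache would serve to browsers.
            case "$pwfile" in
                ""|/home/e-smith/files/*)
                    echo "make_fragment: file mode needs a password file path outside the web tree" >&2
                    return 1 ;;
            esac
            auth=$(printf 'AuthUserFile %s\nAuthGroupFile /dev/null' "$pwfile")
            req="require valid-user" ;;
        all)
            auth="AuthExternal pwauth"
            req="require valid-user" ;;
        users)
            [ $# -gt 0 ] || { echo "make_fragment: users mode needs at least one user name" >&2; return 1; }
            auth="AuthExternal pwauth"
            req="require user $*" ;;
        *)
            echo "make_fragment: unknown mode '$mode' (file, all or users)" >&2
            return 1 ;;
    esac
    printf '<Directory %s>\n' "$dir"
    printf 'AuthName "My Site Security Group"\n'
    printf 'AuthType Basic\n'
    printf '%s\n' "$auth"
    printf '%s\n' "$req"
    printf '</Directory>\n'
}

# Demo: the "specified SME users" variant for the page's example path.
make_fragment /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername users admin smeusername1
```

Typical use is make_fragment DIR MODE ... > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder followed by expand-template /etc/httpd/conf/httpd.conf and sv t /service/httpd-e-smith; the argument checks reject a directory outside the ibay tree and a password file inside it, the two mistakes the page warns about.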

Testing

Now you can test the web site access.

Ensure you have created the actual web site folder or subfolder, and then browse to your newly secured location ie

www.yourdomain.com/ibayname/foldername/subfoldername

You will be asked for a user Id and password.

Enter any combination that is allowed by your configuration to gain access, i.e. one that is in your password file, is any sme user, or is a specified sme user.

Deletion procedure

To undo any changes you make using this method, do the following, replacing filenames with those actually used

rm /etc/passwordfilename
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder
expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith
sv s /service/httpd-e-smith

Additional Information

See these resources for further information about creating and using htaccess, although much of that information is not applicable to the method outlined in this HOWTO.

It will assist you to determine the contents of the htaccess file that will be placed into the custom template fragment.

http://www.freewebmasterhelp.com/tutorials/htaccess/

http://www.its.queensu.ca/network/policy/htaccess.shtml

http://www.washington.edu/computing/web/publishing/htaccess.html

http://www.htmlite.com/HTA003.php

http://www.cs.hmc.edu/qref/web/htaccess.html

For further information about custom templates see:

http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual