Difference between revisions of "Htaccess"

From SME Server
= htaccess configuration using custom templates =
  
== Problem ==

A system administrator wants to implement custom restrictions or directives for a web-accessible directory on an SME Server. Because '''.htaccess files are disabled by default''' on SME Server, and enabling them is not generally recommended, another method is required.

These restrictions or access controls may include limiting access to a specified range of IP addresses, enabling the Apache rewrite engine (and specifying rewrite rules), requiring a password to access a subdirectory of an ibay, and numerous other possibilities.

== Solution ==

The recommended way to implement custom access controls or web server directives on an SME Server is to add those controls to the main web server configuration file using custom template fragments. This keeps the web server security settings under the control of the system administrator alone, and ensures that other system users cannot inadvertently (or deliberately) weaken them: a .htaccess file lives inside the web root, where anyone with write access to the ibay can alter it, whereas a template fragment is writable only by root.

The [http://httpd.apache.org/docs/current/howto/htaccess.html Apache web server documentation] recommends avoiding use of .htaccess files when possible, for both performance and security reasons.

Various examples are shown in this article, including basic redirection and rewriting, and how to implement authorised access to folders/subfolders in SME Server ibays using different auth methods.

The default SME Server server-manager panel allows ibay access from the Internet to be secured with a password (see the Information Bay panel). This only controls access to the main ibay folder and does not control access to individual folders or subfolders, so the auth examples given here allow finer control than the default settings available in SME Server.

{{Note box|These are specific examples only; the custom template method can be configured for any directives, as required by the sysadmin.}}
  
== Using custom templates to configure htaccess requirements ==

=== Determining contents of template fragment ===

A .htaccess file implements web server directives for the directory in which it is placed, and any subdirectory. Those directives can also be placed in the main web server configuration file, which is the method described on this page. Because SME Server generates configuration files from [[Template Tutorial|templates]], we create a small template file (a "template fragment") containing the desired changes, rather than directly editing the main configuration file. For this method to work, however, the directory to which the directives apply must be explicitly specified: a .htaccess file applies implicitly to the directory it sits in, but a fragment has no such context.

A template fragment intended to replace a .htaccess file will include a Directory tag, the server directives, and a /Directory tag. It will look like this:

 <Directory /home/e-smith/files/ibays/youribayname/html>
 (any server directives that are appropriate)
 </Directory>

Initially you will need to determine the contents of the .htaccess file to be used in the fragment. Refer to the .htaccess web site links below for more details. A basic .htaccess file designed for user authorisation purposes may contain the following (see specific examples in following sections):

 AuthUserFile /etc/passwordfilename
 AuthGroupFile /dev/null
 AuthName "My Site Security Group"
 AuthType Basic
 require valid-user

The AuthUserFile will be the location on your SME Server of the htaccess password file. You can choose whichever name and location you want, but the password file SHOULD NOT be placed in a publicly accessible area, ie NOT in web site folders, where the password hashes it contains could be downloaded by anyone. Note that this file is created using the htpasswd command (see steps later).

The AuthName can be any name you want; it is shown to the user in the browser's login prompt.

AuthType Basic sends the user name and password with every request, only base64-encoded, so serve password-protected locations over HTTPS; otherwise the credentials are readable on the wire.

The rest of the details are basic and can be amended to suit your particular requirements.

Do not wrap the require directive in <Limit GET> ... </Limit>, as older htaccess tutorials often show. <Limit> confines the enclosed directives to the listed methods only, so a POST (or any other method) to the same directory would not be subject to the authentication check at all; an unwrapped require applies to every method. The order deny,allow line often seen alongside it has no effect unless Allow or Deny directives follow it, so it is omitted here.

{{Warning box|Please choose your AuthUserFile password file name carefully so that it does not correspond with existing filenames. Do not name the file passwd as that filename already exists, and you will overwrite the original system file and make your server inaccessible. Choose a meaningful name like ibaypasswords or similar.}}
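Once a fragment has been written and httpd.conf expanded, it is worth checking the whole expanded file, not only the new fragment, for the mistakes described above. The following Python script is an added example written for this article; it is not part of SME Server or of Apache. It walks the configuration line by line, tracks which container sections are open, and reports a require directive inside a <Limit> block, an AuthUserFile located under an ibay web root (the path prefix /home/e-smith/files/ibays/*/html is taken from this page's examples), and AllowOverride All. The configuration text it checks is constructed for the example; point audit_file() at /etc/httpd/conf/httpd.conf to check a live server.

```python
"""Audit an expanded httpd.conf (or one template fragment) for the weak
patterns discussed on this page.

Added example for this article, not SME Server or Apache code.  The only
assumption is the SME ibay web-root layout used in the article's examples.
"""
import re
from typing import List, Tuple

# Password files must never live under an ibay web root (assumed SME layout).
WEB_ROOT_PATTERN = re.compile(r"^/home/e-smith/files/ibays/[^/]+/html(/|$)")

_OPEN = re.compile(r"^<(\w+)\b[^>]*>$")   # <Directory ...>, <Limit GET>, ...
_CLOSE = re.compile(r"^</(\w+)>$")        # </Directory>, </Limit>, ...


def audit_text(conf: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for the configuration text.

    Findings raised:
      * a require directive inside <Limit>: only the listed methods are
        protected, every other method bypasses the check;
      * AuthUserFile inside an ibay web root: the hashes are downloadable;
      * AllowOverride All: .htaccess may change Options, handlers, etc.;
      * unbalanced or unclosed container tags: a malformed fragment.
    """
    findings: List[Tuple[int, str]] = []
    stack: List[str] = []  # lower-cased names of the open container sections
    lines = conf.splitlines()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        m = _CLOSE.match(line)
        if m:
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            else:
                findings.append((lineno, "unbalanced </%s>" % m.group(1)))
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if directive == "require" and "limit" in stack:
            findings.append((lineno, "Require inside <Limit>: other methods bypass auth"))
        elif directive == "authuserfile" and WEB_ROOT_PATTERN.match(arg.strip('"')):
            findings.append((lineno, "AuthUserFile inside a web root: %s" % arg))
        elif directive == "allowoverride" and arg.lower() == "all":
            findings.append((lineno, "AllowOverride All: .htaccess can change Options and handlers"))
    if stack:
        findings.append((len(lines), "unclosed <%s>" % stack[-1]))
    return findings


def audit_file(path: str) -> List[Tuple[int, str]]:
    """Audit a configuration file on disk, e.g. /etc/httpd/conf/httpd.conf."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_text(fh.read())


# Constructed sample: an ibay with every mistake this page warns about,
# followed by a corrected block that should produce no findings.
SAMPLE_CONF = """\
# constructed sample, not a real SME Server httpd.conf
<Directory /home/e-smith/files/ibays/ibayname/html>
    AllowOverride All
</Directory>
<Directory /home/e-smith/files/ibays/ibayname/html/private>
    AuthUserFile /home/e-smith/files/ibays/ibayname/html/.htpasswd
    AuthName "My Site Security Group"
    AuthType Basic
    <Limit GET>
        order deny,allow
        require valid-user
    </Limit>
</Directory>
<Directory /home/e-smith/files/ibays/ibayname/html/fixed>
    AuthUserFile /etc/ibaypasswords
    AuthName "My Site Security Group"
    AuthType Basic
    require valid-user
</Directory>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for lineno, message in audit_text(text):
        print("line %d: %s" % (lineno, message))
```

Run it with no argument to see the three findings on the sample (lines 3, 6 and 11); the corrected block at the end is silent. The parser is deliberately simple: it does not follow Include directives, so run it on the expanded httpd.conf rather than on the template directory.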
  
=== Creating the template fragment ===

For any of the examples below, you will create one or more custom template fragments, edit them to meet your requirements, expand the httpd.conf file, and restart the web server. Take the following steps:

First, create the directory for your template fragments, if it doesn't already exist:

 [root@e-smith ~]# '''mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf'''

The -p flag will create any intermediate directories, if they don't already exist. If this directory already exists, the command will return without an error. Fragments belong under templates-custom, never under /etc/e-smith/templates, whose contents are replaced by package updates.

Then, change to the template directory and create a new template fragment, with the name of your choice. Fragments are concatenated in name order when the template is expanded, so the leading number decides where your text lands in httpd.conf:

 [root@e-smith ~]# '''cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf'''
 [root@e-smith httpd.conf]# '''nano -w 50AddSecureIbayFolder'''

Edit the file to include the text from one of the examples below, or any other directives that are appropriate for your installation. The -w flag to nano disables word wrap, so nano will not insert line breaks on long lines. Once you are finished editing the file, press Ctrl-X to exit, and Y to save. Then expand the template and restart the web server:

 [root@e-smith httpd.conf]# '''expand-template /etc/httpd/conf/httpd.conf'''
 [root@e-smith httpd.conf]# '''service httpd-e-smith restart'''

Between those two commands it is worth running httpd -t, which checks the syntax of the expanded file, so that a typo in the fragment cannot take the web server down. Your web server is now restarted with your custom settings in place. You should test them to ensure they function as intended.
  
=== Examples ===

==== Basic layout of fragment for a redirect rewrite directive ====

Create a custom httpd.conf template fragment that looks like this (replace with appropriate details):

 <Directory /home/e-smith/files/ibays/youribay/html>
 Options +FollowSymLinks
 RewriteEngine On
 RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
 RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
 ...
 </Directory>

The RewriteCond lines shown are the opening of a typical ruleset that refuses requests whose query string carries injection patterns. RewriteCond lines apply only to the RewriteRule that follows them, so the elided remainder must end with a RewriteRule, or the conditions have no effect. Options +FollowSymLinks is required for mod_rewrite to operate in a directory context.
  
==== Authentication against a user password file ====

Using the htaccess file contents example from above, and assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following (ensure there is an empty line at the end):

 <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
 AuthUserFile /etc/passwordfilename
 AuthGroupFile /dev/null
 AuthName "My Site Security Group"
 AuthType Basic
 require valid-user
 </Directory>

{{Note box|msg= In accordance with [[bugzilla:7871]] and [[bugzilla:7890]], the following Apache modules are loaded by default in SME8 and also in the future release of SME9:
'''auth_basic'''
'''authn_file'''
'''authz_groupfile'''
There is therefore no longer any requirement to load them with a custom template 20LoadModule55.}}

===== Password file creation =====

Now you need to create the password file. Change to the location you want the password file in:

 cd /etc

then do

 htpasswd -c passwordfilename user1

You will be asked to enter the password, and then to confirm it. The user name and the hashed password will be written to the password file.

To add a second user and password do

 htpasswd passwordfilename user2

and likewise for a third user:

 htpasswd passwordfilename user3

and so on.

You should only use the -c switch when entering the first user. If you use the -c switch when entering additional user details you will overwrite the password file completely and have only the one user entry there.

The web server needs to read the file but nobody else does, so restrict it to root and the web server user (www on SME Server), for example with chown root:www and chmod 640, as is done for the unixgroup helper later on this page.
==== Authentication against all sme users ====

Determine the contents of your .htaccess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.

Assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following (ensure there is an empty line at the end):

 <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
 AuthName "My Site Security Group"
 AuthType Basic
 AuthExternal pwauth
 require valid-user
 </Directory>

{{Note box|the "valid-user" setting will allow any valid SME user to gain access}}

pwauth checks the supplied credentials against the server's real user accounts, so a password captured from an unencrypted HTTP login is the user's actual SME login password. Use this method only over HTTPS.

* With SME9 you have to modify the fragment slightly, because authentication is provided by the newer authnz_external module, which needs an AuthBasicProvider line:

 <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
 AuthName "My Site Security Group"
 '''AuthBasicProvider external'''
 AuthType Basic
 AuthExternal pwauth
 require valid-user
 </Directory>
  
==== Authentication against specified sme users ====

Determine the contents of your .htaccess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.

Assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following (ensure there is an empty line at the end):

 <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
 AuthName "My Site Security Group"
 AuthType Basic
 AuthExternal pwauth
 require user admin smeusername1 smeusername2 smeusername3 smeusername4
 </Directory>

{{Note box|where admin, smeusername1, smeusername2 etc are valid users on the SME server}}

* With SME9 you have to modify the fragment slightly, because authentication is provided by the newer authnz_external module, which needs an AuthBasicProvider line:

 <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
 AuthName "My Site Security Group"
 '''AuthBasicProvider external'''
 AuthType Basic
 AuthExternal pwauth
 require user admin smeusername1 smeusername2 smeusername3 smeusername4
 </Directory>
==== Authentication against groups ====

* Unixgroup

To authenticate against unix groups on SME Server 8 you have to download the unixgroup helper that ships with pwauth: http://code.google.com/p/pwauth/ For SME Server 9 an NFR (new feature request) has been raised; see [[bugzilla:3690]].

 wget http://pwauth.googlecode.com/files/pwauth-2.3.10.tar.gz
 tar xvzf pwauth-2.3.10.tar.gz
 cp pwauth-2.3.10/unixgroup /usr/lib/httpd/modules/
 chown root:www /usr/lib/httpd/modules/unixgroup
 chmod 750 /usr/lib/httpd/modules/unixgroup

The helper is executed by the web server on every group check, so read the script before copying it into place.

We need to create a new fragment, in the custom template directory (not in /etc/e-smith/templates, whose contents are replaced by package updates):

 nano /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35-group-auth

 {
         $OUT .= "    AddExternalGroup unixgroup /usr/lib/httpd/modules/unixgroup\n";
         $OUT .= "    SetExternalGroupMethod unixgroup environment\n";
 }

 [root@sme8 ~]# expand-template /etc/httpd/conf/httpd.conf
 [root@sme8 ~]# sv t /service/httpd-e-smith
 [root@sme8 ~]# sv s /service/httpd-e-smith

After that you are able to check for group membership with the following directives, placed inside a Directory block in your custom fragment as in the earlier examples. (They also work in a .htaccess file, but only if AllowOverride AuthConfig is permitted for that directory, which this page recommends against.)

 AuthName "mySite"
 AuthType Basic
 AuthExternal pwauth
 GroupExternal unixgroup
 Require group mygroup
 Satisfy all

mygroup must be a valid group on your server. To allow several groups, list them on the one line: Require group group1 group2 group3

If you want to allow groups and certain users you can do it like this:

 AuthName "mySite"
 AuthType Basic
 AuthExternal pwauth
 GroupExternal unixgroup
 AuthzUserAuthoritative off
 Require group group1 group2 group3
 Require user admin pierre paul
 Satisfy all

AuthzUserAuthoritative off lets a request whose user is not in the Require user list fall through to the group check instead of being rejected outright.

* With SME9 you have to modify the directives slightly, because authentication is provided by the newer authnz_external module, which needs an AuthBasicProvider line:

 AuthName "mySite"
 AuthType Basic
 '''AuthBasicProvider external'''
 AuthExternal pwauth
 GroupExternal unixgroup
 AuthzUserAuthoritative off
 Require group group1 group2 group3
 Require user admin pierre paul
 Satisfy all

* Forum references

Two methods are outlined in this forum post:

http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967

One method solves this by expanding the group to all its members and adding them to the Require user directive, see

http://forums.contribs.org/index.php/topic,38959.msg177464.html#msg177464

The other method solves this by using the unixgroup check script, see

http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967
=== Testing ===

Now you can test the web site access. Carry out appropriate testing to ensure the directives used are working.

For rewrites, check that the correct site is resolved, and that a request carrying one of the blocked patterns in its query string is refused.

For auth, first ensure you have created the actual web site folder or subfolder, and then browse to your newly secured location, ie

 www.yourdomain.com/ibayname/foldername/subfoldername

You will be asked for a user ID and password.

Enter any combination that is allowed by your configuration to gain access, ie one that is in your password file, is any SME user, or is a specified SME user. Also confirm the negative cases: a wrong password and a user who is not listed must both be refused, and a request made with a method other than GET (a POST, for instance, sent with a tool such as curl that lets you choose the method) must be challenged in exactly the same way.
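To test the method coverage more rigorously than a browser allows, the following Python script, added for this article and not part of SME Server, sends the same request to the protected location with several HTTP methods, once without credentials and once with them, and reports any method that is not challenged with 401. The URL, user and password are taken from the command line; nothing about the server is assumed. The result matrix at the bottom is constructed to show what a fragment whose require directive sits inside a <Limit GET> wrapper would typically produce.

```python
"""Check that a password-protected location challenges every request
method, not only GET.

Added example for this article; not SME Server or Apache code.  probe()
sends real requests with urllib; classify() is pure logic over a matrix of
status codes and is what the constructed sample at the bottom exercises.
"""
import base64
import urllib.error
import urllib.request
from typing import Dict, List, Optional

METHODS = ("GET", "HEAD", "POST", "OPTIONS", "PUT")


def status_of(url: str, method: str, user: Optional[str] = None,
              password: Optional[str] = None, timeout: float = 10.0) -> int:
    """Return the HTTP status for one request; HTTP errors are returned, not raised."""
    body = b"" if method in ("POST", "PUT") else None
    req = urllib.request.Request(url, data=body, method=method)
    if user is not None:
        # Build the Basic header by hand so the default handlers do not retry.
        token = base64.b64encode(("%s:%s" % (user, password or "")).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(url: str, user: str, password: str) -> Dict[str, Dict[str, int]]:
    """Collect status codes for every method, anonymous and credentialed."""
    return {
        "anonymous": {m: status_of(url, m) for m in METHODS},
        "credentialed": {m: status_of(url, m, user, password) for m in METHODS},
    }


def classify(results: Dict[str, Dict[str, int]]) -> List[str]:
    """Turn a results matrix into findings.

    Every anonymous request must be answered 401.  A 405 means the server
    refused the method before authorization was considered; that is fine for
    static content but worth a second look where scripts run.  The
    credentialed GET must succeed, otherwise the password is wrong or the
    auth provider is not wired up and the other results are meaningless.
    """
    findings: List[str] = []
    for method, code in results["anonymous"].items():
        if code == 401:
            continue
        if code == 405:
            findings.append("%s without credentials: 405 from the server itself, not from auth;"
                            " acceptable for static content, re-check if scripts run here" % method)
        else:
            findings.append("%s without credentials returned %d, expected 401" % (method, code))
    cred_get = results["credentialed"].get("GET")
    if cred_get != 200:
        findings.append("GET with valid credentials returned %s, expected 200" % cred_get)
    return findings


# Constructed sample: what a require inside <Limit GET> typically yields.
LIMIT_GET_SAMPLE = {
    "anonymous": {"GET": 401, "HEAD": 401, "POST": 200, "OPTIONS": 200, "PUT": 405},
    "credentialed": {"GET": 200, "HEAD": 200, "POST": 200, "OPTIONS": 200, "PUT": 405},
}

# Constructed sample: the same location with an unwrapped require.
FIXED_SAMPLE = {
    "anonymous": {m: 401 for m in METHODS},
    "credentialed": {"GET": 200, "HEAD": 200, "POST": 200, "OPTIONS": 200, "PUT": 405},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: %s URL USER PASSWORD" % sys.argv[0])
    matrix = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    for line in classify(matrix) or ["no findings: every method is challenged"]:
        print(line)
```

Run it against the https:// form of the location so the test itself does not send the password in clear. The sample matrices show the point of the exercise: the <Limit GET> configuration yields POST and OPTIONS responses of 200 without credentials, while the unwrapped require yields no findings.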
  
=== Deletion procedure ===

To undo any changes you make using this method, do the following, replacing filenames with those actually used:

 rm /etc/passwordfilename
 rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder
 rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35-group-auth
 expand-template /etc/httpd/conf/httpd.conf
 sv t /service/httpd-e-smith
 sv s /service/httpd-e-smith

Remove only the fragments you created: the 35-group-auth line applies only if you set up group authentication (and if you placed that fragment under /etc/e-smith/templates rather than templates-custom, remove it from there). After expanding, confirm that the Directory block for your folder no longer appears in /etc/httpd/conf/httpd.conf before restarting.
  
== Using a .htaccess file to configure htaccess requirements - not recommended ==

These instructions are added here for general interest. Users should heed the recommendations in this article and instead use custom templates where possible to achieve the same end result.

The alternative, commonly used method of implementing access controls or custom directives on a Linux-based web server is to create a file called .htaccess in the directory you want to control, and include your directives in that file.

To allow users to independently change web access controls (where this is permitted by the system administrator), .htaccess can be enabled for an ibay on SME Server using the following commands:

 db accounts setprop ibayname AllowOverride All
 expand-template /etc/httpd/conf/httpd.conf
 service httpd-e-smith restart

The screen will display

 Restarting httpd-e-smith                                  [  OK  ]

AllowOverride can be set to values other than "All", and should be set as narrowly as possible to meet users' needs; AuthConfig alone, for example, permits the authentication directives used on this page but not Options, which governs whether CGI execution and symlink following can be switched on. Consult the [http://httpd.apache.org/docs/current/mod/core.html#allowoverride Apache documentation] for valid values of this parameter. This is only required if there is a legitimate need for system users to independently change web access controls. If it is enabled, the system administrator should regularly review the contents of .htaccess files to ensure security is not compromised: with AllowOverride All, anyone who can write to the ibay, including an attacker who has found an upload flaw in a web application hosted there, can change how the web server treats that directory.

== Additional Information ==

See these resources for further information about creating and using htaccess. Much of the information is not directly applicable to the method outlined in this HOWTO, but it will assist in determining the contents of the custom template fragment (ie the directives to use).

http://httpd.apache.org/docs/current/howto/htaccess.html

http://www.freewebmasterhelp.com/tutorials/htaccess/

http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual

Other References:

http://forums.contribs.org/index.php?topic=42190.0

----

[[Category:Howto]]
[[Category:Security]]

Latest revision as of 16:38, 11 November 2014

htaccess configuration using custom templates

Problem

A system administrator wants to implement custom restrictions or directives for a web-accessible directory on a SME Server, but as .htaccess files are disabled by default on SME Server, and the enabling of them is not generally recommended, then another method is required.

These restrictions or access controls may include limiting access to a specified range of IP addresses, enabling the Apache rewrite engine (and specifying rewrite rules), requiring a password to access a subdirectory of an ibay, and numerous other possibilities.

Solution

The recommended way to implement custom access controls or web server directives on an SME server is to add those controls to the main web server configuration file using custom template fragments. This method allows the system administrator to keep control of the web server security settings, and ensures that other system users will not inadvertently (or deliberately) compromise the web server's security.

The Apache web server documentation recommends avoiding use of .htaccess files when possible, for both performance and security reasons.

Various examples are shown in this article, which include basic redirection & rewrite, and how to implement secure authorised access to folders/subfolders in SME Server ibays using different auth methods.

A default SME Server server manager panel allows ibay access from the Internet to be secured with a password, (see Information Bay panel). This only controls access to the main ibay folder & does not control access to individual folders or subfolders, so the auth examples given, can allow further control possibilities beyond the default settings available in SME server.


Important.png Note:
These are specific examples only, & the custom template method can be configured for any directives, as required by the sysadmin.


Using custom templates to configure htaccess requirements

Determining contents of template fragment

A .htaccess file implements web server directives for the directory in which it is placed, and any subdirectory. Those directives can also be placed in the main web server configuration file, which is the method described on this page. Due to the way SME server uses templates for configuration files, we will create a small template file (a "template fragment") incorporating our desired changes, rather than directly editing the main configuration file. For this method to work, however, the directory to which those directives apply must be explicitly specified.

A template fragment intended to replace a .htaccess file will include a Directory tag, the server directives, and a /Directory tag. It will look like this:

<Directory /home/e-smith/files/ibays/youribayname/html>
(any server directives that are appropriate)
</Directory>

Initially you will need to determine the contents of your .htacess file to be used in the fragment. Refer to the .htaccess web site links below for more details. A basic .htaccess file designed for user authorisation purposes, may contain the following (see specific examples in following sections):

AuthUserFile /etc/passwordfilename
AuthGroupFile /dev/null
AuthName "My Site Security Group"
AuthType Basic
<Limit GET>
order deny,allow
require valid-user
</Limit>

The AuthUserFile will be the location on your sme server of the htaccess password file. You can choose whichever name and location you want, but the password file SHOULD NOT be placed in a publicly accessible area ie NOT in web site folders. Note that this file is created using the htpasswd command (see steps later).

The AuthName can be any name you want.

The rest of the details are basic and can be amended to suit your particular requirements.


Warning.png Warning:
Please choose your AuthUserFile password file name carefully so that it does not correspond with existing filenames. Do not name the file passwd as that filename already exists, and you will overwrite the original system file and make your server inaccessible. Choose a meaningful name like ibaypasswords or similar.


Creating the template fragment

For any of the examples below, you will create one or more custom template fragments, edit them to meet your requirements, expand the httpd.conf file, and restart the web server. Take the following steps:

First, create the directory for your template fragments, if it doesn't already exist:

[root@e-smith ~]# mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

The -p flag will create any intermediate directories, if they don't already exist. If this directory already exists, the command will return without an error.

Then, change to the template directory and create a new template fragment, with the name of your choice:

 [root@e-smith ~]# cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 [root@e-smith httpd.conf]# nano -w 50AddSecureIbayFolder

Edit the file to include the text from one of the examples below, or any other directives that are appropriate for your installation. The -w flag to nano disables word wrap, so nano will not insert line breaks on long lines. Once you are finished editing the file, press Ctrl-X to exit, and Y to save. Then

 [root@e-smith httpd.conf]# expand-template /etc/httpd/conf/httpd.conf
 [root@e-smith httpd.conf]# service httpd-e-smith restart

Your web server is now restarted with your custom settings in place. You should test them to ensure the function as intended.

Examples

Basic layout of fragment for a redirect rewrite directive

Create a custom httpd.conf template fragment that looks like this (replace with appropriate details)

<Directory /home/e-smith/files/ibays/youribay/html>
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
...
</Directory>

Authentication against a user password file

Using the htaccess file contents example from above, and assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following (ensure there is an empty line at the end)

<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthUserFile /etc/passwordfilename
AuthGroupFile /dev/null
AuthName "My Site Security Group"
AuthType Basic
<Limit GET>
order deny,allow
require valid-user
</Limit>
</Directory>


Important.png Note:
in according with bugzilla:7871 and bugzilla:7890 the following apache modules are loaded by default in the SME8 and also in the future release of SME9.
auth_basic
authn_file,
authz_groupfile

there is no longer the requirement to add these by using a custom template 20LoadModule55


Password file creation

Now you need to create the password file, change to the location you want the password file in

cd /etc

then do

htpasswd -c passwordfilename user1

then you will be asked to enter the password

and then asked to confirm the password

The user name and password will be encoded into the password file

To add a second user and password do

htpasswd passwordfilename user2

then you will be asked to enter the password

and then asked to confirm the password

To add a third user and password do

htpasswd passwordfilename user3

then you will be asked to enter the password

and then asked to confirm the password

and so on.

You should only use the -c switch when entering the first user.

If you use the -c switch when entering additional user details you will overwrite the password file completely and only have the one user entry there.

Authentication against all sme users

Determine the contents of your .htacess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.

Assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following (ensure there is an empty line at the end)

<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthName "My Site Security Group"
AuthType Basic
AuthExternal pwauth
<Limit GET>
order deny,allow
require valid-user
</Limit>
</Directory>


Important.png Note:
the "valid-user" setting will allow any valid sme user to gain access


  • With SME9 you have to slightly modified the code due to the new authentication authnz_external_module
<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthName "My Site Security Group"
AuthBasicProvider external
AuthType Basic
AuthExternal pwauth
<Limit GET>
order deny,allow
require valid-user
</Limit>
</Directory>


Important.png Note:
in according with bugzilla:7871 and bugzilla:7890 the following apache modules are loaded by default in the SME8 and also in the future release of SME9.
auth_basic
authn_file,
authz_groupfile

there is no longer the requirement to add these by using a custom template 20LoadModule55


Authentication against specified sme users

Determine the contents of your .htacess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.

Assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername

edit the fragment file to contain the following (ensure there is an empty line at the end)

<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthName "My Site Security Group"
AuthType Basic
AuthExternal pwauth
<Limit GET>
order deny,allow
require user admin smeusername1 smeusername2 smeusername3 smeusername4
</Limit>
</Directory>


Important.png Note:
where admin, smeusername1, smeusername2 etc are valid users on the sme server


  • With SME9 you have to slightly modified the code due to the new authentication authnz_external_module
<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
AuthName "My Site Security Group"
AuthBasicProvider external
AuthType Basic
AuthExternal pwauth
<Limit GET>
order deny,allow
require user admin smeusername1 smeusername2 smeusername3 smeusername4
</Limit>
</Directory>


Note:
According to bugzilla:7871 and bugzilla:7890, the following Apache modules are loaded by default in SME8 and will also be loaded in the future release SME9:
auth_basic
authn_file
authz_groupfile

so there is no longer any need to add them using a custom template 20LoadModule55.


Authentication against groups

  • Unixgroup

On SME Server 8 you have to download a pwauth plugin to authenticate against a Unix group: http://code.google.com/p/pwauth/ For SME Server 9 an NFR (new feature request) has been raised; see bugzilla:3690.

wget http://pwauth.googlecode.com/files/pwauth-2.3.10.tar.gz
tar xvzf pwauth-2.3.10.tar.gz
cp pwauth-2.3.10/unixgroup /usr/lib/httpd/modules/
chown root:www /usr/lib/httpd/modules/unixgroup
chmod 750 /usr/lib/httpd/modules/unixgroup

We need to create a new fragment:

nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth

{
       $OUT .= "     AddExternalGroup unixgroup /usr/lib/httpd/modules/unixgroup\n";
       $OUT .= "     SetExternalGroupMethod unixgroup environment\n";
}

[root@sme8 ~]# expand-template /etc/httpd/conf/httpd.conf
[root@sme8 ~]# sv t /service/httpd-e-smith
[root@sme8 ~]# sv s /service/httpd-e-smith


After that you are able to check for group membership using the following code in .htaccess files (be sure that "AllowOverride AuthConfig" is permitted in the Apache directory rule for your directory):

   AuthName "mySite"
   AuthType Basic
   AuthExternal pwauth
   GroupExternal unixgroup
   Require group mygroup
   Satisfy all

mygroup must be a valid group on your server. After that you are able to check for group membership. If you have several groups, list them all on the same directive: Require group group1 group2 group3

If you want to allow groups and certain users, you can do it like this:

   AuthName "mySite"
   AuthType Basic
   AuthExternal pwauth
   GroupExternal unixgroup
   AuthzUserAuthoritative off
   Require group group1 group2 group3
   Require user admin pierre paul
   Satisfy all
  • With SME9 you have to slightly modify the code because of the new authentication module, authnz_external_module:
   AuthName "mySite"
   AuthType Basic
   AuthBasicProvider external
   AuthExternal pwauth
   GroupExternal unixgroup
   AuthzUserAuthoritative off
   Require group group1 group2 group3
   Require user admin pierre paul
   Satisfy all


  • Forum references

Two methods are outlined in this forum post:

http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967

One method solves this by expanding the group to all of its members and adding them to the Require user directive; see

http://forums.contribs.org/index.php/topic,38959.msg177464.html#msg177464

The other method solves this by using the unixgroup check script; see

http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967

Testing

Now you can test the web site access.

Carry out appropriate testing to ensure the directives used are working.

For rewrites check that the correct site is resolved.

For auth, first ensure you have created the actual web site folder or subfolder, and then browse to your newly secured location, i.e.

www.yourdomain.com/ibayname/foldername/subfoldername

You will be asked for a user ID and password.

Enter any combination that is allowed by your configuration to gain access, i.e. a user in your password file, any SME user, or a specified SME user.
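The browser test above can be scripted so it is repeatable after every template change. The following shell script is an added example, not part of the original wiki page; it assumes curl is installed, and the URL, user name and password in the usage line are the article's placeholders that you replace with your own. The CURL variable only exists so the logic can be exercised against a stand-in. Besides the 401/200 checks, it fetches <folder>/.htaccess as the authenticated user and expects 403 or 404, since a readable .htaccess would disclose your access rules:

```shell
#!/bin/sh
# Added example (not part of the SME Server wiki page): verify that a secured
# folder challenges anonymous visitors, admits a permitted user, and does not
# serve any .htaccess file that may sit inside it. Requires curl; the CURL
# variable exists only so the logic can be exercised against a stand-in.
CURL="${CURL:-curl}"

# Print only the HTTP status code for a URL, optionally sending Basic-auth credentials.
http_status() {
    _url=$1
    _creds=${2:-}
    if [ -n "$_creds" ]; then
        "$CURL" -s -o /dev/null -w '%{http_code}' -u "$_creds" "$_url"
    else
        "$CURL" -s -o /dev/null -w '%{http_code}' "$_url"
    fi
}

# Return 0 only if: anonymous access is refused with 401, the given user:password
# gets 200, and <folder>/.htaccess is not readable even by that user (403 or 404).
check_protected_folder() {
    _folder=$1
    _user=$2            # "username:password"
    anon=$(http_status "$_folder")
    auth=$(http_status "$_folder" "$_user")
    ht=$(http_status "${_folder%/}/.htaccess" "$_user")
    [ "$anon" = 401 ] || { echo "FAIL: anonymous request got $anon, expected 401" >&2; return 1; }
    [ "$auth" = 200 ] || { echo "FAIL: ${_user%%:*} got $auth, expected 200" >&2; return 1; }
    case "$ht" in
        403|404) ;;
        *) echo "FAIL: .htaccess is exposed (HTTP $ht)" >&2; return 1 ;;
    esac
    echo "OK: $_folder challenges anonymous access and admits ${_user%%:*}"
}

# Usage (placeholders from the article; replace with your own host, user and password):
# check_protected_folder http://www.yourdomain.com/ibayname/foldername/subfoldername smeusername1:secret
```

Run it once with a user that should be admitted and once with one that should not; the second run must fail on the 200 check.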

Deletion procedure

To undo any changes you make using this method, do the following, replacing the filenames with those actually used:

rm /etc/passwordfilename
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder
rm /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth 
expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith
sv s /service/httpd-e-smith
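The expand-template / sv sequence used here, and when creating the 35-group-auth fragment earlier, restarts Apache without first checking that the regenerated httpd.conf parses; a typo in a fragment then leaves the web server down. The following script is an added example, not from the SME Server wiki or the e-smith project. It assumes httpd is at /usr/sbin/httpd and that expand-template and sv are on the PATH; the variables exist so those locations can be overridden:

```shell
#!/bin/sh
# Added example (not from the SME Server wiki): regenerate httpd.conf from its
# template fragments, syntax-check the result, and only restart Apache when the
# check passes, so a typo in a fragment cannot take the web server down.
# The command locations below are assumptions; override them via the environment.
EXPAND="${EXPAND:-expand-template}"
HTTPD="${HTTPD:-/usr/sbin/httpd}"
SV="${SV:-sv}"
CONF="${CONF:-/etc/httpd/conf/httpd.conf}"

apply_httpd_templates() {
    # Step 1: rebuild the configuration file from the template fragments.
    "$EXPAND" "$CONF" || { echo "expand-template failed for $CONF" >&2; return 1; }

    # Step 2: 'httpd -t' parses the config without starting a server; a non-zero
    # exit means Apache would refuse to (re)start with this file.
    if ! "$HTTPD" -t -f "$CONF" >/dev/null 2>&1; then
        echo "$CONF failed the syntax check; Apache is left running on the old config" >&2
        "$HTTPD" -t -f "$CONF" >&2   # run again so the parser's error message is visible
        return 1
    fi

    # Step 3: terminate the runit-supervised service (runit restarts it) and show its status.
    "$SV" t /service/httpd-e-smith && "$SV" s /service/httpd-e-smith
}

# Run as root on the SME server after editing or removing a fragment:
# apply_httpd_templates
```

If the syntax check fails, fix the fragment and run the function again; the running Apache keeps serving with the previous configuration in the meantime.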

Using a .htaccess file to configure htaccess requirements - not recommended

These instructions are added here for general interest. Users should heed the recommendations in this article and instead use custom templates where possible to achieve the same end result.

The alternative commonly used method of implementing access controls or custom directives on a Linux-based server is to create a file called .htaccess in the directory you want to control, and include your instructions in that file.

To allow users to independently change web access controls (where this is permitted by the system administrator), .htaccess can be enabled for an ibay on SME server using the following commands:

db accounts setprop ibayname AllowOverride All
expand-template /etc/httpd/conf/httpd.conf 
service httpd-e-smith restart

The screen will display

Restarting httpd-e-smith [ OK ]

AllowOverride can be set to values other than "All", and should be set as narrowly as possible to meet users' needs. Consult the Apache documentation for valid values of this parameter. This is only required if there is a legitimate need for system users to independently change web access controls. If this is enabled, the system administrator should regularly monitor the contents of .htaccess files to ensure security is not compromised.

Additional Information

See these resources for further information about creating and using htaccess. Much of the information is not directly applicable to the method outlined in this HOWTO, but it will assist in determining the contents of the custom template fragment (i.e. the directives to use).

http://httpd.apache.org/docs/current/howto/htaccess.html

http://www.freewebmasterhelp.com/tutorials/htaccess/

http://www.its.queensu.ca/network/policy/htaccess.shtml

http://www.washington.edu/computing/web/publishing/htaccess.html

http://www.htmlite.com/HTA003.php

http://www.cs.hmc.edu/qref/web/htaccess.html

For further information about custom templates see:

http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual

Other References:

http://forums.contribs.org/index.php?topic=42190.0