Difference between revisions of "Htaccess"
m (Htaccess configuration moved to Htaccess: almost everything is a configuration page)
RayMitchell (howto text added)
Revision as of 03:45, 30 October 2007
== htaccess configuration using custom templates ==

=== Problem ===
You want to implement secure authorised access to folders/subfolders in your sme server ibays.
The default settings in sme server allow you to secure the ibays using the Information Bay panel in server manager, by creating an ibay password which is used to allow authorised access to the ibay from the Internet, but this does not control access to individual folders.
=== Solution ===
A .htaccess file and an associated password file can restrict access to subfolders within ibays by user name and password. htaccess support is not enabled by default, and because .htaccess files live inside the web tree they are inherently exposed to the Internet and depend on correct file permissions to keep unauthorised users out; this makes them a security risk.

The recommended way to implement .htaccess on an SME server is to use custom templates, which are only under the control of the administrator and cannot be tampered with by anonymous Internet users. Using this method you do NOT need to install any contrib rpm.
=== Procedure ===

This method involves creating an httpd.conf custom template fragment with the required information.

First you need to determine the contents of the .htaccess file to be used in the fragment. Refer to the .htaccess web site links below for more details; a basic .htaccess file would contain the following:
 AuthUserFile /etc/passwordfilename
 AuthGroupFile /dev/null
 AuthName "My Site Security Group"
 AuthType Basic
 <Limit GET>
 order deny,allow
 require valid-user
 </Limit>
The AuthUserFile is the location on your SME server of the htaccess password file. You can choose whichever name and location you want, but the password file SHOULD NOT be placed in a publicly accessible area, i.e. NOT in web site folders. Note that this file is created using the htpasswd command (see the steps later).
The AuthName can be any name you want.
The rest of the directives are basic and can be amended to suit your particular requirements; the contents shown will suffice for standard situations. Note that <Limit GET> applies the require directive only to GET (and HEAD) requests, so other methods such as POST are not protected by it; if the folder must be protected against every request method, leave out the <Limit> wrapper so that require valid-user applies unconditionally.
==== Custom template creation ====

Next you need to create the custom template.

Log on to your server command prompt as root or with root privileges and create the custom template directory (assuming that it does not already exist):

 mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

Create a fragment with a name of your choice:

 cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 pico -w 50AddSecureIbayFolder
Using the htaccess file contents example from above, and assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername, edit the fragment file to contain the following:

 <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
     AuthUserFile /etc/passwordfilename
     AuthGroupFile /dev/null
     AuthName "My Site Security Group"
     AuthType Basic
     <Limit GET>
         order deny,allow
         require valid-user
     </Limit>
 </Directory>

then do:

 expand-template /etc/httpd/conf/httpd.conf
 sv t /service/httpd-e-smith

It is recommended practice to check that the service has restarted and is running, so do:

 sv s /service/httpd-e-smith
==== Password file creation ====

Now you need to create the password file. Change to the location you want the password file in:

 cd /etc

then do:

 htpasswd -c passwordfilename user1

You will be asked to enter the password, and then asked to confirm it.

The user name and the hashed password will be stored in the password file.

To add a second user and password do:

 htpasswd passwordfilename user2

You will again be asked to enter the password and then to confirm it.

To add a third user and password do:

 htpasswd passwordfilename user3

and so on, entering and confirming each password when prompted.

You should only use the -c switch when entering the first user.

If you use the -c switch when entering additional user details you will overwrite the password file completely and be left with only that one user entry.
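The template and password-file steps above, automated as a bash script. This is an added example, not code from the wiki page or from SME Server; the ibay, folder, password-file and realm arguments are assumptions, while the paths and the expand-template / sv commands are the ones the page uses. It also enforces the page's rule that the password file must not sit in a web site folder, chooses the htpasswd -c switch only when the file does not yet exist, and deliberately omits <Limit GET> so that require valid-user covers every HTTP method.

```shell
#!/bin/bash
# Added example (not from the SME Server wiki page) automating the steps
# above; ibay/folder/pwfile/realm arguments are assumptions, the paths and
# the expand-template / sv commands are the page's. Unlike the page's
# fragment it omits <Limit GET>, so "require valid-user" covers every method.
set -eu
TEMPLATE_DIR=/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
IBAY_ROOT=/home/e-smith/files/ibays

# Page's rule: the password file must not live in a web site folder (ibay tree).
pwfile_is_safe() {
  case "$1" in
    "$IBAY_ROOT"/*) return 1 ;;   # inside an ibay: exposed to the Internet
    /*)             return 0 ;;
    *)              return 1 ;;   # relative path: ambiguous, reject
  esac
}

# Print the <Directory> fragment for one secured subfolder.
make_fragment() {   # $1 = absolute directory, $2 = password file, $3 = realm
  printf '<Directory %s>\n' "$1"
  printf '    AuthUserFile %s\n' "$2"
  printf '    AuthGroupFile /dev/null\n'
  printf '    AuthName "%s"\n' "$3"
  printf '    AuthType Basic\n'
  printf '    require valid-user\n'
  printf '</Directory>\n'
}

# -c creates the file and wipes any existing users, so use it only once.
htpasswd_flags() {   # $1 = password file
  [ -e "$1" ] && echo "" || echo "-c"
}

# Add (or re-password) one user; htpasswd prompts for the password itself.
add_user() {   # $1 = password file, $2 = username
  htpasswd $(htpasswd_flags "$1") "$1" "$2"
}

# Write the fragment, regenerate httpd.conf, restart and check the service.
install_fragment() {   # $1 = ibay, $2 = folder/subfolder, $3 = pwfile, $4 = realm
  pwfile_is_safe "$3" || { echo "refusing $3: inside the web tree" >&2; return 1; }
  mkdir -p "$TEMPLATE_DIR"
  make_fragment "$IBAY_ROOT/$1/html/$2" "$3" "$4" > "$TEMPLATE_DIR/50AddSecureIbayFolder"
  expand-template /etc/httpd/conf/httpd.conf
  sv t /service/httpd-e-smith
  sv s /service/httpd-e-smith
}
```

A typical run on the server would be install_fragment ibayname foldername/subfoldername /etc/passwordfilename "My Site Security Group" followed by add_user /etc/passwordfilename user1 for each user.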
=== Testing ===

Now you can test the web site access.

Ensure you have created the actual web site folder or subfolder, and then browse to your newly secured location, i.e.

 www.yourdomain.com/ibayname/foldername/subfoldername

You will be asked for a user ID and password.

Enter any user name and password combination that is in your password file to gain access.
=== Deletion procedure ===

To delete or reverse any changes you make using this method, do the following, replacing the file names with those actually used:

 rm /etc/passwordfilename
 rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder
 expand-template /etc/httpd/conf/httpd.conf
 sv t /service/httpd-e-smith

It is recommended practice to check that the service did actually restart and is running, with:

 sv s /service/httpd-e-smith
=== Additional Information ===

See these resources for further information about creating and using htaccess, although much of that information is not applicable to the method outlined in this HOWTO.

They will assist you in determining the contents of the htaccess file that will be placed into the custom template fragment.
http://www.freewebmasterhelp.com/tutorials/htaccess/
http://www.its.queensu.ca/network/policy/htaccess.shtml
http://www.washington.edu/computing/web/publishing/htaccess.html
http://www.htmlite.com/HTA003.php
http://www.cs.hmc.edu/qref/web/htaccess.html
For further information about custom templates see:
http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual
=== Old Howto ===

This is a link to an earlier Howto that is still applicable to sme7.x:

http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/htaccess%20configuration%20with%20custom%20templates%20HOWTO%20for%20sme%20server.htm

That Howto refers to a deprecated command, /etc/e-smith/events/actions/restart-httpd-graceful.

Instead of that command, please use the following commands to restart and then check the httpd-e-smith service:

 sv t /service/httpd-e-smith
 sv s /service/httpd-e-smith