Difference between revisions of "Htaccess"
Revision as of 02:14, 10 November 2014
htaccess configuration using custom templates
Problem
A system administrator wants to implement custom restrictions or directives for a web-accessible directory on a SME Server, but because .htaccess files are disabled by default on SME Server, and enabling them is not generally recommended, another method is required.
These controls may include limiting access to a specified range of IP addresses, enabling the Apache rewrite engine (and specifying rewrite rules), requiring a password to access a subdirectory of an ibay, and numerous other possibilities.
Solution
The recommended way to implement custom access controls or web server directives on an SME server is to add those controls to the main web server configuration file using custom template fragments. This method allows the system administrator to keep control of the web server security settings, and ensures that other system users will not inadvertently (or deliberately) compromise the web server's security.
The Apache web server documentation recommends avoiding use of .htaccess files when possible, for both performance and security reasons.
Various examples are shown in this article, including how to implement secure, authorised access to folders and subfolders in your SME Server ibays. The default settings in SME Server allow you to secure an ibay using the Information Bay panel in server-manager, by creating an ibay password that is used to allow authorised access to the ibay from the Internet, but this does not control access to individual folders.
Using custom templates to configure htaccess requirements
Determining contents of htaccess fragment
This method involves creating a httpd.conf custom template fragment with the required information.
Initially you will need to determine the contents of the .htaccess file to be used in the fragment. Refer to the .htaccess web site links below for more details. A basic .htaccess file designed for user authorisation purposes may contain the following (see specific examples in the following sections):
    AuthUserFile /etc/passwordfilename
    AuthGroupFile /dev/null
    AuthName "My Site Security Group"
    AuthType Basic
    <Limit GET>
    order deny,allow
    require valid-user
    </Limit>
The AuthUserFile is the location on your SME Server of the htaccess password file. You can choose whichever name and location you want, but the password file SHOULD NOT be placed in a publicly accessible area, i.e. NOT in web site folders. Note that this file is created using the htpasswd command (see the steps later).
The AuthName can be any name you want.
The rest of the details are basic and can be amended to suit your particular requirements.
Examples
Example 1 - Basic layout of fragment for a redirect rewrite directive
Create a custom httpd.conf template fragment that looks like this (replace with the appropriate details):
    <Directory /home/e-smith/files/ibays/youribay/html>
    RewriteEngine On
    RewriteRule whatever ...
    </Directory>
Then
    expand-template /etc/httpd/conf/httpd.conf
    service httpd-e-smith restart
Example 2 - authentication against a user password file
Determine the contents of your .htaccess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.
Custom template creation
Next you need to create the custom template.
Log on to your server command prompt as root or with root privileges and do (assuming the directory does not already exist):
    mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
Create a fragment with a name of your choice:
    cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
    nano -w 50AddSecureIbayFolder
Using the htaccess file contents example from above, and assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername
edit the fragment file to contain the following (ensure there is an empty line at the end)
    <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
    AuthUserFile /etc/passwordfilename
    AuthGroupFile /dev/null
    AuthName "My Site Security Group"
    AuthType Basic
    <Limit GET>
    order deny,allow
    require valid-user
    </Limit>
    </Directory>
Save with Ctrl+X.
Password file creation
Now you need to create the password file. Change to the location where you want the password file to be:
cd /etc
then do
htpasswd -c passwordfilename user1
then you will be asked to enter the password
and then asked to confirm the password
The user name and the hashed password are written to the password file.
To add a second user and password do
htpasswd passwordfilename user2
then you will be asked to enter the password
and then asked to confirm the password
To add a third user and password do
htpasswd passwordfilename user3
then you will be asked to enter the password
and then asked to confirm the password
and so on.
You should only use the -c switch when entering the first user.
If you use the -c switch when entering additional user details you will overwrite the password file completely and only have the one user entry there.
Example 3 - authentication against all sme users
Determine the contents of your .htaccess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.
Custom template creation
    mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
    cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
    nano -w 50AddSecureIbayFolder
Assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername,
edit the fragment file to contain the following (ensure there is an empty line at the end):
    <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
    AuthName "My Site Security Group"
    AuthType Basic
    AuthExternal pwauth
    <Limit GET>
    order deny,allow
    require valid-user
    </Limit>
    </Directory>
- With SME9 you have to modify the code slightly because of the new authnz_external authentication module:
    <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
    AuthName "My Site Security Group"
    AuthBasicProvider external
    AuthType Basic
    AuthExternal pwauth
    <Limit GET>
    order deny,allow
    require valid-user
    </Limit>
    </Directory>
Example 4 - authentication against specified sme users
Determine the contents of your .htaccess file to be used in the fragment, as mentioned previously. The contents shown below will suffice for standard situations.
Custom template creation
    mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
    cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
    nano -w 50AddSecureIbayFolder
Assuming we want to secure an ibay subfolder called /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername,
edit the fragment file to contain the following (ensure there is an empty line at the end):
    <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
    AuthName "My Site Security Group"
    AuthType Basic
    AuthExternal pwauth
    <Limit GET>
    order deny,allow
    require user admin smeusername1 smeusername2 smeusername3 smeusername4
    </Limit>
    </Directory>
- With SME9 you have to modify the code slightly because of the new authnz_external authentication module:
    <Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
    AuthName "My Site Security Group"
    AuthBasicProvider external
    AuthType Basic
    AuthExternal pwauth
    <Limit GET>
    order deny,allow
    require user admin smeusername1 smeusername2 smeusername3 smeusername4
    </Limit>
    </Directory>
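The fragments in Examples 2, 3 and 4 differ only in the authentication source (a password file or pwauth), the SME version (SME9 needs AuthBasicProvider external) and the require line (valid-user or a list of users). The following POSIX shell helper, an added example that is not code from this wiki page or from the SME Server project, renders those variants from parameters, writes the fragment with the trailing empty line the page requires, refuses a password file placed under an ibay's html tree, and wraps htpasswd so that -c is only used for a new file. The function names, the FRAGMENT_DIR variable and the sample values are assumptions of this example; on a real SME Server FRAGMENT_DIR is /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example (not code from the SME Server wiki): render and write the
# httpd.conf custom-template fragments of Examples 2, 3 and 4 from a few
# parameters, and wrap htpasswd so that -c is only used for a new file.
# Assumptions of this example: the function names, the FRAGMENT_DIR
# variable and the sample values below. On a real SME Server FRAGMENT_DIR is
# /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf; it defaults to a
# scratch directory so the script can be exercised on any machine.

FRAGMENT_DIR=${FRAGMENT_DIR:-/tmp/httpd.conf.fragments}

# Succeeds only for an absolute path that is not inside an ibay's web-served
# html tree (the page: the password file must NOT be in web site folders).
authfile_is_private() {
    case "$1" in
        /home/e-smith/files/ibays/*/html)   return 1 ;;
        /home/e-smith/files/ibays/*/html/*) return 1 ;;
        /*)                                 return 0 ;;
        *)                                  return 1 ;;  # relative: ambiguous
    esac
}

# render_fragment SOURCE SME_VERSION DIR REALM AUTHFILE [USER...]
#   SOURCE       file   -> AuthUserFile (Example 2)
#                pwauth -> AuthExternal pwauth (Examples 3 and 4)
#   SME_VERSION  8 or 9; 9 adds "AuthBasicProvider external" for pwauth
#   USER...      none -> "require valid-user", otherwise "require user ..."
# Prints the <Directory> block on stdout.
render_fragment() {
    src=$1; smever=$2; dir=$3; realm=$4; authfile=$5
    shift 5
    printf '<Directory %s>\n' "$dir"
    printf '    AuthName "%s"\n' "$realm"
    printf '    AuthType Basic\n'
    case "$src" in
        file)
            printf '    AuthUserFile %s\n' "$authfile"
            printf '    AuthGroupFile /dev/null\n' ;;
        pwauth)
            if [ "$smever" = 9 ]; then
                printf '    AuthBasicProvider external\n'
            fi
            printf '    AuthExternal pwauth\n' ;;
        *)
            echo "render_fragment: unknown source '$src'" >&2
            return 2 ;;
    esac
    if [ $# -eq 0 ]; then
        printf '    require valid-user\n'
    else
        printf '    require user %s\n' "$*"
    fi
    printf '</Directory>\n'
}

# write_fragment NAME SOURCE SME_VERSION DIR REALM AUTHFILE [USER...]
# Writes the block to FRAGMENT_DIR/NAME followed by one empty line (the page
# insists on it, so the fragment does not run into the next one) and prints
# the path. Refuses a password file in a public location.
write_fragment() {
    name=$1; shift
    if [ "$1" = file ] && ! authfile_is_private "$5"; then
        echo "write_fragment: password file '$5' is in a public location" >&2
        return 1
    fi
    mkdir -p "$FRAGMENT_DIR" || return 1
    target="$FRAGMENT_DIR/$name"
    if ! { render_fragment "$@" && printf '\n'; } > "$target"; then
        rm -f "$target"
        return 1
    fi
    echo "$target"
}

# htpasswd_create_flag FILE: "-c" when FILE does not exist yet, empty
# otherwise, so that an existing password file is never overwritten.
htpasswd_create_flag() {
    if [ -f "$1" ]; then printf ''; else printf '%s' '-c'; fi
}

# htpasswd_add FILE USER: add or replace USER in FILE with the right flag.
# htpasswd prompts for the password twice, exactly as on the page.
htpasswd_add() {
    flag=$(htpasswd_create_flag "$1")
    if ! command -v htpasswd >/dev/null 2>&1; then
        echo "htpasswd not installed; would run: htpasswd $flag $1 $2" >&2
        return 127
    fi
    htpasswd $flag "$1" "$2"   # $flag deliberately unquoted: may be empty
}

# Demonstration with constructed values: sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    f=$(write_fragment 50AddSecureIbayFolder file 8 \
        /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername \
        "My Site Security Group" /etc/passwordfilename) && cat "$f"
    render_fragment pwauth 9 /home/e-smith/files/ibays/ibayname/html/foldername \
        "My Site Security Group" "" admin smeusername1 smeusername2
fi
```

Run it with `sh thisscript.sh demo` to see both forms; on a real server, point FRAGMENT_DIR at the templates-custom directory, then run expand-template /etc/httpd/conf/httpd.conf, check the result with httpd -t before restarting httpd-e-smith, and use htpasswd_add for each user. The rendered blocks deliberately leave out the <Limit GET> wrapper and the "order deny,allow" line that the page's snippets carry: the Apache documentation notes that a <Limit> section applies its directives only to the listed methods (GET also covers HEAD) and recommends keeping access-control directives outside <Limit> so that every method is covered, and "order deny,allow" has no effect without matching Deny and Allow directives.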
Example 5 - authentication against groups
- Unixgroup
To authenticate against Unix groups on SME Server 8 you have to download the unixgroup plugin from the pwauth project: http://code.google.com/p/pwauth/
For SME Server 9 an NFR (new feature request) has been raised; see bugzilla:3690.
    wget http://pwauth.googlecode.com/files/pwauth-2.3.10.tar.gz
    tar xvzf pwauth-2.3.10.tar.gz
    cp pwauth-2.3.10/unixgroup /usr/lib/httpd/modules/
    chown root:www /usr/lib/httpd/modules/unixgroup
    chmod 750 /usr/lib/httpd/modules/unixgroup
We need to create a new fragment:
    nano /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth
    {
        $OUT .= " AddExternalGroup unixgroup /usr/lib/httpd/modules/unixgroup\n";
        $OUT .= " SetExternalGroupMethod unixgroup environment\n";
    }
Then expand the template and restart the web server:
    [root@sme8 ~]# expand-template /etc/httpd/conf/httpd.conf
    [root@sme8 ~]# sv t /service/httpd-e-smith
    [root@sme8 ~]# sv s /service/httpd-e-smith
After that you can check for group membership with the following directives in a .htaccess file (make sure the Apache directory rule for that location permits "AllowOverride AuthConfig"):
    AuthName "mySite"
    AuthType Basic
    AuthExternal pwauth
    GroupExternal unixgroup
    Require group mygroup
    Satisfy all
mygroup must be a valid group on your server. To accept membership of any one of several groups, list them all on the Require line: Require group group1 group2 group3
If you want to allow groups and certain users as well, you can do it like this:
    AuthName "mySite"
    AuthType Basic
    AuthExternal pwauth
    GroupExternal unixgroup
    AuthzUserAuthoritative off
    Require group group1 group2 group3
    Require user admin pierre paul
    Satisfy all
- With SME9 you have to modify the code slightly because of the new authnz_external authentication module:
    AuthName "mySite"
    AuthType Basic
    AuthBasicProvider external
    AuthExternal pwauth
    GroupExternal unixgroup
    AuthzUserAuthoritative off
    Require group group1 group2 group3
    Require user admin pierre paul
    Satisfy all
- Forum's references
Two methods are outlined in this forum post
http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967
One method solves this by expanding the group to all members in it and adding them to the required user directive, see
http://forums.contribs.org/index.php/topic,38959.msg177464.html#msg177464
The other method solves this by using the unixgroup check script, see
http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967
Testing
Now you can test the web site access.
Ensure you have created the actual web site folder or subfolder, and then browse to your newly secured location, i.e.
    www.yourdomain.com/ibayname/foldername/subfoldername
You will be asked for a user ID and password.
Enter any combination that is allowed by your configuration to gain access, i.e. one that is in your password file, is any SME user, or is a specified SME user.
Deletion procedure
To undo any changes you make using this method, do the following, replacing the filenames with those actually used:
    rm /etc/passwordfilename
    rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder
    rm /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth
    expand-template /etc/httpd/conf/httpd.conf
    sv t /service/httpd-e-smith
    sv s /service/httpd-e-smith
Using a .htaccess file on SME server - not recommended
These instructions are added here for general interest. Users should heed the recommendations in this article and instead use custom templates where possible to achieve the same end result.
The alternative commonly used method of implementing access controls or custom directives on a Linux-based server is to create a file called .htaccess in the directory you want to control, and include your instructions in that file.
To allow users to independently change web access controls (where this is permitted by the system administrator), .htaccess can be enabled for an ibay on SME server using the following commands:
    db accounts setprop ibayname AllowOverride All
    expand-template /etc/httpd/conf/httpd.conf
    service httpd-e-smith restart
The screen will display
Restarting httpd-e-smith [ OK ]
AllowOverride can be set to values other than "All", and should be set as narrowly as possible to meet users' needs. Consult the Apache documentation for valid values of this parameter. This is only required if there is a legitimate need for system users to independently change web access controls. If this is enabled, the system administrator should regularly monitor the contents of .htaccess files to ensure security is not compromised.
Additional Information
See these resources for further information about creating and using htaccess, although much of that information is not applicable to the method outlined in this HOWTO.
It will assist you to determine the contents of the htaccess file that will be placed into the custom template fragment.
http://www.freewebmasterhelp.com/tutorials/htaccess/
http://www.its.queensu.ca/network/policy/htaccess.shtml
http://www.washington.edu/computing/web/publishing/htaccess.html
http://www.htmlite.com/HTA003.php
http://www.cs.hmc.edu/qref/web/htaccess.html
For further information about custom templates see:
http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual
Other References:
http://forums.contribs.org/index.php?topic=42190.0