Changes

From SME Server
1,224 bytes added, 16:46, 11 October 2014
→‎Solution: Clarified reasoning for template fragment vs htaccess, linked to apache documentation, documented enabling htaccess if necessary (and why it might be necessary)
Line 7: Line 7:  
=== Solution ===
 
=== Solution ===
   −
The use of a .htaccess file and associated password file can control the security of subfolders within ibays by username and password. Htaccess is not enabled by default and .htaccess files are inherently exposed to the Internet and require the correct permissions to be applied to ensure that unauthorised access is not allowed, therefore creating a security risk.
+
The most common method of implementing access controls or custom directives on a Linux-based server is to create a file called .htaccess in the directory you want to control, and include your instructions in that file.  The alternative is to add the instructions to the web server's main configuration file.  The [http://httpd.apache.org/docs/current/howto/htaccess.html Apache web server documentation] recommends avoiding use of .htaccess files when possible, for both performance and security reasons. Therefore, '''.htaccess files are disabled by default''' on SME Server, and should not be enabled unless you have a need for your users to independently change web access controls.
   −
The recommended way to implement .htaccess on a SME server, is to use custom templates, which are only under the control of the administrator and cannot be tampered with by anonymous Internet users. Using this method you do NOT need to install any contrib rpm.
+
The recommended way to implement custom access controls or web server directives on an SME server is to add those controls to the main web server configuration file using custom template fragments.  This method allows the system administrator to keep control of the web server security settings, and ensures that other system users will not inadvertently (or deliberately) compromise the web server's security.
    +
If users need to be able to independently change web access controls, and the system administrator is willing to permit this, .htaccess can be enabled for an ibay using the following commands:
 +
 +
[root@e-smith httpd.conf]# '''db accounts setprop ibayname AllowOverride All'''
 +
[root@e-smith httpd.conf]# '''expand-template /etc/httpd/conf/httpd.conf'''
 +
[root@e-smith httpd.conf]# '''service httpd-e-smith restart'''
 +
Restarting httpd-e-smith                                  [  OK  ]
 +
 +
Again, this is only recommended if there is a legitimate need for system users to independently change web access controls.  If this is enabled, the system administrator should regularly monitor the contents of .htaccess files to ensure security is not compromised.
    
==== Determining contents of htaccess fragment ====
 
==== Determining contents of htaccess fragment ====
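
Review bot: In the added command block, `db accounts setprop ibayname AllowOverride All` turns on every override class, while the paragraph introducing it justifies the change only by users needing to "independently change web access controls". Apache's AllowOverride directive also accepts narrower classes such as AuthConfig and Limit, which cover authentication and access directives. If the ibay template passes the property value through unchanged (an assumption to confirm against the template), the page should suggest the narrower value and reserve All for cases that need it. The closing paragraph tells the administrator to monitor .htaccess files regularly but does not show how to revert the property once the need has passed, which would complete the procedure. The rewrite also drops the removed sentence's point that the associated password file needs correct permissions; that caveat still applies when .htaccess is enabled and is worth keeping.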