Difference between revisions of "Talk:Htaccess"

From SME Server
Jump to navigationJump to search
(Replaced content with "resolved")
 
Line 1: Line 1:
 
resolved
 
resolved
--[[User:Stephdl|Stephdl]] ([[User talk:Stephdl|talk]]) 13:27, 2 October 2013 (MDT)
 
 
== htaccess configuration using custom templates ==
 
 
=== Problem ===
 
 
You want to implement secure authorised access to folders/subfolders in your sme server ibays.
 
 
The default settings in sme server allow you to secure the ibays using the Information Bay panel in server manager, by creating an ibay password which is used to allow authorised access to the ibay from the Internet, but this does not control access to individual folders.
 
 
=== Solution ===
 
 
The use of a .htaccess file and associated password file can control the security of subfolders within ibays by username and password. Htaccess is not enabled by default and .htaccess files are inherently exposed to the Internet and require the correct permissions to be applied to ensure that unauthorised access is not allowed, therefore creating a security risk.
 
 
The recommended way to implement .htaccess on a SME server, is to use custom templates, which are only under the control of the administrator and cannot be tampered with by anonymous Internet users. Using this method you do NOT need to install any contrib rpm.
 
 
 
==== Determining contents of htaccess fragment ====
 
 
This method involves creating a httpd.conf custom template fragment with the required information.
 
 
Initially you will need to determine the contents of your .htacess file to be used in the fragment. Refer to the .htaccess web site links below for more details but a basic .htaccess file would contain the following (see specific examples in following sections):
 
 
AuthUserFile /etc/passwordfilename
 
 
AuthGroupFile /dev/null
 
 
AuthName "My Site Security Group"
 
 
AuthType Basic
 
 
<Limit GET>
 
 
order deny,allow
 
 
require valid-user
 
 
</Limit>
 
 
The AuthUserFile will be the location on your sme server of the htaccess password file. You can choose whichever name and location you want, but the password file SHOULD NOT be placed in a publicly accessible area ie NOT in web site folders. Note that this file is created using the htpasswd command (see steps later).
 
 
The AuthName can be any name you want.
 
 
The rest of the details are basic and can be amended to suit your particular requirements.
 
 
 
{{Warning box|Please choose your AuthUserFile password file name carefully so that it does not correspond with existing filenames. Do not name the file passwd as that filename already exists, and you will overwrite the original system file and make your server inaccessible. Choose a meaningful name like ibaypasswords or similar.}}
 
 
==== Procedure - authentication against a user password file ====
 
 
Determine the contents of your .htacess file to be used in the fragment, as mentioned previously.
 
The contents shown below will suffice for standard situations.
 
 
===== Custom template creation =====
 
 
Next you need to create the custom template.
 
 
Log on to your server command prompt as root or with root privileges and do:
 
(assuming that it does not already exist)
 
 
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 
 
Create a fragment with a name of your choice
 
 
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 
nano -w 50AddSecureIbayFolder
 
 
 
Using the htaccess file contents example from above, and assuming we want to secure an ibay subfolder called
 
/home/e-smith/files/ibays/ibayname/html/foldername/subfoldername
 
 
edit the fragment file to contain the following (ensure there is an empty line at the end)
 
 
<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
 
AuthUserFile /etc/passwordfilename
 
AuthGroupFile /dev/null
 
AuthName "My Site Security Group"
 
AuthType Basic
 
<Limit GET>
 
order deny,allow
 
require valid-user
 
</Limit>
 
</Directory>
 
 
save by ctrl+x
 
 
{{Note box|Since with SME Server 8.0 it lacks some apache modules to authenticate users, we have to  add them manually.}}
 
nano /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20LoadModule55
 
 
  #---- added for use of htaccess ----
 
{
 
    $OUT .= load_modules(qw(
 
auth_basic
 
authn_file
 
authz_groupfile
 
));
 
}
 
 
save by ctrl+x and then do
 
 
expand-template /etc/httpd/conf/httpd.conf
 
sv t /service/httpd-e-smith
 
 
It is recommended practise to check that the service has started and is running, so do
 
sv s /service/httpd-e-smith
 
 
===== Password file creation =====
 
 
Now you need to create the password file, change to the location you want the password file in
 
 
cd /etc
 
 
then do
 
 
htpasswd -c passwordfilename user1
 
 
then you will be asked to enter the password
 
 
and then asked to confirm the password
 
 
The user name and password will be encoded into the password file
 
 
To add a second user and password do
 
 
htpasswd passwordfilename user2
 
 
then you will be asked to enter the password
 
 
and then asked to confirm the password
 
 
To add a third user and password do
 
 
htpasswd passwordfilename user3
 
 
then you will be asked to enter the password
 
 
and then asked to confirm the password
 
 
and so on.
 
 
You should only use the -c switch when entering the first user.
 
 
If you use the -c switch when entering additional user details you will overwrite the password file completely and only have the one user entry there.
 
 
 
==== Procedure - authentication against all sme users ====
 
 
Determine the contents of your .htacess file to be used in the fragment, as mentioned previously.
 
The contents shown below will suffice for standard situations.
 
 
===== Custom template creation =====
 
 
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 
nano -w 50AddSecureIbayFolder
 
 
Assuming we want to secure an ibay subfolder called
 
/home/e-smith/files/ibays/ibayname/html/foldername/subfoldername
 
 
edit the fragment file to contain the following (ensure there is an empty line at the end)
 
 
<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
 
AuthName "My Site Security Group"
 
AuthType Basic
 
AuthExternal pwauth
 
<Limit GET>
 
order deny,allow
 
require valid-user
 
</Limit>
 
</Directory>
 
 
(the "valid-user" setting will allow any valid sme user to gain access)
 
 
{{Note box|Since with SME Server 8.0 it lacks some apache modules to authenticate users, we have to  add them manually.}}
 
nano /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20LoadModule55
 
 
  #---- added for use of htaccess ----
 
{
 
    $OUT .= load_modules(qw(
 
auth_basic
 
authn_file
 
authz_groupfile
 
));
 
}
 
 
save by ctrl+x and then do
 
 
expand-template /etc/httpd/conf/httpd.conf
 
sv t /service/httpd-e-smith
 
sv s /service/httpd-e-smith
 
 
==== Procedure - authentication against specified sme users ====
 
 
Determine the contents of your .htacess file to be used in the fragment, as mentioned previously.
 
The contents shown below will suffice for standard situations.
 
 
===== Custom template creation =====
 
 
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 
nano -w 50AddSecureIbayFolder
 
 
Assuming we want to secure an ibay subfolder called
 
/home/e-smith/files/ibays/ibayname/html/foldername/subfoldername
 
 
edit the fragment file to contain the following (ensure there is an empty line at the end)
 
 
<Directory /home/e-smith/files/ibays/ibayname/html/foldername/subfoldername>
 
AuthName "My Site Security Group"
 
AuthType Basic
 
AuthExternal pwauth
 
<Limit GET>
 
order deny,allow
 
require user admin smeusername1 smeusername2 smeusername3 smeusername4
 
</Limit>
 
</Directory>
 
 
(where admin, smeusername1, smeusername2 etc are valid users on the sme server)
 
 
{{Note box|Since with SME Server 8.0 it lacks some apache modules to authenticate users, we have to  add them manually.}}
 
nano /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20LoadModule55
 
 
  #---- added for use of htaccess ----
 
{
 
    $OUT .= load_modules(qw(
 
auth_basic
 
authn_file
 
authz_groupfile
 
));
 
}
 
 
save by ctrl+x and then do
 
 
expand-template /etc/httpd/conf/httpd.conf
 
sv t /service/httpd-e-smith
 
sv s /service/httpd-e-smith
 
 
==== Procedure - authentication against groups ====
 
 
Two methods are outlined in this forum post
 
 
http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967
 
 
One method solves this by expanding the group to all members in it and adding them to the required user directive, see
 
 
http://forums.contribs.org/index.php/topic,38959.msg177464.html#msg177464
 
 
The other method solves this by using the unixgroup check script, see
 
 
http://forums.contribs.org/index.php/topic,38959.msg177967.html#msg177967
 
 
=== Testing ===
 
 
Now you can test the web site access.
 
 
Ensure you have created the actual web site folder or subfolder, and then browse to your newly secured location ie
 
 
www./yourdomain.com/ibayname/foldername/subfoldername
 
 
You will be asked for a user Id and password.
 
 
Enter any combination that is allowed by your configuration to gain access, ie is in your password file, is any sme user, or is a specfied sme user.
 
 
=== Deletion procedure ===
 
 
To undo any changes you make using this method, do the following, replacing filenames with those actually used
 
 
rm /etc/passwordfilename
 
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/50AddSecureIbayFolder
 
rm /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20LoadModule55
 
expand-template /etc/httpd/conf/httpd.conf
 
sv t /service/httpd-e-smith
 
sv s /service/httpd-e-smith
 
 
=== Additional Information ===
 
 
See these resources for further information about creating and using htaccess although much of that information is not applicable to the method outlined in this HOWTO.
 
 
It will assist you to determine the contents of the htaccess file that will be placed into the custom template fragment.
 
 
http://www.freewebmasterhelp.com/tutorials/htaccess/
 
 
http://www.its.queensu.ca/network/policy/htaccess.shtml
 
 
http://www.washington.edu/computing/web/publishing/htaccess.html
 
 
http://www.htmlite.com/HTA003.php
 
 
http://www.cs.hmc.edu/qref/web/htaccess.html
 
 
For further information about custom templates see:
 
 
http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual
 
 
Other References:
 
 
http://forums.contribs.org/index.php?topic=42190.0
 
 
 
----
 
[[Category:Howto]]
 

Latest revision as of 21:59, 6 October 2013

resolved