Author Topic: How to protect Apache web resources
AwsEC2
  posted on: 09/11/2012 06:44:45 PM
How to protect Apache web resources
Protecting resources on the web is something that most admins will have to do at one point or another. Whether the content is personal or under construction, there comes a time when that content must only be accessed by authorized users. The Apache web server allows two ways to achieve this purpose:
  • One way is placing the access rules in an external file (.htaccess) which resides directly inside the protected directory.
  • The other way is placing the access rules inside directory directives of the configuration file httpd.conf or conf.d/*.conf

    AwsEC2
      posted on: 09/11/2012 07:33:06 PM
    Protect Apache web resources with .htaccess & .htpasswd
    .htaccess

    The .htaccess file is a set of ACLs in a simple text file placed in the directory you want the contents of the file to affect. The rules in the .htaccess file will be enforced on whatever directory it is in and all sub-directories as well, as in SubEntry ACLs.

    Sample .htaccess file for most cases:
    $ cat /home/ec2-user/example2.com/.htaccess
    
    AuthType basic
    AuthName "Ooops! Protected Resource ..."
    AuthUserFile /home/ec2-user/example2.com/.htpasswd
    Require valid-user 
    


    Sample .htaccess file for a more complicated case:
    $ cat /home/ec2-user/example2.com/.htaccess
    
    ## ACCESS INSTRUCTION LIST ###
    # Apache does not allow a comment on the same line as a directive,
    # so each comment sits on its own line above the directive it describes.
    AuthType basic
    AuthName "Ooops! Temporarily Under Construction ..."
    # Only one AuthUserFile is in effect per directory; a repeated line overrides the earlier one
    AuthUserFile /home/ec2-user/example2.com/.htpasswd
    # optional
    AuthGroupFile /dev/null
    # password prompt for John
    Require user John
    # password prompt for everyone else from AuthUserFile
    Require valid-user
    Order Deny,Allow
    Deny from all
    # Your (the developer's) IP address
    Allow from 192.168.64.5
    # css/xhtml check jigsaw.w3.org/css-validator/
    Allow from w3.org
    # Allows google to crawl your pages
    Allow from googlebot.com
    # no password required if host/ip is Allowed
    Satisfy Any
    



    .htpasswd

    The .htpasswd file is the second part of the affair. The .htpasswd file is also a simple text file which contains username/password pairs. The password will be stored in encrypted form and the username will be in plaintext.

    Format:
    <username>:<encrypted_password>


    Sample .htpasswd file:
    john:a5MfE987hgwbg
    Lauren:98qiJH6hjkp4K
    


    Troubleshooting:
  • The username in .htpasswd is case-sensitive. John and john are two different users.
  • Make sure the permissions on the .htaccess and .htpasswd files are set so that Apache can read them.
    chmod 0644 .htaccess
    chmod 0644 .htpasswd
    

  • .htaccess files can be completely ignored by Apache if the administrators opt for that with an AllowOverride None directive. In other words, .htaccess files work only if your web administrators allow the following settings:
    AllowOverride AuthConfig
    

    or
    AllowOverride All
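
    Added example, not part of the original post: a small Python model of how the "more complicated" sample combines host rules with passwords, assuming Apache 2.2-style Order/Allow/Deny/Satisfy semantics. The function names, the client addresses and the reverse-DNS names are constructed for illustration, and partial-IP forms such as "10.1" are not modelled.

```python
import ipaddress

# Constructed from the sample above (Apache 2.2-style Order/Allow/Deny/Satisfy).
ALLOW = ["192.168.64.5", "w3.org", "googlebot.com"]
DENY = ["all"]
REQUIRES = ["user John", "valid-user"]

def host_matches(spec, ip, rdns):
    """True if one Allow/Deny argument matches the client."""
    if spec == "all":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # Domain form: the name itself or a subdomain. rdns is assumed to be
        # the client's already verified (forward-confirmed) reverse DNS name.
        return rdns is not None and (rdns == spec or rdns.endswith("." + spec))

def host_allowed(order, ip, rdns):
    allowed = any(host_matches(s, ip, rdns) for s in ALLOW)
    denied = any(host_matches(s, ip, rdns) for s in DENY)
    if order == "Deny,Allow":
        return allowed or not denied   # a matching Allow overrides Deny
    return allowed and not denied      # Allow,Deny: a matching Deny wins

def user_allowed(user, authenticated):
    """Any single satisfied Require line is enough."""
    if not authenticated:
        return False
    for req in REQUIRES:
        kind, *names = req.split()
        if kind == "valid-user" or (kind == "user" and user in names):
            return True
    return False

def decide(ip, rdns=None, user=None, authenticated=False,
           order="Deny,Allow", satisfy="Any"):
    """Return the HTTP status the model predicts: 200, 401 or 403."""
    host_ok = host_allowed(order, ip, rdns)
    user_ok = user_allowed(user, authenticated)
    if satisfy == "Any":
        return 200 if (host_ok or user_ok) else 401
    if not host_ok:
        return 403                     # Satisfy All: host check fails first
    return 200 if user_ok else 401
```

    With Satisfy Any, every client on an allowed host or domain reaches the content without a password, so the Allow list is part of the trust boundary and should stay as short as the site can manage.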
    

    AwsEC2
      posted on: 09/11/2012 08:01:21 PM
    Protect Apache web resources with directive defined in configuration file
    Alternatively, if you are an administrator, you can place any access rules inside the directory directive in the configuration file /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/*.conf.

    Sample directive defined in /etc/httpd/conf/httpd.conf:
    <Directory /usr/local/awstats/wwwroot/cgi-bin>
        AuthType Basic
        AuthName "AWStats - Web, FTP, and Mail Statistics"
        AuthUserFile /usr/local/awstats/wwwroot/.awstats.pwd
        Require valid-user
    </Directory>
    


    Sample directive defined in file under /etc/httpd/conf.d:
    $ cat /etc/httpd/conf.d/awstats.conf
    <Directory /usr/local/awstats/wwwroot/cgi-bin>
        AuthType Basic
        AuthName "AWStats - Web, FTP, and Mail Statistics"
        AuthUserFile /usr/local/awstats/wwwroot/.awstats.pwd
        Require valid-user
    </Directory>
    


    AwsEC2
      posted on: 09/11/2012 08:26:39 PM
    htpasswd Command
    You can manage user and password pairs with the utility command 'htpasswd':

    Syntax:
    htpasswd [-c] <.htpasswd> <user_name>
    


    Here the option '-c' stands for '-create' to create a new file.

    Example:
    # htpasswd -c /usr/local/awstats/wwwroot/.awstats.pwd John
    New password: ***
    Re-type new password: ***
    Adding password for user John
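
    Added example, not part of the original posts: a Python audit of a password file in the <username>:<password> format described in the thread, reporting which hash scheme each entry uses and flagging usernames that differ only by case. The first two sample lines are the thread's own sample entries (13-character values have the shape of traditional crypt(3) hashes); the other lines are constructed placeholders, and the scheme verdicts and function names are this example's own.

```python
import re

# (prefix pattern, scheme, verdict); the verdict labels are this example's own.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt", "ok"),
    (re.compile(r"^\$[56]\$"), "sha-crypt", "ok"),
    (re.compile(r"^\$apr1\$"), "apr1-md5", "dated"),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", "weak"),
    # Traditional crypt(3): only the first 8 password characters are used.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", "weak"),
]

def classify(field):
    for pattern, scheme, verdict in SCHEMES:
        if pattern.search(field):
            return scheme, verdict
    return "unknown-or-plaintext", "weak"

def audit(text):
    """Return (line_no, user, scheme, verdict, note) for each entry."""
    findings, seen = [], {}
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user:
            findings.append((line_no, user, "malformed", "weak", ""))
            continue
        scheme, verdict = classify(rest.partition(":")[0])
        # Usernames are case-sensitive, so "John" and "john" are two accounts.
        earlier = seen.setdefault(user.lower(), [])
        if user in earlier:
            note = "duplicate entry"
        elif earlier:
            note = "case variant of " + earlier[0]
        else:
            note = ""
        earlier.append(user)
        findings.append((line_no, user, scheme, verdict, note))
    return findings

# Constructed sample: lines 1-2 are the thread's sample entries, the rest are
# made-up placeholders, not real hashes.
SAMPLE = """john:a5MfE987hgwbg
Lauren:98qiJH6hjkp4K
John:$2y$05$PLACEHOLDERnotARealHash
carol:{SHA}PLACEHOLDERnotARealHash=
dave:hunter2
"""
```

    Entries reported as weak can be re-created with a stronger scheme; htpasswd in Apache 2.4 accepts -B to write bcrypt hashes.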
    

