|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|
RE: [Plug] Restricting Web Access
|
Beyond that, you should never place the password files in the document
root. They could be downloaded and even if not cracked, it would give
anyone a list of valid names to try. I usually put them in a
subdirectory under the config dir. You should also limit gets on the
.htaccess files. Personally I'd rather not have them looked at either.
Mental
--
"If they takeaway the pr0n, the net will stagnate...who's gonna need
bandwidth then? I mean...why do you think they went from 16 to
256 colors? for reading? I think not!" --Kyle Burton
On Tue, 9 Nov 1999, Young, Geoffrey S. wrote:
> I think your problem is with AuthUserFile. From the apache docs:
>
> The AuthUserFile directive sets the name of a textual file
> containing the list of users and passwords for user authentication. Filename
> is the path to the user file. If it is not absolute (i.e., if it doesn't
> begin with a slash), it is treated as relative to the ServerRoot.
>
> Thus /thefold/.htpasswd is looking for /thefold/.htpasswd, not
> /home/httpd/html/thefold/.htpasswd, which is probably what you mean?
>
> maybe?
>
> HTH
>
> --Geoff
>
> BTW, in way of introductions, I've been following the list for a while but
> haven't made it out to a meeting yet - hopefully, there will be a first time
> one of these days ;) Anywaym, howdy.
>
>
>
> > -----Original Message-----
> > From: Nicolai Rosen [SMTP:laktar@hotmail.com]
> > Sent: Tuesday, November 09, 1999 12:31 AM
> > To: plug@lists.nothinbut.net
> > Subject: [Plug] Restricting Web Access
> >
> > I'm trying to restrict access to a directory
> > http://laktar.dyndns.org/thefold/ on my computer. I've got Apache 1.3.3
> > running from inetd on a RH5.2 installation.
> >
> > I've done a little looking around and asking people and I can't figure out
> >
> > what's wrong with my setup. The URL which is sometimes up is
> > http://laktar.dyndns.org/thefold/ but when I go there I get an
> > Authorization
> > Failed message. The login/pass combination is thefold/thefold. Here are
> > some
> > relevant files.
> >
> >
> >
> > /home/httpd/html/thefold/.htaccess:
> > AuthUserFile /thefold/.htpasswd
> > AuthGroupFile /dev/null
> > AuthName ByPassword
> > AuthType Basic
> >
> > <Limit GET>
> > require user thefold
> > </Limit>
> >
> >
> >
> > /home/httpd/html/thefold/.htpasswd:
> > thefold:kBmkGCbudswxc
> >
> >
> >
> > /etc/httpd/conf/access.conf:
> > ##
> > ## access.conf -- Apache HTTP server configuration file
> > ##
> >
> > # access.conf: Global access configuration
> > # Online docs at http://www.apache.org/
> >
> > # This file defines server settings which affect which types of services
> > # are allowed, and in what circumstances.
> >
> > # Each directory to which Apache has access, can be configured with
> > respect
> > # to which services and features are allowed and/or disabled in that
> > # directory (and its subdirectories).
> >
> > # Originally by Rob McCool
> >
> > # First, we configure the "default" to be a very restrictive set of
> > # permissions.
> >
> > # <Directory />
> > # Options None
> > # AllowOverride None
> > # </Directory>
> >
> > # Note that from this point forward you must specifically allow
> > # particular features to be enabled - so if something's not working as
> > # you might expect, make sure that you have specifically enabled it
> > # below.
> >
> > # This should be changed to whatever you set DocumentRoot to.
> >
> > <Directory /home/httpd/html>
> >
> > # This may also be "None", "All", or any combination of "Indexes",
> > # "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
> >
> > # Note that "MultiViews" must be named *explicitly* --- "Options All"
> > # doesn't give it to you.
> >
> > Options Indexes Includes FollowSymLinks
> >
> > # This controls which options the .htaccess files in directories can
> > # override. Can also be "All", or any combination of "Options",
> > "FileInfo",
> > # "AuthConfig", and "Limit"
> >
> > AllowOverride All
> >
> > # Controls who can get stuff from this server.
> >
> > order allow,deny
> > allow from all
> >
> > </Directory>
> >
> > # /home/httpd/cgi-bin should be changed to whatever your ScriptAliased
> > # CGI directory exists, if you have that configured.
> >
> > <Directory /home/httpd/cgi-bin>
> > AllowOverride None
> > Options ExecCGI
> > </Directory>
> >
> > # Allow server status reports, with the URL of
> > http://servername/server-status
> > # Change the ".your_domain.com" to match your domain to enable.
> >
> > #<Location /server-status>
> > #SetHandler server-status
> >
> > #order deny,allow
> > #deny from all
> > #allow from .your_domain.com
> > #</Location>
> >
> > # There have been reports of people trying to abuse an old bug from
> > pre-1.1
> > # days. This bug involved a CGI script distributed as a part of Apache.
> > # By uncommenting these lines you can redirect these attacks to a logging
> > # script on phf.apache.org. Or, you can record them yourself, using the
> > script
> > # support/phf_abuse_log.cgi.
> >
> > #<Location /cgi-bin/phf*>
> > #deny from all
> > #ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
> > #</Location>
> >
> > # You may place any other directories or locations you wish to have
> > # access information for after this one.
> >
> > ______________________________________________________
> > Get Your Private, Free Email at http://www.hotmail.com
> >
> > _______________________________________________
> > Plug maillist - Plug@lists.nothinbut.net
> > http://lists.nothinbut.net/mail/listinfo/plug
>
> _______________________________________________
> Plug maillist - Plug@lists.nothinbut.net
> http://lists.nothinbut.net/mail/listinfo/plug
>
_______________________________________________
Plug maillist - Plug@lists.nothinbut.net
http://lists.nothinbut.net/mail/listinfo/plug
|
|