Young, Geoffrey S. on Tue, 9 Nov 1999 09:04:10 -0500 (EST)



RE: [Plug] Restricting Web Access


Yeah...

Being a perl guy, my own inclination would be to integrate mod_perl with
Apache, then write a PerlAuthenHandler to verify the user against a database
- far more secure, I would think.

Also an interesting project if you are just getting into Apache :)

--Geoff

> -----Original Message-----
> From:	Mental [SMTP:mental@neverlight.com]
> Sent:	Tuesday, November 09, 1999 8:44 AM
> To:	'plug@lists.nothinbut.net'
> Cc:	'laktar@hotmail.com'
> Subject:	RE: [Plug] Restricting Web Access
> 
> Beyond that, you should never place the password files in the document
> root. They could be downloaded and even if not cracked, it would give
> anyone a list of valid names to try. I usually put them in a 
> subdirectory under the config dir.  You should also limit gets on the
> .htaccess files. Personally I'd rather not have them looked at either.
> 
> 
> 
> Mental
> --
> "If they take away the pr0n, the net will stagnate...who's gonna need
> bandwidth then?  I mean...why do you think they went from 16 to 
> 256 colors?  for reading?  I think not!" --Kyle Burton
> 
> 
> On Tue, 9 Nov 1999, Young, Geoffrey S. wrote:
> 
> > I think your problem is with AuthUserFile.  From the apache docs:
> > 
> > 	The AuthUserFile directive sets the name of a textual file
> > containing the list of users and passwords for user authentication.
> > Filename is the path to the user file. If it is not absolute (i.e., if
> > it doesn't begin with a slash), it is treated as relative to the ServerRoot.
> > 
> > Thus /thefold/.htpasswd is looking for /thefold/.htpasswd, not
> > /home/httpd/html/thefold/.htpasswd, which is probably what you mean?
> > 
> > maybe?
> > 
> > HTH
> > 
> > --Geoff
> > 
> > BTW, by way of introduction, I've been following the list for a while but
> > haven't made it out to a meeting yet - hopefully, there will be a first time
> > one of these days ;)  Anyway, howdy.
> > 
> > 
> > 
> > > -----Original Message-----
> > > From:	Nicolai Rosen [SMTP:laktar@hotmail.com]
> > > Sent:	Tuesday, November 09, 1999 12:31 AM
> > > To:	plug@lists.nothinbut.net
> > > Subject:	[Plug] Restricting Web Access
> > > 
> > > I'm trying to restrict access to a directory
> > > http://laktar.dyndns.org/thefold/ on my computer. I've got Apache 1.3.3
> > > running from inetd on a RH5.2 installation.
> > > 
> > > I've done a little looking around and asking people and I can't figure out
> > > what's wrong with my setup. The URL which is sometimes up is
> > > http://laktar.dyndns.org/thefold/ but when I go there I get an
> > > Authorization Failed message. The login/pass combination is thefold/thefold.
> > > Here are some relevant files.
> > > 
> > > 
> > > 
> > > /home/httpd/html/thefold/.htaccess:
> > > AuthUserFile /thefold/.htpasswd
> > > AuthGroupFile /dev/null
> > > AuthName ByPassword
> > > AuthType Basic
> > > 
> > > <Limit GET>
> > > require user thefold
> > > </Limit>
> > > 
> > > 
> > > 
> > > /home/httpd/html/thefold/.htpasswd:
> > > thefold:kBmkGCbudswxc
> > > 
> > > 
> > > 
> > > /etc/httpd/conf/access.conf:
> > > ##
> > > ## access.conf -- Apache HTTP server configuration file
> > > ##
> > > 
> > > # access.conf: Global access configuration
> > > # Online docs at http://www.apache.org/
> > > 
> > > # This file defines server settings which affect which types of services
> > > # are allowed, and in what circumstances.
> > > 
> > > # Each directory to which Apache has access, can be configured with respect
> > > # to which services and features are allowed and/or disabled in that
> > > # directory (and its subdirectories).
> > > 
> > > # Originally by Rob McCool
> > > 
> > > # First, we configure the "default" to be a very restrictive set of
> > > # permissions.
> > > 
> > > # <Directory />
> > > # Options None
> > > # AllowOverride None
> > > # </Directory>
> > > 
> > > # Note that from this point forward you must specifically allow
> > > # particular features to be enabled - so if something's not working as
> > > # you might expect, make sure that you have specifically enabled it
> > > # below.
> > > 
> > > # This should be changed to whatever you set DocumentRoot to.
> > > 
> > > <Directory /home/httpd/html>
> > > 
> > > # This may also be "None", "All", or any combination of "Indexes",
> > > # "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
> > > 
> > > # Note that "MultiViews" must be named *explicitly* --- "Options All"
> > > # doesn't give it to you.
> > > 
> > > Options Indexes Includes FollowSymLinks
> > > 
> > > # This controls which options the .htaccess files in directories can
> > > # override. Can also be "All", or any combination of "Options", "FileInfo",
> > > # "AuthConfig", and "Limit"
> > > 
> > > AllowOverride All
> > > 
> > > # Controls who can get stuff from this server.
> > > 
> > > order allow,deny
> > > allow from all
> > > 
> > > </Directory>
> > > 
> > > # /home/httpd/cgi-bin should be changed to whatever your ScriptAliased
> > > # CGI directory exists, if you have that configured.
> > > 
> > > <Directory /home/httpd/cgi-bin>
> > > AllowOverride None
> > > Options ExecCGI
> > > </Directory>
> > > 
> > > # Allow server status reports, with the URL of http://servername/server-status
> > > # Change the ".your_domain.com" to match your domain to enable.
> > > 
> > > #<Location /server-status>
> > > #SetHandler server-status
> > > 
> > > #order deny,allow
> > > #deny from all
> > > #allow from .your_domain.com
> > > #</Location>
> > > 
> > > # There have been reports of people trying to abuse an old bug from pre-1.1
> > > # days.  This bug involved a CGI script distributed as a part of Apache.
> > > # By uncommenting these lines you can redirect these attacks to a logging
> > > # script on phf.apache.org.  Or, you can record them yourself, using the
> > > # script support/phf_abuse_log.cgi.
> > > 
> > > #<Location /cgi-bin/phf*>
> > > #deny from all
> > > #ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
> > > #</Location>
> > > 
> > > # You may place any other directories or locations you wish to have
> > > # access information for after this one.
> > > 
> > > ______________________________________________________
> > > Get Your Private, Free Email at http://www.hotmail.com
> > > 
> > > _______________________________________________
> > > Plug maillist  -  Plug@lists.nothinbut.net
> > > http://lists.nothinbut.net/mail/listinfo/plug
> > 
> 

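The two points raised in the thread, Geoff's (AuthUserFile values that do not start with "/" are resolved against ServerRoot, so /thefold/.htpasswd is exactly that path and not the one under /home/httpd/html) and Mental's (a password file inside the document root is fetchable, and even an uncracked copy hands out the valid usernames), can be checked mechanically. The script below is an added example written for this page; it is not code from the thread or from Apache. It models Apache 1.3's path resolution, flags a resolved AuthUserFile that sits under DocumentRoot, lists the usernames a leaked file would reveal, and prints a corrected .htaccess together with the stock httpd.conf <Files> block that denies any ".ht*" file. ServerRoot (/etc/httpd) and DocumentRoot (/home/httpd/html) are the values from the original post; the /etc/httpd/conf/auth directory is an assumed location for the moved password file, in the spirit of "a subdirectory under the config dir".

```shell
#!/bin/sh
# Added example, not code from the thread. ServerRoot/DocumentRoot are the
# poster's values; /etc/httpd/conf/auth is an assumed safe location.

SERVER_ROOT=/etc/httpd
DOC_ROOT=/home/httpd/html

# Apache rule: an AuthUserFile value that does not begin with "/" is
# relative to ServerRoot; an absolute one is used verbatim.
resolve_authuserfile() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$SERVER_ROOT" "$1" ;;
    esac
}

# Returns 0 when a path lies inside DocumentRoot (fetchable over HTTP
# unless a <Files> block denies it), 1 otherwise.
under_docroot() {
    case "$1" in
        "$DOC_ROOT"/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# One-line verdict for an AuthUserFile value, e.g.
#   audit_authuserfile /thefold/.htpasswd
#   -> resolved=/thefold/.htpasswd exposed=no
audit_authuserfile() {
    resolved=$(resolve_authuserfile "$1")
    if under_docroot "$resolved"; then exposed=yes; else exposed=no; fi
    printf 'resolved=%s exposed=%s\n' "$resolved" "$exposed"
}

# What a leaked htpasswd file gives an attacker before any cracking:
# the list of valid usernames (first colon-separated field).
htpasswd_users() {
    cut -d: -f1 "$1"
}

# Server-side belt and braces: the stock Apache 1.3 httpd.conf block that
# refuses to serve any file whose name starts with ".ht", so .htaccess and
# .htpasswd return 403 even if someone leaves them in the tree.
hardened_files_block() {
    cat <<'EOF'
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
EOF
}

# The poster's .htaccess with the path fixed and the password file moved
# out of DocumentRoot. The <Limit GET> wrapper is dropped on purpose: in
# Apache 1.3 it confines "require" to GET (and HEAD), leaving other methods
# unauthenticated; an unwrapped "require" applies to every method.
hardened_htaccess() {
    cat <<EOF
AuthUserFile $SERVER_ROOT/conf/auth/thefold.htpasswd
AuthGroupFile /dev/null
AuthName "ByPassword"
AuthType Basic
require user thefold
EOF
}

# Stand-alone run: audit the posted value, the file's real location, and
# the hardened value, then print the corrected config fragments.
if [ "${1:-}" = "--demo" ]; then
    audit_authuserfile /thefold/.htpasswd
    audit_authuserfile /home/httpd/html/thefold/.htpasswd
    audit_authuserfile conf/auth/thefold.htpasswd
    hardened_htaccess
    hardened_files_block
fi
```

Run it with --demo: the first audit line shows why the login fails (Apache looks for a file that does not exist), the second shows why the file where it actually lives is a problem (exposed=yes), and the third shows the relative form resolving under ServerRoot, outside the web tree. The <Files> block belongs in httpd.conf, not in the .htaccess it is protecting.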