George Langford, Sc.D. on Thu, 20 Jun 2002 17:00:38 +0200



[PLUG] Comprehending password protection on an Apache webserver


Hello !

Been trying to password protect a group of directories on my
webpage, www.amenex.com.  I write reports to various clients, and 
some of them are too big to E-mail, so I'm planning to post them 
under the "_private" directory there.  I've managed to find a way 
of keeping browsers out with the file .htaccess placed in the 
"_private" directory:

	Options -Indexes

	AuthUserFile /dev/null
	AuthGroupFile /dev/null
	AuthName "Amenex Private Files"
	AuthType Basic

	<Limit GET>
	order deny,allow
	deny from all
	allow from voicenet.com somewhere.com
	</Limit>

The above coding fails when I replace "voicenet.com" with
"amenex.com" and I suspect that's because I didn't provide
any sort of translation between the domain name and its
IP address[es] which are 207.103.43.11 and 207.103.43.10.
I'd like to know how to accomplish this with .htaccess and
(presumably) NSlookup:

	http://cc-www.uia.ac.be/ds/nslookup.html

for "somewhere" domain names.  Incidentally, NSlookup returns
"lweb1-nvhost.voicenet.com" for amenex.com's first IP address 
and "lweb0-nvhost.voicenet.com" for the second. But when I 
change the "allow from" line in .htaccess above to:

	allow from lweb1-nvhost.voicenet.com lweb0-nvhost.voicenet.com

I, too, get the "access denied" screen.  Sigh ....

BTW, when I enter the URL (and the "allow from" line in
.htaccess includes voicenet.com):

	http://www.amenex.com/_private/

I get to see the index.html file; folks from outside
voicenet.com see an "access denied" screen.  That's fine.
I'll need to add my clients' ISP names when I'm ready to let
them into the _private directory, of course.  Do my
concatenations of "somewhere.com" above and "Someone" below 
satisfy that need ?

When I try to limit access more specifically to the 
subdirectories called generically, "report01" etc., I
run into a brick wall.  Here's my present best guess of the 
.htaccess file to go in the "report01" protected directory 
in which I have concatenated "Someone" as an implied question:

	AuthType Basic
	AuthName "WebSite Security"
	AuthUserFile /usr/local/etc/httpd/htdocs/amenex/_private/report01/.htpasswd
	require valid-user Langford Someone

Voicenet tells me that the full path for AuthUserFile should be:

	AuthUserFile /usr/local/etc/httpd/htdocs/<domain>/<protected>/.htpasswd

where <domain> is my [?] domain name stripped of the .com,
etc. and <protected> is the name of the protected directory.

I have trouble understanding this, as there is no "amenex" 
directory in the path that I see.  When I use CuteFTP to 
examine my website, the next level below htdocs contains 
all the files and directories that comprise the amenex.com 
website.  There just isn't any "amenex" directory.  If I 
substitute my "official" Voicenet user ID for "amenex", that 
doesn't work, either.

The concept of "encryption" also puzzles me.  When I look
at the username:password file in my Linux PC, I see a multi-
character gobbledegook word that in no way resembles what
I actually type for my password when I go to root.  When I
enter a password in the password encryption script that
Voicenet provides at vam.voicenet.com, it returns just such
a gobbledegook string of characters which I am supposed to
copy and paste into my .htpasswd file (placed at Voicenet's
insistence [?] in the "protected" directory as indicated
above).  What's the password now - the "password" which I typed
into the encryption script, or "gobbledegook" which is what goes 
into the .htpasswd file ?  My guess is "gobbledegook" which 
makes me wonder - the only thing encrypted about my password is 
that it's not any word in the dictionary and would be hard to 
crack by brute force but easy to sniff during transmission.

At any rate, there's something about my .htaccess file that
prevents me from accessing the protected "report01" directory
whether I type "password" or "gobbledegook" at the prompt
provided by Voicenet's security engine.

I'm using Netscape 4.7[2?] with java turned off for security
reasons; the PC is running W98; Voicenet is using Apache to
administer amenex.com: 

	Apache/1.3.23 Server at www.amenex.com Port 80

Thanks for reading this far.

Best regards,
George Langford
amenex@amenex.com
http://www.amenex.com/
http://www.georgesbasement.com/

______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
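
The following is an added example, not part of the original post and not Voicenet's code. It sketches what a server does with a Basic-auth login against a .htpasswd entry, to show which string is the password and how a `require` line is applied. It assumes Apache's `{SHA}` entry format as a stand-in for whatever the provider's script emits; the password and helper names are constructed for the illustration.

```python
import base64
import hashlib
import hmac

def sha_entry(user, password):
    """Build one .htpasswd line in Apache's {SHA} format (base64 of SHA-1)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

def parse_htpasswd(text):
    """Map user -> stored hash string, skipping blank lines and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users

def decode_basic(header):
    """Recover (user, password) from an Authorization header; None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    return (user, password) if sep else None

def authorized(header, htpasswd_text, require):
    """Check the typed password, then the require line ('valid-user' or 'user a b')."""
    creds = decode_basic(header)
    if creds is None:
        return False
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    expected = sha_entry(user, password).split(":", 1)[1]  # hash what was typed
    if stored is None or not hmac.compare_digest(expected, stored):
        return False
    kind, *names = require.split()
    return kind == "valid-user" or (kind == "user" and user in names)

def header_for(user, typed):
    """What a browser sends after `typed` is entered at the login prompt."""
    return "Basic " + base64.b64encode(f"{user}:{typed}".encode()).decode()

# Constructed sample data: user name from the post, password invented here.
HTPASSWD = sha_entry("Langford", "s3cret-report")
STORED = HTPASSWD.split(":", 1)[1]  # the string that sits in .htpasswd
```

The server hashes what was typed and compares the result with the stored string, so typing the stored string itself fails. The Authorization header is only base64-encoded, which is why the typed password is readable in transit without TLS.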