IPOWERWEB.com
Restricting Access to Directories Using Apache 1.3

By Drew Schatt

Everyone wants, at one time or another, to restrict access to certain directories that are present in their Web space. If you’re using Apache 1.3 or above, it’s really quite easy to do, while still providing a large amount of flexibility.

The first thing to do is make certain your Apache configuration permits .htaccess overrides for the directory you need to password protect. The way to check this is to look for an AllowOverride directive in the httpd.conf server configuration covering that directory.

An example from our server configuration is:

    <Directory /www/stats/>
        Options FollowSymLinks Includes
        AllowOverride AuthConfig FileInfo Limit Indexes
        <Limit GET>
            order allow,deny
            allow from all
        </Limit>
    </Directory>

The important line here is AllowOverride, which tells the server which kinds of directives an .htaccess file in that directory (and in the directories below it) is permitted to set. In Apache 1.3 the default, if the directive is absent, is "AllowOverride All" (later releases, from 2.3.9 on, default to None instead). The individual choices are: AuthConfig (the authentication and authorization directives such as AuthName, AuthType, AuthUserFile, AuthGroupFile and require), FileInfo (the directives controlling document types), Indexes (the directives controlling directory indexing), Limit (the host access directives allow, deny and order), Options (the Options directive, which controls directory features such as ExecCGI, Includes and FollowSymLinks), and None (in which case the server doesn't read the .htaccess file at all). For our company, since we have strict policies regarding the mixing of executable code and HTML, we don't let our developers override Options, as it would let a designer mark any directory as executable regardless of its location; that is why the example above grants everything except Options. If nobody else makes changes to your server, "AllowOverride All" works and you simply don't use the overrides you don't need. The safer habit, though, is to grant only what the directory actually requires, which for password protection is "AllowOverride AuthConfig Limit", because every override you permit is also available to anyone who manages to write a file into that directory, for example through a careless upload script.

Another important directive in httpd.conf is AccessFileName, which sets the name of the per-directory file in which Apache looks for overriding access information. The default is "AccessFileName .htaccess", and it is best left unchanged: the stock httpd.conf also contains a <Files ~ "^\.ht"> block that refuses to serve any file whose name begins with .ht, which is what stops visitors downloading .htaccess and .htpasswd files that sit inside the document tree. If you do rename it, extend that Files block to match the new name, or a plain request for the file will hand out your access rules.

Now we're ready to actually protect a directory. The bin directory of your Apache installation contains an executable named htpasswd, which creates the password file and adds, changes or deletes usernames in it. Apache (and htpasswd) stores the usernames in plain text, but the passwords are stored as one-way hashes, so the original password cannot be recovered from the file. To check a login, Apache hashes the password the user supplies in the same way and compares the result with the stored value; if they match, the user is allowed in, otherwise access is refused. On Unix, the command to create the file and the first username/password entry might be:

    /usr/local/apache/bin/htpasswd -c /www/stats/.htpasswd schatt

That creates a new file (the -c option; use it only the first time, because it overwrites an existing file and every user in it) and adds an entry for the user schatt with the hash of the password typed at the following prompts. By default htpasswd on Unix uses the system crypt() scheme, which ignores everything after the eighth character of the password; newer 1.3 releases accept -m to use Apache's MD5 scheme instead, which has no such limit. Please note that the .htpasswd file does not have to be in the directory you're password protecting, although the .htaccess file does; keeping the password file outside the document root altogether means it can never be served by mistake. Also, an .htaccess file applies to its directory and to every subdirectory beneath it, so you do not need a copy in each subdirectory; you only need another .htaccess where the rules should differ. Bear in mind that a subdirectory's own .htaccess can relax the parent's rules as far as AllowOverride permits, so anyone who can write an .htaccess file into a subdirectory can undo your protection there.

One can also organize users into groups, so that many different directories, or different subdirectories of one tree, can each admit a different set of users from a single password file. In our example the group file is .htgroup, and each line holds a group name, a colon, and then a space-separated list of the users in that group (for instance "mp3: schatt drew"); each listed user must also be present in the password file (in our example, /www/stats/.htpasswd).

Below is a sample .htaccess file. An explanation of the directives not already covered follows the sample:

    AuthUserFile /www/stats/.htpasswd
    AuthGroupFile /www/stats/.htgroup
    AuthName "Drew's House of Protected Style"
    AuthType Basic
    <Limit GET POST PUT>
        order deny,allow
        deny from all
        allow from schatt.com
        allow from drew.schatt.com
        allow from 207.247.127.235
        allow from 207.16.26
        require group mp3
        require valid-user
        satisfy any
    </Limit>

The AuthUserFile directive tells Apache which file to open to look for the username and encrypted password combinations. If you have multiple .htaccess files, all of them could share the same AuthUserFile line, so you would only have to add users in one place to give them access to several different directories. If you’re only going to be restricting access based on IP address or hostname, you do not need to have this option present.

The AuthGroupFile directive tells Apache which file to look in to check a user's group memberships. This is only necessary if you are using groups to control access to directories. Please note that this can also be achieved with different .htpasswd files in each directory. It really only makes sense to use this option if you have a large number of directories to protect, and you wish to only add users in one place (see the above note about AuthUserFile).

The AuthName directive names the realm. The browser shows it in the login prompt, so it lets the user know which username and password to use: in this example the user would know to use the credentials for "Drew's House of Protected Style," which would, presumably, mean something to them. An important note: browsers cache credentials per realm, so protected directories that share the same AuthName (and AuthType) on the same server are entered without prompting again, while a different AuthName produces a fresh prompt.

The AuthType Basic line is required. Basic is the scheme every browser supports and the one used here; Apache 1.3 also ships mod_digest for AuthType Digest, but browser support for Digest was patchy at the time of writing. Be aware that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so anyone on the network path can read them; if the content is worth a password, serve it over HTTPS.

The Limit section restricts the enclosed directives to the listed HTTP methods. If the server configuration already contained a definition for a method listed here, the .htaccess version overrides it; by extension, if the server configuration only defined PUT and you define GET here, GET requests are handled by your definition and PUTs by the server's. The methods in the example are GET (fetching pages or images; limiting GET also limits HEAD), PUT (file uploads) and POST (typically form submissions to CGI or other executable content), but any HTTP method name may be listed. The section must be closed with a </Limit> at the end. Several methods can share one Limit section as in the example, or separate Limit sections can be written, one per method. The security catch is that methods not listed are not restricted at all: with <Limit GET POST PUT>, a client can still send OPTIONS, DELETE or any other method without authenticating, and whether that matters depends on which modules handle those methods on your server. Unless you genuinely need per-method rules, leave the authentication and access directives outside any Limit section, where they apply to every method; Apache 1.3.5 and later also provides <LimitExcept>, which applies its contents to every method except those named.

The order deny,allow line tells the server the order in which to apply the deny and allow rules; a client matching neither list is allowed under deny,allow and denied under allow,deny, which is why the example needs the deny from all line. I usually prefer deny,allow, since I usually exclude everything but specific entries, and I think it gives me more flexibility. This way I can, say, deny everything from the company where I work and allow only my own address access to my online resume, instead of trying to craft a deny rule that covers all the company addresses but mine (which would be necessary if the order were reversed for the same result).

The deny from all line denies everyone. Because of the order directive above it, the allow rules are evaluated afterwards and override it for matching clients, so everything not explicitly allowed is denied.

The different allow from lines show (in order) access from all machines in a domain, access from a particular hostname (or subdomain), access from a particular IP address, and access from a range of IP addresses (a partial address such as 207.16.26 matches every address beginning with those octets, here 207.16.26.0 through 207.16.26.255). Domain names are matched on label boundaries, so schatt.com admits drew.schatt.com but not evilschatt.com. For security's sake, note that name-based rules depend on DNS: Apache 1.3's mod_access performs a double-reverse lookup (it resolves the client's address to a name, then resolves that name forward and requires it to match the connecting address), which defeats an intruder who merely controls the reverse DNS for their own address, but anyone able to spoof or poison the forward lookup as well could still get in, and every name rule costs DNS queries on each request. The safer course is to resolve the names yourself and list the addresses or address ranges in the .htaccess file.

The require group line requires that the user supply a username and password that validate against the password file, and that the username also appear in the named group in the group file.

The require valid-user line is only satisfied if the user supplies a username and password that are present in the file mentioned in the AuthUserFile directive.

The satisfy directive has two values, any (used here) and all; it tells Apache how the host-based allow/deny rules and the require (user or group) rules combine. With "any," a client coming from an allowed address gets in without ever being asked for a password, and a client from anywhere else gets in by authenticating. With "all," the client must both come from an allowed address and authenticate. Note also that several require lines are alternatives, any one suffices, so in the example require valid-user already admits every user in the password file and require group mp3 adds nothing; drop the valid-user line if membership of mp3 is meant to be the condition. Choose "any" only when the allowed addresses are trusted enough to skip the password entirely, because otherwise the address list becomes a password bypass.
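To make the interplay of Limit, order/allow/deny, require and satisfy concrete, here is an added example (not code from the original article or from Apache) that models how Apache 1.3's mod_auth and mod_access would decide requests against the sample .htaccess above. The password and group files, the users schatt and guest, their passwords and the client addresses are all constructed for the demonstration; the password entries use the {SHA} form that htpasswd -s writes, which is simple to reproduce offline.

```python
"""Model of Apache 1.3 access decisions for the sample .htaccess above.

Added example, not Apache's own code.  Users, passwords, hosts and file
contents below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac


def sha_entry(password):
    """Password-file entry in the {SHA} form written by `htpasswd -s`."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed .htpasswd and .htgroup contents (not real credentials).
HTPASSWD = "\n".join([
    "schatt:" + sha_entry("correct horse"),
    "guest:" + sha_entry("letmein"),
])
HTGROUP = "mp3: schatt"          # group name, colon, space-separated users

# Directives taken from the sample .htaccess.
ALLOW_FROM = ["schatt.com", "drew.schatt.com", "207.247.127.235", "207.16.26"]
LIMIT_METHODS = {"GET", "HEAD", "POST", "PUT"}   # Limit GET also covers HEAD
REQUIRE = [("group", "mp3"), ("valid-user", None)]


def parse_htpasswd(text):
    """Map user -> stored hash from user:hash lines."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def parse_htgroup(text):
    """Map group -> set of members from 'group: user user ...' lines."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups


def verify_user(users, user, password):
    """Hash the supplied password the same way and compare the hashes;
    the plaintext is never stored and cannot be recovered from the file."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))


def host_matches(rule, client_ip, client_host):
    """One 'allow from' argument: a full or partial dotted address matched
    octet by octet, or a name matched on label boundaries."""
    if rule[0].isdigit():
        octets = rule.split(".")
        return client_ip.split(".")[: len(octets)] == octets
    if client_host is None:      # no double-reverse-verified name available
        return False
    return client_host == rule or client_host.endswith("." + rule)


def host_allowed(client_ip, client_host=None, allow_from=ALLOW_FROM):
    """order deny,allow + deny from all: denied unless some allow matches."""
    return any(host_matches(r, client_ip, client_host) for r in allow_from)


def user_satisfied(user, password, require=REQUIRE):
    """True if the credentials validate and any one require line accepts
    the user (several require lines are alternatives, not conditions)."""
    users, groups = parse_htpasswd(HTPASSWD), parse_htgroup(HTGROUP)
    if user is None or password is None or not verify_user(users, user, password):
        return False
    for kind, arg in require:
        if kind == "valid-user":
            return True
        if kind == "group" and user in groups.get(arg, set()):
            return True
    return False


def access_decision(method, client_ip, client_host=None, user=None,
                    password=None, satisfy="any", require=REQUIRE):
    """Return 'allowed', 'unauthorized' (401, browser prompts) or
    'forbidden' (403) for one request against the sample .htaccess."""
    if method not in LIMIT_METHODS:
        return "allowed"     # nothing inside <Limit> applies: unprotected
    by_host = host_allowed(client_ip, client_host)
    by_user = user_satisfied(user, password, require)
    if satisfy == "any":
        return "allowed" if (by_host or by_user) else "unauthorized"
    if not by_host:          # satisfy all: both checks must pass
        return "forbidden"
    return "allowed" if by_user else "unauthorized"


if __name__ == "__main__":
    print(access_decision("GET", "207.16.26.9"))         # allowed, no login
    print(access_decision("DELETE", "10.0.0.5"))          # allowed: Limit gap
    print(access_decision("GET", "10.0.0.5", user="guest",
                          password="letmein", satisfy="all"))   # forbidden
```

Three results are worth noticing: a client inside 207.16.26.0/24 is let in without a password because of satisfy any; a DELETE request from anywhere is not checked at all because it is outside the Limit list; and guest, who is not in the mp3 group, is still admitted under satisfy any because require valid-user is an alternative to require group.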

Copyright © 1999-2007 IPOWER, Inc. Read our Terms and Conditions. All rights reserved.