
Web Site Access Control Using the Apache Web Server


Presentation Transcript


  1. Web Site Access Control Using the Apache Web Server Instructor: Joseph DiVerdi, Ph.D., M.B.A.

  2. Restricting Access • There are several ways of restricting access to documents on a Web site: • User Authentication • By a supplied username-password pair • Restrict documents on an individual basis • Host Authentication • By the client's hostname or IP address • Restrict documents to use within a company • Anonymous Authentication • By a supplied email address

  3. Restricting Access • User Authentication • By a supplied username-password pair

  4. Setting Up User Authentication • Two steps: • Create a file containing the usernames & passwords • The user database file • Typically .htpasswd • Tell the server what resources are to be protected & which users are allowed to access them • The access control file • Required .htaccess

  5. Example Directory

  6. Protected Example Directory

  7. Setting Up User Authentication • First Step • Create User Database

  8. User Database • A list of users & passwords is placed in a file • The file consists of username-password pairs • Username & password separated by a colon
      diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
      • Usernames are stored as plain text • Passwords are stored as encrypted text • Same scheme used for Linux OS passwords • File's name is Webmaster's choice • Most often .htpasswd

  9. User Database • .htpasswd File Contents
      diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
      student:$1$w52WGe/x$P2Gbl6PI64b4smgXk
      admin:$1$fxc/AJ.B$MJUSiGYeaOnrfYw3T
      instructor:$1$eO94BVjf$dt401B8ffXCe0BBGCp
      user:$1$rCzDxDR6$CWAWi7cjN0kfM

  10. Creating the User Database • Usernames & passwords cannot be simply typed into the database • The passwords are stored in an encrypted format • The program htpasswd is used to create a user file & to add or modify users • htpasswd is a C program that is supplied with the Apache distribution • Automatically stores passwords in the necessary encrypted format

  11. Creating the User Database • Create a new file: /users/diverdi/.htpasswd • Add the username: alice
      htpasswd -c /users/diverdi/.htpasswd alice
      • The -c argument means create new file • Program asks for a password for username

  12. Modifying the User Database • More users can be added to an existing file • Use same command without the -c argument • Add the username bob
      htpasswd /users/diverdi/.htpasswd bob

  13. Setting Up User Authentication • Second Step • Create Access Control File(s)

  14. Access Control File • Control is performed on per-directory basis • With a selected directory protected • And all its subdirectories! • Control File is placed in the selected directory • Named .htaccess • You must use name selected by Site Admin • Directives are placed in the file • Specify various controls

  15. Special Side Note • Apache configuration must be set up to permit User Authentication • Controlled by AuthConfig override directive • Controlled by Site Administrator or Webmaster • Ask nicely & the Site Administrator will configure Apache appropriately • Or just do it yourself

  16. Access Control File Format • .htaccess File Contents
      AuthType Basic
      AuthName dungeon
      AuthUserFile /users/diverdi/.htpasswd
      require valid-user

  17. Access Control File Format • AuthType directive tells the server what protocol is to be used for authentication • Currently, Basic is the only method available • Digest authentication will provide more security than the Basic authentication • Available on Server • Not yet widely supported on Browsers

  18. Access Control File Format • AuthName specifies a realm name • A realm is a container for a particular area • Several different controlled areas are created using different realms • Think of several different locked rooms • Some rooms are on the same key • Some rooms are on different keys • The realms determine which keys they are on

  19. Access Control File Format • AuthUserFile tells the server the location of the user database file • required • AuthGroupFile, is a similar directive used to tell the server the location of a groups file • Not required

  20. Access Control File Format • The remaining directives permit fine access control using several different methods • To permit access by any username in the user database the following directive is used:
      require valid-user

  21. Access Control File Format • .htaccess File Contents
      AuthType Basic
      AuthName "Secret Space"
      AuthUserFile /users/diverdi/.htpasswd
      require valid-user

  22. Access Control File Format • To permit access by particular username(s) in the user database the following directive is used:
      require user alice carol
      • All other users are denied access to this realm • Even those with the correct password

  23. Protected Directory

  24. Multiple Directories

  25. Protected Directories

  26. Access Control File Format • Sales .htaccess File Contents
      AuthType Basic
      AuthName SaleSpace
      AuthUserFile /users/diverdi/.htpasswd
      require user alice carol
      • HR .htaccess File Contents
      AuthType Basic
      AuthName "Human Resources"
      AuthUserFile /users/diverdi/.htpasswd
      require user bob dave

  27. Protected Directories

  28. Problems... • However, as the number of usernames grows • Maintenance becomes more tedious • Every time someone joins or leaves the organization • Modify some number of .htaccess files
      require user user1 user2 ... user4358
      • OK to administer organization of 25 • With 10% per year turnover • Not OK for 1000 • Yuck!

  29. Using Groups • Solution: use a group database

  30. Using Groups • The group usage is similar to standard Linux: • A user can be a member of any number of groups • Various groups must be defined • Create a Group Database • Access control file(s) must be adjusted • To point to Group Database • To permit group access

  31. Setting Up Group Usage • First Step • Create Group Database

  32. Group Database • A list of group names & users in a file • The file consists of lines • Starting with a group name followed by • A space-separated list of users in that group
      sales: alice carol dave fiona
      HR: bob edward georgina henry
      • All plain text • File's name is Webmaster's choice • Most often .htgroup

  33. Creating a Group Database • Usernames & passwords can be simply typed into the database • Everything is plain text • Use your favorite FTP editing tool • Woo-Hoo!

  34. Creating a Group Database

  35. Group Database • .htgroup File Contents
      sales: alice carol dave fiona
      HR: bob edward georgina henry
      • Ensure that each username appears in the .htpasswd file • No error is flagged but users can't get in

  36. Special Side Note • The maximum line length in a group file is • 8,192 characters • It takes a lot to get that many but it is possible • Average of ten characters per username • Limit of eight hundred per group • It is possible • You can have the same group name on several different lines • Just use as many as necessary

  37. Access Control File Format • The AuthGroupFile directive is used to tell the server the location of the group file
      AuthType Basic
      AuthName salespace
      AuthUserFile /users/diverdi/.htpasswd
      AuthGroupFile /users/diverdi/.htgroup

  38. Access Control File • To permit access to any user in the group salespeople the require directive is used:
      AuthType Basic
      AuthName salespace
      AuthUserFile /users/diverdi/.htpasswd
      AuthGroupFile /users/diverdi/.htgroup
      require group sales

  39. Using Groups • Multiple groups can be identified • require user can also be included • Any match can access the realm
      AuthType Basic
      AuthName salespace
      AuthUserFile /users/diverdi/.htpasswd
      AuthGroupFile /users/diverdi/.htgroup
      require group salespeople
      require user sales_manager
      • Of course the user sales_manager must be defined in user database

  40. Protection With Groups

  41. Access Control File Format • Sales .htaccess File Contents
      AuthType Basic
      AuthName salespace
      AuthUserFile /users/diverdi/.htpasswd
      AuthGroupFile /users/diverdi/.htgroup
      require group salespeople
      • HR .htaccess File Contents
      AuthType Basic
      AuthName "Human Resources"
      AuthUserFile /users/diverdi/.htpasswd
      AuthGroupFile /users/diverdi/.htgroup
      require group HR
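As an added example (not part of the slides), the following Python script parses a .htpasswd/.htgroup pair in the formats shown above and evaluates the require lines of a .htaccess file the way slides 38 and 39 describe (any matching line admits the user); it also reports the problem from slide 35 (group members with no .htpasswd entry, whom Apache silently never admits) and enforces the line limit from slide 36. The file contents and hash fields are constructed, and the group is named sales as in the .htgroup shown.

```python
# Added example, not from the slides: check an Apache .htpasswd/.htgroup pair
# and work out which users a set of "require" lines admits. Sample file contents
# are constructed; hash fields are placeholders, only the formats follow the slides.
HTPASSWD = """\
alice:$1$constructed$hash1
carol:$1$constructed$hash2
bob:$1$constructed$hash3
sales_manager:$1$constructed$hash4
"""
HTGROUP = """\
sales: alice carol dave fiona
HR: bob edward georgina henry
"""
MAX_GROUP_LINE = 8192  # line limit quoted on slide 36


def parse_htpasswd(text):
    """Return the set of usernames; the hash field is not needed for this check."""
    return {line.split(":", 1)[0] for line in text.splitlines() if ":" in line}


def parse_htgroup(text):
    """Return {group: set(users)}; a group named on several lines is merged."""
    groups = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        if len(line) > MAX_GROUP_LINE:
            raise ValueError("group line longer than %d characters" % MAX_GROUP_LINE)
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def orphaned_members(users, groups):
    """Group members with no .htpasswd entry: Apache flags no error, but they
    can never authenticate (slide 35)."""
    return {g: sorted(m - users) for g, m in groups.items() if m - users}


def allowed_users(require_lines, users, groups):
    """Users admitted by at least one require line (any match grants access)."""
    allowed = set()
    for line in require_lines:
        parts = line.split()
        if parts[:2] == ["require", "valid-user"]:
            allowed |= users
        elif parts[:2] == ["require", "user"]:
            allowed |= users & set(parts[2:])
        elif parts[:2] == ["require", "group"]:
            for group in parts[2:]:
                allowed |= users & groups.get(group, set())
    return allowed
```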

  42. Restricting Access • Host Authentication • By the client's hostname or IP address • Restrict documents to use within a company

  43. Access Control Files • .htaccess File Contents
      AuthType Basic
      AuthName dungeon
      Order Deny,Allow
      Deny from all
      Allow from frii.net
      • Note that all the usual auth filename directives need not be present

  44. Allow Directive • The allow directive affects which hosts can access an area of the server • Access can be controlled by • Hostname • IP Address • IP Address range • Other characteristics of the client request • Captured in environment variables

  45. Allow Directive • Allow the identified hosts • Syntax
      allow from all
      allow from xtrsystems.com
      allow from woody.xtrsystems.com
      allow from 216.125.34.201
      allow from 216.125.34.201/255.255.255.240
      • The from is absolutely required • all means anyone • xtrsystems.com means all in that domain • woody.xtrsystems.com means all in that domain • 216.125.34.201 means that IP address • 216.125.34.201/255.255.255.240 means that IP address subnet

  46. Deny Directive • Deny the identified hosts • Syntax
      deny from all
      deny from xtrsystems.com
      deny from woody.xtrsystems.com
      deny from 216.125.34.201
      deny from 216.125.34.201/255.255.255.240
      • The from is absolutely required • all means anyone • xtrsystems.com means all in that domain • woody.xtrsystems.com means all in that domain • 216.125.34.201 means that IP address • 216.125.34.201/255.255.255.240 means that IP address subnet

  47. Combining Rules • Consider the following directives
      allow from woody.xtrsystems.com
      deny from all
      • Access is not permitted from any computer • Access is permitted from woody.xtrsystems.com • Hmmm, which directive takes precedence? • The order directive settles this question

  48. Order Directive • Order directive controls • Default access state • All which is not permitted is proscribed • All which is not proscribed is permitted • Order in which deny & allow are evaluated • Syntax
      Order Deny,Allow
      Order Allow,Deny
      • Note that there are no spaces near comma

  49. Order Directive
      Order Deny,Allow
      • Access is allowed by default • Client will be allowed access to the server • If either test is true • Does match an allow directive or • Does not match a deny directive
      Order Deny,Allow
      Allow from xtrsystems.com
      Deny from all
      • Allows xtrsystems.com • Excludes all others

  50. Order Directive
      Order Allow,Deny
      • Access is denied by default • Client will be denied access to the server • If either test is true • Does not match an allow directive or • Does match a deny directive
      Order Allow,Deny
      Allow from xtrsystems.com
      Deny from all
      • Excludes everyone
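Added example (not part of the slides): a small Python evaluator for the Order, Allow and Deny directives as slides 47 to 50 describe them, applied to one client's hostname and address, which reproduces the outcomes stated on those slides (Deny,Allow admits xtrsystems.com and excludes the rest; Allow,Deny with Deny from all excludes everyone). Apache matches hostnames only when it can reverse-resolve the client address, and Apache 2.4 keeps these directives only in mod_access_compat; the client names and addresses used are the slides' own or constructed here.

```python
# Added example, not from the slides: evaluate Apache's Order/Allow/Deny host
# rules for one client. Hostname matching mirrors Apache's suffix rule and
# assumes the server could reverse-resolve the client (HostnameLookups).
import ipaddress


def matches(value, host, ip):
    """Does one 'from' value (all, domain, host, IP or IP/netmask) cover the client?"""
    if value == "all":
        return True
    if "/" in value:                       # IP address subnet, e.g. a.b.c.d/255.255.255.240
        return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)
    try:
        return ipaddress.ip_address(value) == ipaddress.ip_address(ip)
    except ValueError:                     # not an address: (partial) hostname
        host, value = host.lower(), value.lower()
        return host == value or host.endswith("." + value)


def evaluate(directives, host, ip):
    """Return True if the client is admitted. Apache's default is Order Deny,Allow.
    The Order line fixes the default state and which list wins on conflict."""
    order, allow, deny = "deny,allow", [], []
    for line in directives:
        parts = line.split()
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "order":
            order = parts[1].lower()       # no spaces near the comma (slide 48)
        elif keyword in ("allow", "deny"):
            if len(parts) < 3 or parts[1].lower() != "from":
                raise ValueError("'from' is required: " + line)
            (allow if keyword == "allow" else deny).extend(parts[2:])
    hit_allow = any(matches(v, host, ip) for v in allow)
    hit_deny = any(matches(v, host, ip) for v in deny)
    if order == "deny,allow":              # allowed by default (slide 49)
        return hit_allow or not hit_deny
    if order == "allow,deny":              # denied by default (slide 50)
        return hit_allow and not hit_deny
    raise ValueError("unsupported Order: " + order)
```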
