Many sites are interested in limiting the scope of the information that they distribute with their Web servers. This may be because a Web server is used by an organization to distribute both internal data, such as employee handbooks or phone books, and external data, such as how to reach the organization's headquarters by mass transit. To provide for this requirement, many Web servers have a system for restricting access to Web documents.
Most servers support two primary techniques for controlling access to files and directories:
Each of these techniques has advantages and disadvantages. Restricting to IP address is relatively simple within an organization, although it leaves you open to attacks based on "IP spoofing." Using hostnames, instead of IP addresses, further opens your server to the risk of DNS spoofing. And usernames and passwords, unless you use a server and clients that support encryption, are sent in the clear over the network.
Of these three techniques, restricting access to people who present properly signed certificates is probably the most secure, provided that you trust your certification authority. (See below.)
The NCSA server allows you to place all of your global access restrictions in a single file called conf/access.conf. Alternatively, you can place the restrictions in each directory using the name specified by the AccessFileName in the configuration file conf/srm.conf . The per-directory default file name is .htaccess , but you can change this name if you wish.
Whether you choose to use many access files or a single file is up to you. It is certainly more convenient to have a file in each directory. It also makes it easier to move directories within your Web server, as you do not need to update the master access control file. Furthermore, you do not need to restart your server whenever you make a change to the access control list - the server will notice that there is a new .htaccess file, and behave appropriately.
On the other hand, having an access file in each directory means that there are more files that you need to check to see whether the directories are protected or not. There is also a bug with some Web servers that allows the access file to be directly fetched (see the Note below). As a result, most Web professionals recommend against per-directory access control files.
<Directory /nsa/manual> <Limit GET> order deny,allow deny from all allow from .nsa.mil </Limit> </Directory>
If you are using the per-directory access control, do not include the <Directory> and </Directory> tags. For example:
<Limit GET> order deny,allow deny from all allow from .nsa.mil </Limit>
# AccessFileName: The name of the file to look for in each directory # for access control information. AccessFileName .ap
stooges: larry moe curley
Hosts in the allow and deny statements may be any of the following:
For example, if you wish to restrict access to a directory's files to everyone on the subnet 204.17.195.*, you could add the following lines to your access.conf file:
<Directory /usr/local/etc/httpd/htdocs/special> <Limit GET POST> order deny,allow deny from all allow from 204.17.195 </Limit> </Directory>
If you then wanted to allow only the authenticated users beth and simson to access the files, and only when they are on subnet 204.17.195, you could add these lines:
AuthType Basic AuthName The-T-Directory AuthUserFile /tmp/auth <Limit GET POST> order deny,allow deny from all allow from 204.17.195 require user simson beth </Limit>
Of course, the first three lines could as easily go in the server's access.conf file.
If you wish to allow the users beth and simson to access the files from anywhere on the Internet, provided that they type the correct username and password, try this:
# ./htpasswd -c /usr/local/etc/httpd/pw/auth simsong Adding password for simsong. New password: foo1234 Re-type new password: foo1234 #
You can add additional users and passwords with the htpasswd program. When you add additional users, do not use the -c option, or you will erase all of the users who are currently in the file:
# ./htpasswd /usr/local/etc/httpd/pw/auth beth Adding password for beth. New password: luvsim Re-type new password: luvsim #
The password file is similar, but not identical, to the standard /etc/passwd file:
# cat /usr/local/etc/httpd/pw/auth simsong:ZdZ2f8MOeVcNY beth:ukJTIFYWHKwtA #
Because the Web server uses crypt ( ) -style passwords, it is important that the password file be inaccessible to normal users on the server (and to users over the Web) to prevent an ambitious attacker from trying to guess passwords using a program such as Crack .