Apache Security on RH 7.2

  1. #1
    Senior Member
    Join Date
    Aug 2002
    Posts
    651

    Apache Security on RH 7.2

    I have recently embarked on configuring an Apache Web server on an RH 7.2 box. I have successfully configured and started it, but I am having trouble with configuring some sort of authentication with it. Below, you will find my attempt at setting up Basic Authentication in the main server file. Pardon my ignorance, but I seem to be having trouble understanding the documentation. I also tried creating a .htaccess file in the htdocs directory called apacheweb.htaccess with the very same information below starting with the AuthType and ending with Require user... I have done research to see if I could clear this up, but I have been unsuccessful. Now, I figured it was time to ask you Apache security gurus out there - although I'm sure this will be an easy one for you guys. I think that I am forgetting something really simple! How frustrating!

    # Each directory to which Apache has access, can be configured with respect
    # to which services and features are allowed and/or disabled in that
    # directory (and its subdirectories).
    #
    # First, we configure the "default" to be a very restrictive set of
    # permissions.
    #
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    </Directory>

    <Directory "/usr/local/apache/htdocs">
    AuthType Basic
    AuthName "For Authorized Users Only"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require user username username username username
    </Directory>
    Opinions are like holes - everybody's got 'em.

  2. #2
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Wait, the .htaccess file should be called just that: .htaccess. It's not a suffix, it's the entire filename. But first things first. Start by creating a so-called password file:

    To create the password file, use the htpasswd utility that came with Apache. This will be located in the bin directory of wherever you installed Apache. For example, it will probably be located at /usr/local/apache/bin/htpasswd if you installed Apache from source.

    To create the file, type:

    htpasswd -c /usr/local/apache/passwd/passwords username

    htpasswd will ask you for the password, and then ask you to type it again to confirm it:

    # htpasswd -c /usr/local/apache/passwd/passwords rbowen
    New password: mypassword
    Re-type new password: mypassword
    Adding password for user rbowen

    Note that in the example shown, a password file is being created containing a user called rbowen, and this password file is being placed in the location /usr/local/apache/passwd/passwords. You will substitute the location, and the username, which you want to use to start your password file.

    If htpasswd is not in your path, you will have to type the full path to the file to get it to run. That is, in the example above, you would replace htpasswd with /usr/local/apache/bin/htpasswd

    The -c flag is used only when you are creating a new file. After the first time, you will omit the -c flag, when you are adding new users to an already-existing password file.

    htpasswd /usr/local/apache/passwd/passwords sungo

    The example just shown will add a user named sungo to a password file which has already been created earlier. As before, you will be asked for the password at the command line, and then will be asked to confirm the password by typing it again.

    Caution: Be very careful when you add new users to an existing password file that you don't use the -c flag by mistake. Using the -c flag will create a new password file, even if you already have an existing file of that name. That is, it will remove the contents of the file that is there, and replace it with a new file containing only the one username which you were adding.

    The password is stored in the password file in encrypted form, so that users on the system will not be able to read the file and immediately determine the passwords of all the users. Nevertheless, you should store the file in as secure a location as possible, with whatever minimum permissions on the file so that the web server itself can read the file. For example, if your server is configured to run as user nobody and group nogroup, then you should set permissions on the file so that only the webserver can read the file and only root can write to it:

    chown root.nogroup /usr/local/apache/passwd/passwords
    chmod 640 /usr/local/apache/passwd/passwords
    After you did this (and make sure you don't save your password-file in a public place, as stated above) you tell your webserver to use that file. There are two ways of doing this: either you use a file called ".htaccess" in the directory you wish to protect, or you edit httpd.conf (your main configuration-file). Let's use .htaccess for now.

    Create a new document, called .htaccess, in the directory you wish to protect. In that file, type this:

    AuthType Basic
    AuthName "By Invitation Only"
    AuthUserFile /usr/local/apache/passwd/passwords
    Make sure that you adjust the part I colored blue. It should point to the password-file you created earlier.

    Finally, add one more line to .htaccess (choose one, don't add both lines!)

    If you want to grant access to every user for which you created a password in your password-file, add the next line:

    Require valid-user
    If you want to grant access to but a few users, use this:

    Require user t2k2 guus
    Again, change the names in blue. In this example, I used both your name and mine, but these should reflect a couple of users you created in your password file. You can add or remove users if you want, of course.

    That's it. Save the file, reload the page in your browser, and you'll be prompted for a password. You should be able to figure stuff out from here. Good luck, let me know if it worked.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Ok, I didn't know that the file should actually be called ".htaccess", but when I do Require valid-user, I get "Page cannot be displayed" in my browser. However, if I list the usernames, I can get to the site, but there is no authentication dialog box. Weird???... help please. I even tried stopping and starting Apache, even though the documentation says that .htaccess files become effective immediately. It still doesn't work.
    Opinions are like holes - everybody's got 'em.

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Errr, any chance I could have a look at your configuration? icq, msn, pm me ...
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  5. #5
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    FYI, gang, we were still unable to get this one resolved so far. Any suggestions would be greatly appreciated.
    Opinions are like holes - everybody's got 'em.

  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    I got this working using port 8080 serving docs out of /usr/local/apache/htdocs, but there appears to be another webserver/port running at port 80 serving docs out of /var/www/html. Are there actually two webservers installed? I would like to use the default port 80, but I have not yet figured out how to get the Basic Authentication to work. I ended up allowing .htaccess to override in the main server config file. The setting was AuthConfig, but the default was None. After I changed this, it worked like a champ for port 8080, but I have not yet figured out how to get it going for port 80. Any help would be appreciated.

    Thanks.



    Edit: I have figured some sort of "workaround" for this by setting an additional port/address for apache to listen to. The line goes like this:

    Listen xxx.xxx.xxx.xxx:80

    After I restarted apache, it worked great. I'm still a bit confused as to why there were two "servers" running. Oh well, it works. If there is anyone with some insight into this, you can post to this thread or PM me with ideas.

    t2k2
    Opinions are like holes - everybody's got 'em.
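As an added illustration (not code from this thread), here is a small Python audit for the two pitfalls the thread ran into: an enclosing <Directory> with AllowOverride None silently ignoring the .htaccess file (what #6 found), and a password file kept under DocumentRoot (what #2 warns against). The httpd.conf fragment and paths are constructed, modelled on the config in #1.

```python
import re

# Constructed sample httpd.conf fragment: AllowOverride None on <Directory />
# (disables .htaccess, as found in #6) and an AuthUserFile under DocumentRoot (#2).
HTTPD_CONF = """\
DocumentRoot "/usr/local/apache/htdocs"
<Directory />
AllowOverride None
</Directory>
<Directory "/usr/local/apache/htdocs">
AuthType Basic
AuthName "For Authorized Users Only"
AuthUserFile /usr/local/apache/htdocs/passwords
Require user t2k2 guus
</Directory>
"""
DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S)

def parse_directories(conf):
    # Map each <Directory> path to its {directive: value} pairs.
    blocks = {}
    for path, body in DIR_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key] = value.strip()
        blocks[path.rstrip("/") or "/"] = directives
    return blocks

def effective_override(blocks, directory):
    """AllowOverride is inherited from the nearest enclosing <Directory> that sets it."""
    enclosing = [p for p in blocks if directory == p or directory.startswith(p.rstrip("/") + "/")]
    for p in sorted(enclosing, key=len, reverse=True):
        if "AllowOverride" in blocks[p]:
            return blocks[p]["AllowOverride"], p
    return None, None

def audit(conf, htaccess_dir):
    """Return findings for the two pitfalls discussed in this thread."""
    findings, blocks = [], parse_directories(conf)
    m = re.search(r'^DocumentRoot\s+"?([^"\n]+?)"?\s*$', conf, re.M)
    docroot = m.group(1).rstrip("/") if m else None
    for path, d in blocks.items():
        auth_file = d.get("AuthUserFile", "")
        if docroot and auth_file.startswith(docroot + "/"):
            findings.append(f"{path}: AuthUserFile {auth_file} is inside DocumentRoot")
    override, src = effective_override(blocks, htaccess_dir)
    if override != "All" and "AuthConfig" not in (override or "").split():
        findings.append(f".htaccess in {htaccess_dir} ignored: AllowOverride {override or 'unset'} in <Directory {src or '?'}>")
    return findings
```

Running audit(HTTPD_CONF, "/usr/local/apache/htdocs") reports both problems; changing the override to AuthConfig and moving the file to /usr/local/apache/passwd/passwords, as #2 and #6 describe, clears them.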

  7. #7
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Ok, before anyone gets upset or annoyed by my posting another reply to this, I want to let you know that it was because I had passed the amount of time allowed to edit a post. This is why I had to post a separate thread. I just wanted to let you guys know that I found that a second webserver was running and serving docs out of the /var/www/html directory. Apparently, an earlier version of Apache uses this directory, so I uninstalled it and configured my main installation to listen to port 80 as well. Everything is "ALL GOOD" now. I hope that someone other than myself learned from my stupid mistake! I know I'm still a rookie with Linux, but I'm learning fast. Wish me luck. Take care.

    t2k2
    Opinions are like holes - everybody's got 'em.
