Web Site Access Control with Apache Fort Collins, CO Copyright © XTR Systems, LLC Web Site Access Control Using the Apache Web Server Instructor: Joseph.

Presentation transcript:

Web Site Access Control Using the Apache Web Server
Instructor: Joseph DiVerdi, Ph.D., M.B.A.

Restricting Access
There are several ways of restricting access to documents on a Web site:
User Authentication
– By a supplied username-password pair
– Restrict documents on an individual basis
Host Authentication
– By the client's hostname or IP address
– Restrict documents to use within a company
Anonymous Authentication
– By a supplied address

Restricting Access
User Authentication
– By a supplied username-password pair

Setting Up User Authentication
Two steps:
– Create a file containing the usernames & passwords
  The user database file
  Typically .htpasswd
– Tell the server what resources are to be protected & which users are allowed to access them
  The access control file
  Required name: .htaccess

Example Directory (figure slide)

Protected Example Directory (figure slide)

Setting Up User Authentication
First Step – Create User Database

User Database
A list of users & passwords is placed in a file
The file consists of username-password pairs
– Username & password separated by a colon
  diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
Usernames are stored as plain text
Passwords are stored as encrypted (hashed) text
– Same scheme used for Linux OS passwords
The file's name is the Webmaster's choice
– Most often .htpasswd

User Database
.htpasswd File Contents
  diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
  student:$1$w52WGe/x$P2Gbl6PI64b4smgXk
  admin:$1$fxc/AJ.B$MJUSiGYeaOnrfYw3T
  instructor:$1$eO94BVjf$dt401B8ffXCe0BBGCp
  user:$1$rCzDxDR6$CWAWi7cjN0kfM

Creating the User Database
Usernames & passwords cannot simply be typed into the database
– The passwords are stored in an encrypted format
The program htpasswd is used to create a user file & to add or modify users
– htpasswd is a C program supplied with the Apache distribution
– It automatically stores passwords in the necessary encrypted format

Creating the User Database
Create a new file: /users/diverdi/.htpasswd
Add the username: alice
  htpasswd -c /users/diverdi/.htpasswd alice
– The -c argument means create a new file
  It overwrites the file if one already exists, so use it only for the first user
– The program asks for a password for the username

Modifying the User Database
More users can be added to an existing file
– Use the same command without the -c argument
Add the username bob
  htpasswd /users/diverdi/.htpasswd bob

Setting Up User Authentication
Second Step – Create Access Control File(s)

Access Control File
Control is performed on a per-directory basis
– With a selected directory protected
– And all its subdirectories!
The control file is placed in the selected directory
– Named .htaccess
– You must use the name selected by the Site Admin
Directives are placed in the file
– They specify the various controls

Special Side Note
The Apache configuration must be set up to permit User Authentication
– Controlled by the AllowOverride directive (the AuthConfig override)
– Controlled by the Site Administrator or Webmaster
Ask nicely & the Site Administrator will configure Apache appropriately
Or just do it yourself

Access Control File Format
.htaccess File Contents
  AuthType Basic
  AuthName dungeon
  AuthUserFile /users/diverdi/.htpasswd
  require valid-user

Access Control File Format
The AuthType directive tells the server what protocol is to be used for authentication
Currently, Basic is the only method in general use
Digest authentication provides more security than Basic authentication
– Available on the server
– Not yet widely supported by browsers

Access Control File Format
AuthName specifies a realm name
– A realm is a container for a particular area
– Several different controlled areas are created using different realms
– Think of several different locked rooms:
  Some rooms are on the same key
  Some rooms are on different keys
  The realms determine which keys they are on

Access Control File Format
AuthUserFile tells the server the location of the user database file
– Required
AuthGroupFile is a similar directive used to tell the server the location of a group file
– Not required

Access Control File Format
The remaining directives permit fine-grained access control using several different methods
To permit access by any username in the user database, the following directive is used:
  require valid-user

Access Control File Format
.htaccess File Contents
  AuthType Basic
  AuthName "Secret Space"
  AuthUserFile /users/diverdi/.htpasswd
  require valid-user

Access Control File Format
To permit access by particular username(s) in the user database, the following directive is used:
  require user alice carol
All other users are denied access to this realm
– Even those with the correct password

Protected Directory (figure slide)

Multiple Directories (figure slide)

Protected Directories (figure slide)

Access Control File Format
Sales .htaccess File Contents
  AuthType Basic
  AuthName SaleSpace
  AuthUserFile /users/diverdi/.htpasswd
  require user alice carol
HR .htaccess File Contents
  AuthType Basic
  AuthName "Human Resources"
  AuthUserFile /users/diverdi/.htpasswd
  require user bob dave

Protected Directories (figure slide)

Problems...
However, as the number of usernames grows
– Maintenance becomes more tedious
– Every time someone joins or leaves the organization, some number of .htaccess files must be modified
  require user user1 user2 ... user4358
OK to administer an organization of 25
– With 10% per year turnover
Not OK for 1000
Yuck!

Using Groups
Solution: use a group database

Using Groups
Group usage is similar to standard Linux:
– A user can be a member of any number of groups
The various groups must be defined
– Create a Group Database
The access control file(s) must be adjusted
– To point to the Group Database
– To permit group access

Setting Up Group Usage
First Step – Create Group Database

Group Database
A list of group names & users in a file
The file consists of lines
– Starting with a group name, followed by
– A space-separated list of users in that group
  sales: alice carol dave fiona
  HR: bob edward georgina henry
All plain text
The file's name is the Webmaster's choice
– Most often .htgroup

Creating a Group Database
Group names & usernames can simply be typed into the database
– Everything is plain text
– Use your favorite FTP editing tool
Woo-Hoo!

Creating a Group Database (figure slide)

Group Database
.htgroup File Contents
  sales: alice carol dave fiona
  HR: bob edward georgina henry
Ensure that each username also appears in the .htpasswd file
– No error is flagged, but such users can't get in

Special Side Note
The maximum line length in a group file is
– 8,192 characters
It takes a lot to get that many, but it is possible
– At an average of ten characters per username
– The limit is about eight hundred usernames per group line
– It is possible
You can have the same group name on several different lines
– Just use as many as necessary

Access Control File Format
The AuthGroupFile directive is used to tell the server the location of the group file
  AuthType Basic
  AuthName salespace
  AuthUserFile /users/diverdi/.htpasswd
  AuthGroupFile /users/diverdi/.htgroup

Access Control File
To permit access to any user in the group salespeople, the require directive is used:
  AuthType Basic
  AuthName salespace
  AuthUserFile /users/diverdi/.htpasswd
  AuthGroupFile /users/diverdi/.htgroup
  require group sales

Using Groups
Multiple groups can be identified
require user can also be included
Any match can access the realm
  AuthType Basic
  AuthName salespace
  AuthUserFile /users/diverdi/.htpasswd
  AuthGroupFile /users/diverdi/.htgroup
  require group salespeople
  require user sales_manager
Of course, the user sales_manager must be defined in the user database
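The two checks the preceding slides call for, as an added Python example (not Apache's own code and not part of the slide deck): it parses a .htpasswd and a .htgroup in the formats shown, merges a group that is spread over several lines, enforces the 8,192-character line limit, reports group members that have no .htpasswd entry (the silent failure noted on the "Group Database" slide), and evaluates a list of require lines for an authenticated user the way the "Using Groups" slide describes (any matching line grants access). The file contents are constructed samples; the password hashes are placeholders, not real htpasswd output.

```python
"""Lint a .htpasswd/.htgroup pair and evaluate Apache `require` lines.

Added example that models the rules stated on the slides; it is not
Apache's code. File contents are constructed; hashes are placeholders.
"""

MAX_GROUP_LINE = 8192  # Apache's maximum line length in a group file

# Constructed sample files; in practice read them from disk.
HTPASSWD = """\
alice:$1$constructed$placeholderhash1
bob:$1$constructed$placeholderhash2
carol:$1$constructed$placeholderhash3
dave:$1$constructed$placeholderhash4
sales_manager:$1$constructed$placeholderhash5
"""

HTGROUP = """\
sales: alice carol dave fiona
HR: bob edward georgina henry
sales: sales_manager
"""


def parse_htpasswd(text):
    """Return the set of usernames in a .htpasswd file (user:hash per line)."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.add(line.split(":", 1)[0])
    return users


def parse_htgroup(text):
    """Return {group: set(members)}. A group named on several lines is merged,
    as Apache does. Raises ValueError for a line longer than Apache accepts."""
    groups = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_GROUP_LINE:
            raise ValueError(f"line {lineno} exceeds {MAX_GROUP_LINE} characters")
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def members_missing_from_userdb(groups, users):
    """Group members with no .htpasswd entry. Apache logs no error for them;
    they simply can never log in, so flag them before users complain."""
    return {g: sorted(m - users) for g, m in groups.items() if m - users}


def authorized(user, require_lines, groups, users):
    """Evaluate a list of `require` directives for an already-authenticated
    user. Any one matching line grants access; none matching denies it."""
    if user not in users:
        return False  # authentication would already have failed
    for line in require_lines:
        parts = line.split()
        if parts[:1] != ["require"] or len(parts) < 2:
            raise ValueError(f"not a require directive: {line!r}")
        kind, args = parts[1], parts[2:]
        if kind == "valid-user":
            return True
        if kind == "user" and user in args:
            return True
        if kind == "group" and any(user in groups.get(g, ()) for g in args):
            return True
    return False


if __name__ == "__main__":
    users = parse_htpasswd(HTPASSWD)
    groups = parse_htgroup(HTGROUP)
    print("group members missing from .htpasswd:", members_missing_from_userdb(groups, users))
    rules = ["require group sales", "require user sales_manager"]
    for u in ("alice", "bob", "fiona", "sales_manager"):
        print(f"{u}: {'allowed' if authorized(u, rules, groups, users) else 'denied'}")
```

Running it against the sample data reports fiona (in sales) and edward, georgina and henry (in HR) as absent from the user database, and shows that fiona is denied even though she is listed in the group.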

Protection With Groups (figure slide)

Access Control File Format
Sales .htaccess File Contents
  AuthType Basic
  AuthName salespace
  AuthUserFile /users/diverdi/.htpasswd
  AuthGroupFile /users/diverdi/.htgroup
  require group salespeople
HR .htaccess File Contents
  AuthType Basic
  AuthName "Human Resources"
  AuthUserFile /users/diverdi/.htpasswd
  AuthGroupFile /users/diverdi/.htgroup
  require group HR

Restricting Access
Host Authentication
– By the client's hostname or IP address
– Restrict documents to use within a company

Access Control Files
.htaccess File Contents
  AuthType Basic
  AuthName dungeon
  Order Deny,Allow
  Deny from all
  Allow from frii.net
Note that the usual auth file directives (AuthUserFile, AuthGroupFile) need not be present

Allow Directive
The allow directive affects which hosts can access an area of the server
Access can be controlled by
– Hostname
– IP address
– IP address range
– Other characteristics of the client request
  Captured in environment variables

Allow Directive
Allow the identified hosts
Syntax
  allow from all
  allow from xtrsystems.com
  allow from woody.xtrsystems.com
  allow from <IP address>
  allow from <IP address>/<netmask>
The from is absolutely required
– all means anyone
– xtrsystems.com means all hosts in that domain
– woody.xtrsystems.com means that host
– an IP address means that IP address
– an IP address with a netmask means that IP address subnet

Deny Directive
Deny the identified hosts
Syntax
  deny from all
  deny from xtrsystems.com
  deny from woody.xtrsystems.com
  deny from <IP address>
  deny from <IP address>/<netmask>
The from is absolutely required
– all means anyone
– xtrsystems.com means all hosts in that domain
– woody.xtrsystems.com means that host
– an IP address means that IP address
– an IP address with a netmask means that IP address subnet

Combining Rules
Consider the following directives
  allow from woody.xtrsystems.com
  deny from all
– Access is not permitted from any computer
– Access is permitted from woody.xtrsystems.com
Hmmm, which directive takes precedence?
– The Order directive settles this question

Order Directive
The Order directive controls
– The default access state:
  All which is not permitted is proscribed, or
  All which is not proscribed is permitted
– The order in which deny & allow are evaluated
Syntax
  Order Deny,Allow
  Order Allow,Deny
Note that there are no spaces around the comma

Order Directive
Order Deny,Allow
– Access is allowed by default
– The client will be allowed access to the server if either test is true:
  Does match an allow directive, or
  Does not match a deny directive
Example
  Order Deny,Allow
  Allow from xtrsystems.com
  Deny from all
– Allows xtrsystems.com
– Excludes all others

Order Directive
Order Allow,Deny
– Access is denied by default
– The client will be denied access to the server if either test is true:
  Does not match an allow directive, or
  Does match a deny directive
Example
  Order Allow,Deny
  Allow from xtrsystems.com
  Deny from all
– Excludes everyone (xtrsystems.com matches the deny as well)

Order Directive
Order Allow,Deny
– Access is denied by default
– The client will be denied access to the server if either test is true:
  Does not match an allow directive, or
  Does match a deny directive
Example
  Order Allow,Deny
  Allow from all
  Deny from xtrsystems.com
– Excludes xtrsystems.com
– Allows all others

Access Control Files
.htaccess File Contents
  AuthType Basic
  AuthName dungeon
  Order Deny,Allow
  Deny from all
  Allow from frii.net
Note that the usual auth file directives (AuthUserFile, AuthGroupFile) need not be present

Combined User and Host
.htaccess File Contents
  AuthType Basic
  AuthName secret
  AuthUserFile /users/diverdi/.htpasswd
  require valid-user
  order deny,allow
  deny from all
  allow from xtrsystems.com
  satisfy all
Both tests must be true for access
– Valid username-password pair, and
– In the xtrsystems.com domain

Combined User or Host
.htaccess File Contents
  AuthType Basic
  AuthName secret
  AuthUserFile /users/diverdi/.htpasswd
  require valid-user
  order deny,allow
  deny from all
  allow from xtrsystems.com
  satisfy any
Either test must be true for access
– Valid username-password pair, or
– In the xtrsystems.com domain
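The allow/deny, Order and Satisfy rules from the preceding slides, as an added Python model (not Apache's code and not part of the deck): one function matches a single from argument (all, a domain name, a host name, an IP address or an address/netmask subnet), one applies Order Deny,Allow or Order Allow,Deny exactly as the Order slides state, and one combines the host result with the username-password result under satisfy all or satisfy any. With it, the three Order examples and the two satisfy examples on the slides can be checked against each other. The client hostnames and addresses are constructed; domain-name matching follows Apache's documented rule that only whole name components match, so evilxtrsystems.com does not match xtrsystems.com. Partial IP addresses (such as 10.1) are not modelled.

```python
"""Model of Apache's allow/deny `from` matching, Order and Satisfy.

Added example, not Apache's own code: it encodes the decision rules the
slides state so that the worked cases can be checked against one another.
Hostnames and addresses used for the checks are constructed.
"""
import ipaddress


def host_matches(pattern, client_host, client_ip):
    """Test one `from` argument against one client.

    all           -> every client
    example.com   -> that name or any name ending in .example.com
                     (whole components only, as Apache documents)
    192.0.2.7     -> exactly that address
    192.0.2.0/24  -> any address inside that subnet (netmask form also accepted)
    """
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    try:
        return ipaddress.ip_address(client_ip) == ipaddress.ip_address(pattern)
    except ValueError:
        pass  # not an address: treat it as a (partial) domain name
    return client_host == pattern or client_host.endswith("." + pattern)


def host_allowed(order, allow_from, deny_from, client_host, client_ip):
    """Apply the Order directive to lists of allow/deny `from` arguments."""
    allowed = any(host_matches(p, client_host, client_ip) for p in allow_from)
    denied = any(host_matches(p, client_host, client_ip) for p in deny_from)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # default is allow: in if it matches an allow OR fails to match a deny
        return allowed or not denied
    if key == "allow,deny":
        # default is deny: in only if it matches an allow AND matches no deny
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")


def access_granted(satisfy, host_ok, user_ok):
    """Combine the host test with the username-password test (Satisfy all|any)."""
    if satisfy.lower() == "all":
        return host_ok and user_ok
    if satisfy.lower() == "any":
        return host_ok or user_ok
    raise ValueError(f"unsupported Satisfy value: {satisfy!r}")


if __name__ == "__main__":
    # The three Order examples from the slides, tried against two constructed clients.
    cases = [
        ("Deny,Allow", ["xtrsystems.com"], ["all"]),
        ("Allow,Deny", ["xtrsystems.com"], ["all"]),
        ("Allow,Deny", ["all"], ["xtrsystems.com"]),
    ]
    clients = (("woody.xtrsystems.com", "192.0.2.7"), ("pc.example.net", "198.51.100.9"))
    for order, allow, deny in cases:
        for host, ip in clients:
            verdict = host_allowed(order, allow, deny, host, ip)
            print(f"Order {order}; allow {allow}; deny {deny}; {host} -> {verdict}")
    # satisfy all vs satisfy any for a client outside the domain with a valid password
    outside = host_allowed("deny,allow", ["xtrsystems.com"], ["all"], "pc.example.net", "198.51.100.9")
    print("satisfy all:", access_granted("all", outside, True))
    print("satisfy any:", access_granted("any", outside, True))
```

The second case reproduces the slide's "Excludes everyone" result: under Allow,Deny a host in xtrsystems.com matches the allow but also matches deny from all, and a deny match wins.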

Restricting Access
Anonymous Access
– By a supplied username-password pair
Webmaster-selected username
– "anonymous"
– "guest"
– none
Webmaster-selected password
– address
– address (validated)
– none

Anonymous Access
.htaccess File Contents
  AuthType Basic
  AuthName dungeon
  require valid-user
  Anonymous anonymous guest
  Anonymous_NoUserID off
  Anonymous_MustGive on
  Anonymous_Verify on
  Anonymous_Authoritative on
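The checks implied by that .htaccess, as an added Python model (not Apache's mod_auth_anon code and not part of the deck). It assumes the documented meaning of the directives: Anonymous lists the accepted user IDs, Anonymous_NoUserID says whether an empty user ID is accepted, Anonymous_MustGive whether a password must be supplied at all, and Anonymous_Verify whether that password must look like an e-mail address (contain both an @ and a dot; nothing more is checked). Case-insensitive comparison of the user ID is an assumption of this model. The credentials tried at the bottom are constructed.

```python
"""Model of the anonymous-access checks on the last slide.

Added example, not mod_auth_anon's code. The directive semantics encoded
here are the documented ones as understood by the editor; the
case-insensitive user ID comparison is an assumption. Credentials used
below are constructed.
"""

# Settings exactly as on the slide's .htaccess
ANON_IDS = {"anonymous", "guest"}   # Anonymous anonymous guest
NO_USERID = False                   # Anonymous_NoUserID off
MUST_GIVE = True                    # Anonymous_MustGive on
VERIFY = True                       # Anonymous_Verify on


def looks_like_email(text):
    """The only test Anonymous_Verify makes: an '@' and a '.' are present."""
    return "@" in text and "." in text


def anonymous_ok(user, password, anon_ids=ANON_IDS, no_userid=NO_USERID,
                 must_give=MUST_GIVE, verify=VERIFY):
    """Return True when the supplied pair satisfies the anonymous rules."""
    if user == "":
        if not no_userid:
            return False        # empty ID refused unless Anonymous_NoUserID on
    elif user.lower() not in anon_ids:
        return False            # not an anonymous ID (assumed case-insensitive)
    if must_give and password == "":
        return False            # Anonymous_MustGive on: a password is required
    if verify and not looks_like_email(password):
        return False            # Anonymous_Verify on: must resemble an address
    return True


if __name__ == "__main__":
    for user, pw in (("anonymous", "someone@example.com"), ("Guest", "someone@example.com"),
                     ("anonymous", ""), ("anonymous", "not-an-address"),
                     ("", "someone@example.com"), ("alice", "someone@example.com")):
        print(f"{user!r}/{pw!r}: {'accepted' if anonymous_ok(user, pw) else 'refused'}")
```

Note that with Anonymous_Verify on, the only thing protecting the realm is the shape of the string typed into the password field; the slide's "address (validated)" option is a courtesy, not authentication.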