Presentation is loading. Please wait.

Presentation is loading. Please wait.

Apache Access Controls. Ways to control Allow/Deny access control –By IP –By domain name Password –Apache managed passwords –Realms.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Apache Access Controls. Ways to control Allow/Deny access control –By IP –By domain name Password –Apache managed passwords –Realms."— Presentation transcript:

1 Apache Access Controls

2 Ways to control Allow/Deny access control –By IP –By domain name Password –Apache managed passwords –Realms

3 Allow / Deny Control

4 Allow Deny Order Three basic directives –Order –Allow and Deny directives Order states which to process first (regardless of physical order) Subsequent directives provide exceptions Define by IP or domain name –Reverse dns must be working for dns restriction Easiest to see with examples

5 Default Rules ALLOW DENY Deny is the default DENY ALLOW Allow is the default

6 Example 1 Order deny,allow Deny from all Allow from dev.example.com Default is to allow, so lack of a rule says to allow access Search through the file and apply all deny directives first Begin by denying everyone Later directives provide exceptions, so anyone from dev.example.com WILL be allowed access Only dev.example.com allowed!

7 Example 2 Order allow,deny Allow from cnu.edu Deny from pcs.cnu.edu Default is to deny, so lack of a rule says to deny access Search through the file and apply all allow directives first Begin by allowing all cnu.edu Later directives provide exceptions, so anyone from pcs.cnu.edu will be denied access xyz.cnu.edu -> allowed abc.pcs.cnu.edu -> denied abc.com -> denied (default)

8 Example 3 Order allow,deny Allow from cnu.edu Allow 216.17.28 Allow 139.117.0.0/255.255.0.0 Deny from pcs.cnu.edu Default is to deny, so lack of a rule says to deny access Search through the file and apply all allow directives first Begin by allowing all cnu.edu and Various subnets Later directives provide exceptions, so anyone from pcs.cnu.edu will be denied access xyz.cnu.edu -> allowed abc.pcs.cnu.edu -> denied abc.com -> denied (default) 217.17.38.17 ->not allowed (in 38 not 28) 139.117.2.1 -> allowed (if one of those IPs are from the “pcs” domain-> deny)

9 Password Control

10 Controlling access via passwords Not the system password Internally managed password files Files can be located anywhere Each directory will dictate which file to use for authentication Can be managed by the individual if the sys admin allows.

11 Steps to use passwords 1.Create a user and password entry in the password file of your choosing 2.Associate the password file with a directory (, file or location) 3.Indicate whether you want encrypted or plain text exchange 4.Further restrict the set of users (more than what is in the file) if desired

12 Example {Directory /home/dgame/www/private} AuthType Basic AuthName "Restricted Files“ AuthUserFile /usr/local/any/where/passwords Require user dgame {/Directory} # htpasswd -c /usr/local/any/where/passwords dgame New password: mypassword Re-type new password: mypassword Adding password for user dgame # 1. Create password in file 3. Select plain text password exchange 2. Associate file with directory 4. Restrict users (here to only allow dgame)

13 Create a password # htpasswd -c /usr/local/any/where/passwords dgame New password: mypassword Re-type new password: mypassword Adding password for user dgame # htpasswd is probably in /usr/local/apache/bin This is a utility available for password creation. Use the –c option to create the file the first time, but after that do not include the –c so that the new password will be appended Inclusion of multiple password files can create a management problem One file can be used to manage many directories but should be placed in a location separate from the protected directory. Must be readable by the web server Each user would likely have his/her own file

14 Associate with a directory {Directory /home/dgame/www/private} … {/Directory} Refer to the instructions on –Directory –Directory match –Files –Files match –Location –Location match This will help detemine where to put this specification If for a user, one can also manage by using.htaccess files for providing specifications.

15 Example.htaccess AuthName "Test: Password Required" AuthUserFile /home/dgame/wwwpassfile Require user justthisuser

16 Password authentication BrowserServer mypassword OR #45%werR8234 Client must be able to support the encrypted approach All clients can’t Use either AuthType Basic AuthType Digest

17 Restricting Users Require user dgame bsmith Only these two users can access the directory regardless of what is in the password file. Require valid-user Any user in the password file can be accepted. Require group facultygroup administrativegroup Any user in the listed groups can be accepted. Must have a file to define groups AuthGroupFile /home/mygroups Text file formatted as: mygroup: billy mary bob sally

18 Realms Define part of the prompt for the user Any other part of the system in the same realm will automatically test the previous password. Not sure if realm prompt managed by client or server {Directory /home/dgame/www/private} AuthType Basic AuthName “Test: Password Required“ AuthUserFile /usr/local/any/where/passwords Require user dgame {/Directory}

19 Example {Directory /home/dgame/www/private} AuthType Basic AuthName “Test: Password Required“ AuthUserFile /usr/local/any/where/passwords Require user dgame {/Directory} BUT IT’S MORE THAN THAT!

20 How I think it works BrowserServer 1. AuthName “Test: Password Required“ 2. Check List of old Name/pass And send If already authorized 3a. Send if already authorized user 3b.1. Prompt user (shown in previous overhead) 3b.2. Send prompt response or

21 More sophisticated Password Management Use dbmanage utility Provides convenient hooks to interact with applications in different languages dbm formats vary some but libraries are widely available Use AuthDBMUserFile directive

22 Unix Permissions The web server runs as a user, typically not root. Assume that it is “http”. Remove general read permissions from the protected directory. If you do not, anyone who has an account on the machine can “cd” to it and view files. Determine the GROUP of http and set your files to be in that group. Give that group general read permissions.

23 Example {dgame@puritan:~ } cd www {dgame@puritan:~/www } ls -l test total 2 -rwxr-x--- 1 dgame nobody 260 Feb 9 11:09 home.html {dgame@puritan:~/www } cd test {dgame@puritan:~/www/test } ls -l total 2 -rwxr-x--- 1 dgame nobody 260 Feb 9 11:09 home.html {dgame@puritan:~/www/test } On our Hunter Creech network, the web server runs as “nobody”. The nobody user is also in the “nobody” group. These files and directories are modified to be in the nobody group. Also notice work permissions as none.

Download ppt "Apache Access Controls. Ways to control Allow/Deny access control –By IP –By domain name Password –Apache managed passwords –Realms."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Protecting Documents on the Web Friday Tech Briefing Timely Info for Power Users and Stanford's Technology Support Community Mark Branom ITSS Technology.

Protecting Documents on the Web Friday Tech Briefing Timely Info for Power Users and Stanford's Technology Support Community Mark Branom ITSS Technology.
Jump to first page Unix Commands Monica Stoica Jump to first page Introduction to Unix n Unix was born in 1969 at Bell Laboratories, a research subdivision.

Jump to first page Unix Commands Monica Stoica Jump to first page Introduction to Unix n Unix was born in 1969 at Bell Laboratories, a research subdivision.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Access control and user management in Apache

Access control and user management in Apache
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Samba Integrating SMB file systems with UNIX. Samba Provides a file server compatible with Windows 9x and NT.. SMB Can function in NETBIOS name browsing.

Samba Integrating SMB file systems with UNIX. Samba Provides a file server compatible with Windows 9x and NT.. SMB Can function in NETBIOS name browsing.
DNS Domain Name Service america.pcs.cnu.edu->137.155.2.10.

DNS Domain Name Service america.pcs.cnu.edu->
Access control and user management in Apache 1WUCM1.

Access control and user management in Apache 1WUCM1.
11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.

11 SHARING FILE SYSTEM RESOURCES Chapter 9. Chapter 9: SHARING FILE SYSTEM RESOURCES2 CHAPTER OVERVIEW  Create and manage file system shares and work.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
WebReport/400 TCP/IP Configuration Presented by Kisco Information Systems.

WebReport/400 TCP/IP Configuration Presented by Kisco Information Systems.
Installing a New Windows Server 2008 Domain Controller in a New Windows Server 2008 R2.

Installing a New Windows Server 2008 Domain Controller in a New Windows Server 2008 R2.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
4-1 PSe_4Konf.503 EAGLE Getting Started and Configuration.

4-1 PSe_4Konf.503 EAGLE Getting Started and Configuration.
Linux Operations and Administration

Linux Operations and Administration
Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers.

Web Technology – Web Server Setup : Chris Uriarte Meeting 4: Advanced Topics, Continued: Securing the Apache Server and Apache Performance Tuning Rutgers.

Similar presentations

Ads by Google