
Web Site Access Control with Apache
Fort Collins, CO
Copyright © XTR Systems, LLC

Slide 1: Web Site Access Control Using the Apache Web Server
Instructor: Joseph DiVerdi, Ph.D., M.B.A.

Slide 2: Restricting Access
There are several ways of restricting access to documents on a Web site:
User Authentication
  – By a supplied username-password pair
  – Restrict documents on an individual basis
Host Authentication
  – By the client's hostname or IP address
  – Restrict documents to use within a company
Anonymous Authentication
  – By a supplied email address

Slide 3: Restricting Access
User Authentication
  – By a supplied username-password pair

Slide 4: Setting Up User Authentication
Two steps:
  – Create a file containing the usernames & passwords
    The user database file, typically .htpasswd
  – Tell the server what resources are to be protected & which users are allowed to access them
    The access control file, required name .htaccess

Slide 5: Example Directory (figure)

Slide 6: Protected Example Directory (figure)

Slide 7: Setting Up User Authentication
First Step – Create User Database

Slide 8: User Database
A list of users & passwords is placed in a file
The file consists of username-password pairs
  – Username & password separated by a colon
    diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
Usernames are stored as plain text
Passwords are stored as encrypted text
  – Same scheme used for Linux OS passwords
File's name is Webmaster's choice
  – Most often .htpasswd

Slide 9: User Database
.htpasswd file contents:
    diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
    student:$1$w52WGe/x$P2Gbl6PI64b4smgXk
    admin:$1$fxc/AJ.B$MJUSiGYeaOnrfYw3T
    instructor:$1$eO94BVjf$dt401B8ffXCe0BBGCp
    user:$1$rCzDxDR6$CWAWi7cjN0kfM

Slide 10: Creating the User Database
Usernames & passwords cannot be simply typed into the database
  – The passwords are stored in an encrypted format
The program htpasswd is used to create a user file & to add or modify users
  – htpasswd is a C program that is supplied with the Apache distribution
  – Automatically stores passwords in the necessary encrypted format

Slide 11: Creating the User Database
Create a new file: /users/diverdi/.htpasswd
Add the username: alice
    htpasswd -c /users/diverdi/.htpasswd alice
  – The -c argument means create a new file
  – The program asks for a password for the username

Slide 12: Modifying the User Database
More users can be added to an existing file
  – Use the same command without the -c argument
  – Using -c again would overwrite the existing file and lose every user already in it
Add the username bob:
    htpasswd /users/diverdi/.htpasswd bob
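Added example (not code from the deck or from Apache): a Python reimplementation of the MD5-crypt scheme behind the `$1$...` entries shown on slides 8 and 9, plus a verifier that recomputes the hash from the salt stored in the entry, which is what the server does on each login. Apache's own `htpasswd -m` writes the same construction under the `$apr1$` magic; the username and password below are constructed sample values, and no htpasswd binary is needed.

```python
# Added example (not from the XTR Systems deck): MD5-crypt as used for the
# "$1$" entries in .htpasswd (the same scheme as classic Linux passwords).
# Reimplemented from the published algorithm so it runs offline; Apache's
# htpasswd -m produces the identical construction with the "$apr1$" magic.
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Encode the low 6*count bits of value, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str, magic: str = "$1$") -> str:
    """Return <magic><salt>$<22-char hash>; salt is truncated to 8 chars."""
    pw, sp, mg = password.encode(), salt[:8].encode(), magic.encode()
    ctx = hashlib.md5(pw + mg + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                     # as many bytes of alt as the password is long
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                          # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):             # 1000-round stretching
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sp)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    f = final
    h = b"".join([
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4),
        _to64((f[1] << 16) | (f[7] << 8) | f[13], 4),
        _to64((f[2] << 16) | (f[8] << 8) | f[14], 4),
        _to64((f[3] << 16) | (f[9] << 8) | f[15], 4),
        _to64((f[4] << 16) | (f[10] << 8) | f[5], 4),
        _to64(f[11], 2),
    ])
    return (mg + sp + b"$" + h).decode()


def new_entry(username: str, password: str, magic: str = "$1$") -> str:
    """Build one .htpasswd line with a random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return f"{username}:{md5_crypt(password, salt, magic)}"


def check_password(entry: str, username: str, password: str) -> bool:
    """Recompute the hash with the stored magic and salt; compare in constant time."""
    name, _, stored = entry.partition(":")
    if name != username:
        return False
    parts = stored.split("$")         # ['', '1' or 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] not in ("1", "apr1"):
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2], f"${parts[1]}$"), stored)


if __name__ == "__main__":
    line = new_entry("alice", "correct horse")    # constructed sample credentials
    print(line)
    print(check_password(line, "alice", "correct horse"))   # True
    print(check_password(line, "alice", "wrong"))           # False
```

The verifier never compares the password itself, only the recomputed string against the stored one, which is why the stored salt must be reused exactly. The deck's hashes are MD5-based and fast to compute; current htpasswd offers `-B` (bcrypt), which is the better choice for a new site.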

Slide 13: Setting Up User Authentication
Second Step – Create Access Control File(s)

Slide 14: Access Control File
Control is performed on a per-directory basis
  – With a selected directory protected, and all its subdirectories!
The control file is placed in the selected directory
  – Named .htaccess
  – You must use the name selected by the Site Admin
Directives are placed in the file
  – Specify various controls

Slide 15: Special Side Note
Apache configuration must be set up to permit User Authentication
  – Controlled by the AuthConfig override (AllowOverride AuthConfig) for the directory
  – Controlled by the Site Administrator or Webmaster
Ask nicely & the Site Administrator will configure Apache appropriately
Or just do it yourself

Slide 16: Access Control File Format
.htaccess file contents:
    AuthType Basic
    AuthName dungeon
    AuthUserFile /users/diverdi/.htpasswd
    require valid-user

Slide 17: Access Control File Format
The AuthType directive tells the server what protocol is to be used for authentication
Currently, Basic is the only method available
  – Basic sends the username and password base64-encoded, not encrypted, so it should be used over TLS
Digest authentication will provide more security than Basic authentication
  – Available on the server
  – Not yet widely supported on browsers

Slide 18: Access Control File Format
AuthName specifies a realm name
  – A realm is a container for a particular area
  – Several different controlled areas are created using different realms
  – Think of several different locked rooms
    Some rooms are on the same key
    Some rooms are on different keys
    The realms determine which keys they are on

Slide 19: Access Control File Format
AuthUserFile tells the server the location of the user database file
  – Required
AuthGroupFile is a similar directive used to tell the server the location of a groups file
  – Not required

Slide 20: Access Control File Format
The remaining directives permit fine access control using several different methods
To permit access by any username in the user database the following directive is used:
    require valid-user

Slide 21: Access Control File Format
.htaccess file contents:
    AuthType Basic
    AuthName "Secret Space"
    AuthUserFile /users/diverdi/.htpasswd
    require valid-user

Slide 22: Access Control File Format
To permit access by particular username(s) in the user database the following directive is used:
    require user alice carol
All other users are denied access to this realm
  – Even those with the correct password

Slide 23: Protected Directory (figure)

Slide 24: Multiple Directories (figure)

Slide 25: Protected Directories (figure)

Slide 26: Access Control File Format
Sales .htaccess file contents:
    AuthType Basic
    AuthName SaleSpace
    AuthUserFile /users/diverdi/.htpasswd
    require user alice carol
HR .htaccess file contents:
    AuthType Basic
    AuthName "Human Resources"
    AuthUserFile /users/diverdi/.htpasswd
    require user bob dave

Slide 27: Protected Directories (figure)

Slide 28: Problems...
However, as the number of usernames grows
  – Maintenance becomes more tedious
  – Every time someone joins or leaves the organization, some number of .htaccess files must be modified
    require user user1 user2 ... user4358
OK to administer an organization of 25
  – With 10% per year turnover
Not OK for 1000
Yuck!

Slide 29: Using Groups
Solution: use a group database

Slide 30: Using Groups
Group usage is similar to standard Linux:
  – A user can be a member of any number of groups
The various groups must be defined
  – Create a Group Database
Access control file(s) must be adjusted
  – To point to the Group Database
  – To permit group access

Slide 31: Setting Up Group Usage
First Step – Create Group Database

Slide 32: Group Database
A list of group names & users in a file
The file consists of lines
  – Starting with a group name, followed by
  – A space-separated list of users in that group
    sales: alice carol dave fiona
    HR: bob edward georgina henry
All plain text
File's name is Webmaster's choice
  – Most often .htgroup

Slide 33: Creating a Group Database
Group names & usernames can be simply typed into the database
  – Everything is plain text
  – Use your favorite FTP editing tool
Woo-Hoo!

Slide 34: Creating a Group Database (figure)

Slide 35: Group Database
.htgroup file contents:
    sales: alice carol dave fiona
    HR: bob edward georgina henry
Ensure that each username appears in the .htpasswd file
  – No error is flagged, but such users can't get in

Slide 36: Special Side Note
The maximum line length in a group file is
  – 8,192 characters
It takes a lot to get that many, but it is possible
  – Average of ten characters per username
  – Limit of eight hundred per group
  – It is possible
You can have the same group name on several different lines
  – Just use as many as necessary

Slide 37: Access Control File Format
The AuthGroupFile directive is used to tell the server the location of the group file
    AuthType Basic
    AuthName salespace
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup

Slide 38: Access Control File
To permit access to any user in the group sales the require directive is used:
    AuthType Basic
    AuthName salespace
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup
    require group sales

Slide 39: Using Groups
Multiple groups can be identified
require user can also be included
Any match can access the realm
    AuthType Basic
    AuthName salespace
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup
    require group sales
    require user sales_manager
Of course the user sales_manager must be defined in the user database
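Added example (not code from the deck or from Apache), covering slides 32 through 39: a Python script that parses the .htpasswd and .htgroup formats described there, lints the group file for the two silent problems the deck warns about (a member who is not in the user file, and a line over 8,192 characters), and evaluates a list of `require` lines with the "any match grants access" rule of slide 39. The file contents and usernames below are constructed samples; the hash strings are placeholders, not real credentials.

```python
# Added example (not from the XTR Systems deck): .htpasswd/.htgroup parsing,
# a lint for problems Apache does not report, and require-line evaluation.
from collections import defaultdict

# Constructed sample files (hash values are placeholders).
HTPASSWD = """\
diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
alice:$1$w52WGe/x$P2Gbl6PI64b4smgXk
bob:$1$fxc/AJ.B$MJUSiGYeaOnrfYw3T
carol:$1$eO94BVjf$dt401B8ffXCe0BBGCp
ian:$1$rCzDxDR6$CWAWi7cjN0kfM
sales_manager:$1$rCzDxDR6$CWAWi7cjN0kfM
"""

HTGROUP = """\
sales: alice carol dave fiona
HR: bob edward georgina henry
sales: ian
"""

MAX_GROUP_LINE = 8192  # limit stated on slide 36


def parse_htpasswd(text: str) -> set[str]:
    """Usernames only; the hash is irrelevant once the user is authenticated."""
    users = set()
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            users.add(line.split(":", 1)[0])
    return users


def parse_htgroup(text: str) -> dict[str, set[str]]:
    """group -> members; a group named on several lines is merged (slide 36)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()].update(members.split())
    return dict(groups)


def lint_group_file(text: str, users: set[str]) -> list[str]:
    """Report over-long lines and members missing from the user file."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_GROUP_LINE:
            problems.append(f"line {n}: {len(line)} chars exceeds {MAX_GROUP_LINE}")
    for group, members in parse_htgroup(text).items():
        for m in sorted(members - users):
            problems.append(f"group {group}: member {m} is not in the user file")
    return problems


def authorized(user: str, requires: list[str], users: set[str],
               groups: dict[str, set[str]]) -> bool:
    """True if an authenticated user satisfies any one require line."""
    if user not in users:
        return False                       # authentication would already have failed
    for req in requires:
        words = req.split()
        if words == ["valid-user"]:
            return True
        if words[0] == "user" and user in words[1:]:
            return True
        if words[0] == "group" and any(user in groups.get(g, ()) for g in words[1:]):
            return True
    return False


if __name__ == "__main__":
    users, groups = parse_htpasswd(HTPASSWD), parse_htgroup(HTGROUP)
    for p in lint_group_file(HTGROUP, users):
        print("WARN", p)
    rules = ["group sales", "user sales_manager"]   # the two require lines of slide 39
    for who in ("alice", "sales_manager", "ian", "bob", "dave"):
        print(who, authorized(who, rules, users, groups))
```

Run the lint whenever either file changes: the server reads both files at request time, so a stale member list produces only failed logins, never an error in the log.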

Slide 40: Protection With Groups (figure)

Slide 41: Access Control File Format
Sales .htaccess file contents:
    AuthType Basic
    AuthName salespace
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup
    require group sales
HR .htaccess file contents:
    AuthType Basic
    AuthName "Human Resources"
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup
    require group HR

Slide 42: Restricting Access
Host Authentication
  – By the client's hostname or IP address
  – Restrict documents to use within a company

Slide 43: Access Control Files
.htaccess file contents:
    AuthType Basic
    AuthName dungeon
    Order Deny,Allow
    Deny from all
    Allow from frii.net
Note that the usual auth filename directives need not be present

Slide 44: Allow Directive
The allow directive affects which hosts can access an area of the server
Access can be controlled by
  – Hostname
  – IP Address
  – IP Address range
  – Other characteristics of the client request
    Captured in environment variables

Slide 45: Allow Directive
Allow the identified hosts
Syntax:
    allow from all
    allow from xtrsystems.com
    allow from woody.xtrsystems.com
    allow from 216.125.34.201
    allow from 216.125.34.201/255.255.255.240
The from is absolutely required
  – all means anyone
  – xtrsystems.com means all in that domain
  – woody.xtrsystems.com means that host (and any name below it)
  – 216.125.34.201 means that IP address
  – 216.125.34.201/255.255.255.240 means that IP address subnet

Slide 46: Deny Directive
Deny the identified hosts
Syntax:
    deny from all
    deny from xtrsystems.com
    deny from woody.xtrsystems.com
    deny from 216.125.34.201
    deny from 216.125.34.201/255.255.255.240
The from is absolutely required
  – all means anyone
  – xtrsystems.com means all in that domain
  – woody.xtrsystems.com means that host (and any name below it)
  – 216.125.34.201 means that IP address
  – 216.125.34.201/255.255.255.240 means that IP address subnet

Slide 47: Combining Rules
Consider the following directives
    allow from woody.xtrsystems.com
    deny from all
  – Access is not permitted from any computer
  – Access is permitted from woody.xtrsystems.com
Hmmm, which directive takes precedence?
  – The order directive settles this question

Slide 48: Order Directive
The Order directive controls
  – The default access state
    All which is not permitted is proscribed
    All which is not proscribed is permitted
  – The order in which deny & allow are evaluated
Syntax:
    Order Deny,Allow
    Order Allow,Deny
Note that there are no spaces near the comma
(Order, Allow, Deny and Satisfy are the Apache 2.2 directives; in Apache 2.4 they are provided only by mod_access_compat, and the native forms are Require ip and Require host.)

Slide 49: Order Directive
Order Deny,Allow
Access is allowed by default
Client will be allowed access to the server
  – If either test is true
    Does match an allow directive, or
    Does not match a deny directive
    Order Deny,Allow
    Allow from xtrsystems.com
    Deny from all
Allows xtrsystems.com
Excludes all others

Slide 50: Order Directive
Order Allow,Deny
Access is denied by default
Client will be denied access to the server
  – If either test is true
    Does not match an allow directive, or
    Does match a deny directive
    Order Allow,Deny
    Allow from xtrsystems.com
    Deny from all
Excludes everyone

Slide 51: Order Directive
Order Allow,Deny
Access is denied by default
Client will be denied access to the server
  – If either test is true
    Does not match an allow directive, or
    Does match a deny directive
    Order Allow,Deny
    Allow from all
    Deny from xtrsystems.com
Excludes xtrsystems.com
Allows all others

Slide 52: Access Control Files
.htaccess file contents:
    AuthType Basic
    AuthName dungeon
    Order Deny,Allow
    Deny from all
    Allow from frii.net
Note that the usual auth filename directives need not be present

Slide 53: Combined User and Host
.htaccess file contents:
    AuthType Basic
    AuthName secret
    AuthUserFile /users/diverdi/.htpasswd
    require valid-user
    order deny,allow
    deny from all
    allow from xtrsystems.com
    satisfy all
Both tests must be true for access
  – Valid username-password pair, and
  – In xtrsystems.com domain

Slide 54: Combined User or Host
.htaccess file contents:
    AuthType Basic
    AuthName secret
    AuthUserFile /users/diverdi/.htpasswd
    require valid-user
    order deny,allow
    deny from all
    allow from xtrsystems.com
    satisfy any
Either test must be true for access
  – Valid username-password pair, or
  – In xtrsystems.com domain
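Added example (not code from the deck or from Apache), covering slides 44 through 54: a small Python evaluator for the Order / Allow / Deny / Satisfy logic as the slides state it. A hostname pattern matches the client's name or any name below it; an IP pattern may be an address, an address/netmask pair as on slide 45, or an address/prefix. The client addresses and hostnames below are constructed. A real server obtains the client hostname from a reverse DNS lookup, which the site does not control, so IP-based rules are the more reliable form; this evaluator simply takes both values as given and does not handle Apache's partial-address form such as `216.125`.

```python
# Added example (not from the XTR Systems deck): Order/Allow/Deny/Satisfy
# evaluation for one client, following the rules stated on slides 48-54.
import ipaddress
from typing import Optional


def host_matches(pattern: str, client_ip: str, client_host: Optional[str]) -> bool:
    """Does one 'from' argument match this client?"""
    if pattern == "all":
        return True
    if pattern[0].isdigit():                 # IP, IP/netmask or IP/prefix
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    if client_host is None:                  # no reverse DNS result: name rules never match
        return False
    h, p = client_host.lower(), pattern.lower()
    return h == p or h.endswith("." + p)     # anchored at a label boundary


def host_allowed(order: str, allows: list, denies: list,
                 client_ip: str, client_host: Optional[str] = None) -> bool:
    """Apply the Order directive exactly as slides 49-51 describe."""
    allow_hit = any(host_matches(p, client_ip, client_host) for p in allows)
    deny_hit = any(host_matches(p, client_ip, client_host) for p in denies)
    o = order.lower().replace(" ", "")
    if o == "deny,allow":   # default allow: in if an allow matches OR no deny matches
        return allow_hit or not deny_hit
    if o == "allow,deny":   # default deny: out if no allow matches OR a deny matches
        return allow_hit and not deny_hit
    raise ValueError(f"unknown Order: {order}")


def access_granted(host_ok: bool, user_ok: bool, satisfy: str = "all") -> bool:
    """Combine the host test and the user test with Satisfy all / any (slides 53-54)."""
    s = satisfy.lower()
    if s == "all":
        return host_ok and user_ok
    if s == "any":
        return host_ok or user_ok
    raise ValueError(f"unknown Satisfy: {satisfy}")


if __name__ == "__main__":
    inside = ("216.125.34.201", "woody.xtrsystems.com")   # constructed client
    outside = ("198.51.100.7", "pc.example.net")           # constructed client
    # slide 49: Order Deny,Allow / Allow from xtrsystems.com / Deny from all
    print(host_allowed("Deny,Allow", ["xtrsystems.com"], ["all"], *inside))   # True
    print(host_allowed("Deny,Allow", ["xtrsystems.com"], ["all"], *outside))  # False
    # slide 50: same rules under Order Allow,Deny exclude everyone
    print(host_allowed("Allow,Deny", ["xtrsystems.com"], ["all"], *inside))   # False
    # slide 51: Allow from all / Deny from xtrsystems.com
    print(host_allowed("Allow,Deny", ["all"], ["xtrsystems.com"], *outside))  # True
    # slide 45 subnet form
    print(host_allowed("Deny,Allow", ["216.125.34.201/255.255.255.240"], ["all"],
                       "216.125.34.206"))                                     # True
    # slide 53 (satisfy all) versus slide 54 (satisfy any) for a valid user off-site
    print(access_granted(False, True, "all"), access_granted(False, True, "any"))  # False True
```

With no Allow or Deny lines at all, `Deny,Allow` admits everyone and `Allow,Deny` admits no one, which is the default-state rule of slide 48; that is the case to check first when a host rule seems to do nothing.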

Slide 55: Restricting Access
Anonymous Access
  – By a supplied username-password pair
Webmaster-selected username
  – "anonymous"
  – "guest"
  – none
Webmaster-selected password
  – email address
  – email address (validated)
  – none

Slide 56: Anonymous Access
.htaccess file contents:
    AuthType Basic
    AuthName dungeon
    require valid-user
    Anonymous anonymous guest
    Anonymous_NoUserID off
    Anonymous_MustGiveEmail on
    Anonymous_VerifyEmail on
    Anonymous_Authoritative on
