Web Site Access Control with Apache, Fort Collins, CO
Copyright © XTR Systems, LLC
Web Site Access Control
Using the Apache Web Server
Instructor: Joseph DiVerdi, Ph.D., M.B.A.
Restricting Access
• There are several ways of restricting access to documents on a Web site:
• User Authentication
– By a supplied username-password pair
• Restrict documents on an individual basis
• Host Authentication
– By the client's hostname or IP address
• Restrict documents to use within a company
• Anonymous Authentication
– By a supplied email address
Restricting Access
• User Authentication
– By a supplied username-password pair
Setting Up User Authentication
• Two steps:
– Create a file containing the usernames & passwords
• The user database file
– Typically .htpasswd
– Tell the server what resources are to be protected & which users are allowed to access them
• The access control file
– Required .htaccess
Example Directory
Protected Example Directory
Setting Up User Authentication
• First Step
– Create User Database
User Database
• A list of users & passwords is placed in a file
• The file consists of username-password pairs
– Username & password separated by a colon
diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
• Usernames are stored as plain text
• Passwords are stored as encrypted text
– Same scheme used for Linux OS passwords
• File's name is Webmaster's choice
– Most often .htpasswd
User Database
• .htpasswd File Contents
diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
student:$1$w52WGe/x$P2Gbl6PI64b4smgXk
admin:$1$fxc/AJ.B$MJUSiGYeaOnrfYw3T
instructor:$1$eO94BVjf$dt401B8ffXCe0BBGCp
user:$1$rCzDxDR6$CWAWi7cjN0kfM
Creating the User Database
• Usernames & passwords cannot be simply typed into the database
– The passwords are stored in an encrypted format
• The program htpasswd is used to create a user file & to add or modify users
– htpasswd is a C program that is supplied with the Apache distribution
– Automatically stores passwords in the necessary encrypted format
Creating the User Database
• Create a new file: /users/diverdi/.htpasswd
• Add the username alice
htpasswd -c /users/diverdi/.htpasswd alice
– The -c argument means create new file
• An existing file of that name is overwritten, so use -c only for the first user
• Program asks for a password for username
Modifying the User Database
• More users can be added to an existing file
– Use same command without the -c argument
• Add the username bob
htpasswd /users/diverdi/.htpasswd bob
Setting Up User Authentication
• Second Step
– Create Access Control File(s)
Access Control File
• Control is performed on a per-directory basis
– With a selected directory protected
• And all its subdirectories!
• Control File is placed in the selected directory
– Named .htaccess
– You must use the name selected by the Site Admin
• Directives are placed in the file
– Specify various controls
Special Side Note
• Apache configuration must be set up to permit User Authentication
– Controlled by the AllowOverride AuthConfig directive
– Controlled by Site Administrator or Webmaster
• Ask nicely & the Site Administrator will configure Apache appropriately
• Or just do it yourself
Access Control File Format
• .htaccess File Contents
AuthType Basic
AuthName dungeon
AuthUserFile /users/diverdi/.htpasswd
require valid-user
Access Control File Format
• AuthType directive tells the server what protocol is to be used for authentication
• Currently, Basic is the only method available
– Basic sends the username-password pair base64-encoded, not encrypted
• Digest authentication will provide more security than the Basic authentication
– Available on Server
– Not yet widely supported on Browsers
Access Control File Format
• AuthName specifies a realm name
– A realm is a container for a particular area
– Several different controlled areas are created using different realms
– Think of several different locked rooms
• Some rooms are on the same key
• Some rooms are on different keys
• The realms determine which keys they are on
Access Control File Format
• AuthUserFile tells the server the location of the user database file
– Required
• AuthGroupFile is a similar directive used to tell the server the location of a groups file
– Not required
Access Control File Format
• The remaining directives permit fine access control using several different methods
• To permit access by any username in the user database the following directive is used:
require valid-user
Access Control File Format
• .htaccess File Contents
AuthType Basic
AuthName "Secret Space"
AuthUserFile /users/diverdi/.htpasswd
require valid-user
Access Control File Format
• To permit access by particular username(s) in the user database the following directive is used:
require user alice carol
• All other users are denied access to this realm
– Even those with the correct password
Protected Directory
Multiple Directories
Protected Directories
Access Control File Format
• Sales .htaccess File Contents
AuthType Basic
AuthName SaleSpace
AuthUserFile /users/diverdi/.htpasswd
require user alice carol
• HR .htaccess File Contents
AuthType Basic
AuthName "Human Resources"
AuthUserFile /users/diverdi/.htpasswd
require user bob dave
Protected Directories
Problems...
• However, as the number of usernames grows
– Maintenance becomes more tedious
– Every time someone joins or leaves the organization
• Modify some number of .htaccess files
• require user user1 user2 ... user4358
• OK to administer an organization of 25
– With 10% per year turnover
• Not OK for 1000
• Yuck!
Using Groups
• Solution: use a group database
Using Groups
• The group usage is similar to standard Linux:
– A user can be a member of any number of groups
• Various groups must be defined
– Create a Group Database
• Access control file(s) must be adjusted
– To point to Group Database
– To permit group access
Setting Up Group Usage
• First Step
– Create Group Database
Group Database
• A list of group names & users in a file
• The file consists of lines
– Starting with a group name followed by
– A space-separated list of users in that group
sales: alice carol dave fiona
HR: bob edward georgina henry
• All plain text
• File's name is Webmaster's choice
– Most often .htgroup
Creating a Group Database
• Group names & usernames can be simply typed into the database
– Everything is plain text
– Use your favorite FTP editing tool
• Woo-Hoo!
Creating a Group Database
Group Database
• .htgroup File Contents
sales: alice carol dave fiona
HR: bob edward georgina henry
• Ensure that each username appears in the .htpasswd file
– No error is flagged but users can't get in
Special Side Note
• The maximum line length in a group file is
– 8,192 characters
• It takes a lot to get that many but it is possible
– Average of ten characters per username
• Limit of eight hundred per group
– It is possible
• You can have the same group name on several different lines
– Just use as many as necessary
Access Control File Format
• The AuthGroupFile directive is used to tell the server the location of the group file
AuthType Basic
AuthName salespace
AuthUserFile /users/diverdi/.htpasswd
AuthGroupFile /users/diverdi/.htgroup
Access Control File
• To permit access to any user in the group salespeople the require directive is used:
AuthType Basic
AuthName salespace
AuthUserFile /users/diverdi/.htpasswd
AuthGroupFile /users/diverdi/.htgroup
require group sales
Using Groups
• Multiple groups can be identified
• require user can also be included
• Any match can access the realm
AuthType Basic
AuthName salespace
AuthUserFile /users/diverdi/.htpasswd
AuthGroupFile /users/diverdi/.htgroup
require group salespeople
require user sales_manager
• Of course the user sales_manager must be defined in the user database
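Added example (not the slides' own code): a small Python checker that parses the .htpasswd and .htgroup formats described above, flags group members who have no .htpasswd entry (the case the Group Database slide warns about, where no error is flagged but the user can't get in), and evaluates require lines the way Apache does, including several require lines in one file. The file contents and the hash strings are constructed for this example.

```python
# Added example (not the slides' own code): parse .htpasswd / .htgroup as
# described above and evaluate require lines. File contents are constructed;
# the hashes are placeholders, not real MD5-crypt ("$1$") strings.

HTPASSWD = """\
diverdi:$1$placeholder$hash0
alice:$1$placeholder$hash1
bob:$1$placeholder$hash2
"""

HTGROUP = """\
sales: alice carol dave fiona
HR: bob edward georgina henry
sales: sales_manager
"""

def parse_htpasswd(text):
    """'username:hash' per line -> {username: hash}."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            name, _, pw_hash = line.partition(":")
            users[name.strip()] = pw_hash
    return users

def parse_htgroup(text):
    """'group: u1 u2 ...' per line -> {group: set(users)}; repeated names merge."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            group, _, members = line.partition(":")
            groups.setdefault(group.strip(), set()).update(members.split())
    return groups

def missing_from_htpasswd(users, groups):
    """Group members with no .htpasswd entry: no error, but they can't log in."""
    known = set(users)
    return {g: sorted(m - known) for g, m in groups.items() if m - known}

def authorize(require_lines, username, users, groups):
    """The user must exist in the user database; then any one matching
    require line (valid-user, user ..., group ...) grants access."""
    if username not in users:
        return False
    for line in require_lines:
        kind, *args = line.split()[1:]          # drop the leading 'require'
        if kind == "valid-user":
            return True
        if kind == "user" and username in args:
            return True
        if kind == "group" and any(username in groups.get(g, ()) for g in args):
            return True
    return False
```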
Protection With Groups
Access Control File Format
• Sales .htaccess File Contents
AuthType Basic
AuthName salespace
AuthUserFile /users/diverdi/.htpasswd
AuthGroupFile /users/diverdi/.htgroup
require group salespeople
• HR .htaccess File Contents
AuthType Basic
AuthName "Human Resources"
AuthUserFile /users/diverdi/.htpasswd
AuthGroupFile /users/diverdi/.htgroup
require group HR
Restricting Access
• Host Authentication
– By the client's hostname or IP address
• Restrict documents to use within a company
Access Control Files
• .htaccess File Contents
AuthType Basic
AuthName dungeon
Order Deny,Allow
Deny from all
Allow from frii.net
• Note that all the usual auth filename directives need not be present
Allow Directive
• The allow directive affects which hosts can access an area of the server
• Access can be controlled by
– Hostname
– IP Address
– IP Address range
– Other characteristics of the client request
• Captured in environment variables
Allow Directive
• Allow the identified hosts
• Syntax
allow from all
allow from xtrsystems.com
allow from woody.xtrsystems.com
allow from 216.125.34.201
allow from 216.125.34.201/255.255.255.240
• The from is absolutely required
• all means anyone
• xtrsystems.com means all in that domain
• woody.xtrsystems.com means that particular host
• 216.125.34.201 means that IP address
• 216.125.34.201/255.255.255.240 means that IP address subnet
Deny Directive
• Deny the identified hosts
• Syntax
deny from all
deny from xtrsystems.com
deny from woody.xtrsystems.com
deny from 216.125.34.201
deny from 216.125.34.201/255.255.255.240
• The from is absolutely required
• all means anyone
• xtrsystems.com means all in that domain
• woody.xtrsystems.com means that particular host
• 216.125.34.201 means that IP address
• 216.125.34.201/255.255.255.240 means that IP address subnet
Combining Rules
• Consider the following directives
allow from woody.xtrsystems.com
deny from all
– Access is not permitted from any computer
– Access is permitted from woody.xtrsystems.com
• Hmmm, which directive takes precedence?
– The order directive settles this question
Order Directive
• Order directive controls
– Default access state
• All which is not permitted is proscribed
• All which is not proscribed is permitted
– Order in which deny & allow are evaluated
• Syntax
Order Deny,Allow
Order Allow,Deny
• Note that there are no spaces near the comma
Order Directive
Order Deny,Allow
• Access is allowed by default
• Client will be allowed access to the server
– If either test is true
• Does match an allow directive
or
• Does not match a deny directive
Order Deny,Allow
Allow from xtrsystems.com
Deny from all
• Allows xtrsystems.com
• Excludes all others
Order Directive
Order Allow,Deny
• Access is denied by default
• Client will be denied access to the server
– If either test is true
• Does not match an allow directive
or
• Does match a deny directive
Order Allow,Deny
Allow from xtrsystems.com
Deny from all
• Excludes everyone
Order Directive
Order Allow,Deny
• Access is denied by default
• Client will be denied access to the server
– If either test is true
• Does not match an allow directive
or
• Does match a deny directive
Order Allow,Deny
Allow from all
Deny from xtrsystems.com
• Excludes xtrsystems.com
• Allows all others
Combined User and Host
• .htaccess File Contents
AuthType Basic
AuthName secret
AuthUserFile /users/diverdi/.htpasswd
require valid-user
order deny,allow
deny from all
allow from xtrsystems.com
satisfy all
• Both tests must be true for access
– Valid username-password pair and
– In xtrsystems.com domain
Combined User or Host
• .htaccess File Contents
AuthType Basic
AuthName secret
AuthUserFile /users/diverdi/.htpasswd
require valid-user
order deny,allow
deny from all
allow from xtrsystems.com
satisfy any
• Either test being true is enough for access
– Valid username-password pair or
– In xtrsystems.com domain
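Added example (not the slides' own code): a Python evaluation of the Order, allow/deny and satisfy rules in the preceding slides, with the three Order cases shown above worked through for a client inside xtrsystems.com and for an outside client. The outside host and address are constructed, and the partial-IP form of allow/deny (e.g. "216.125.34") is not handled.

```python
# Added example (not the slides' own code): evaluate the Order / Allow /
# Deny and Satisfy rules above for one client. Values beyond the slides'
# are constructed; the partial-IP form (e.g. "216.125.34") is not handled.
import ipaddress

def host_matches(pattern, client_ip, client_host=None):
    """True if the client matches one 'allow/deny from' argument: all, a
    domain suffix, a hostname, an exact IP, or IP/netmask (IP/prefix)."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:                       # 216.125.34.201/255.255.255.240
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(client_ip)
    except ValueError:
        pass                                 # not an address: hostname pattern
    if client_host is None:                  # no reverse lookup: cannot match
        return False
    host, pat = client_host.lower(), pattern.lower()
    return host == pat or host.endswith("." + pat)

def host_allowed(order, allows, denies, client_ip, client_host=None):
    """Deny,Allow: allowed unless it matches a deny and no allow.
    Allow,Deny: denied unless it matches an allow and no deny."""
    in_allow = any(host_matches(p, client_ip, client_host) for p in allows)
    in_deny = any(host_matches(p, client_ip, client_host) for p in denies)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        return in_allow or not in_deny
    if order == "allow,deny":
        return not (not in_allow or in_deny)
    raise ValueError("unsupported Order: " + order)

def access_granted(satisfy, host_ok, user_ok):
    """Satisfy all: host test AND user test must pass; Satisfy any: either."""
    return (host_ok and user_ok) if satisfy.lower() == "all" else (host_ok or user_ok)

def slide_cases():
    """The three Order examples from the slides, each evaluated for a client
    inside xtrsystems.com and an outsider: returns (inside_ok, outside_ok)."""
    inside = ("216.125.34.201", "woody.xtrsystems.com")
    outside = ("203.0.113.9", "host.example.net")   # constructed outsider
    cases = [("Deny,Allow", ["xtrsystems.com"], ["all"]),
             ("Allow,Deny", ["xtrsystems.com"], ["all"]),
             ("Allow,Deny", ["all"], ["xtrsystems.com"])]
    return [(host_allowed(o, a, d, *inside), host_allowed(o, a, d, *outside))
            for o, a, d in cases]
```

Note that hostname patterns only work when the server has resolved the client's address to a name; with an address alone, only the all, IP and IP/netmask forms can match, which is why the code returns False for a hostname pattern when no client hostname is known.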
Restricting Access
• Anonymous Access
– By a supplied username-password pair
• Webmaster selected username
– "anonymous"
– "guest"
– none
• Webmaster selected password
– email address
– email address (validated)
– none
Anonymous Access
• .htaccess File Contents
AuthType Basic
AuthName dungeon
require valid-user
Anonymous anonymous guest
Anonymous_NoUserID off
Anonymous_MustGiveEmail on
Anonymous_VerifyEmail on
Anonymous_Authoritative on