Web Site Access Control with Apache
Fort Collins, CO

Copyright © XTR Systems, LLC

Web Site Access Control Using the Apache Web Server

Instructor: Joseph DiVerdi, Ph.D., M.B.A.


Restricting Access

• There are several ways of restricting access to documents on a Web site:
• User Authentication
  – By a supplied username-password pair
    • Restrict documents on an individual basis
• Host Authentication
  – By the client's hostname or IP address
    • Restrict documents to use within a company
• Anonymous Authentication
  – By a supplied email address


Restricting Access

• User Authentication
  – By a supplied username-password pair


Setting Up User Authentication

• Two steps:
  – Create a file containing the usernames & passwords
    • The user database file
      – Typically .htpasswd
  – Tell the server what resources are to be protected & which users are allowed to access them
    • The access control file
      – Required .htaccess


Example Directory


Protected Example Directory


Setting Up User Authentication

• First Step
  – Create User Database


User Database

• A list of users & passwords is placed in a file
• The file consists of username-password pairs
  – Username & password separated by a colon

    diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5

• Usernames are stored as plain text
• Passwords are stored as encrypted text
  – Same scheme used for Linux OS passwords
• File's name is Webmaster's choice
  – Most often .htpasswd


User Database

• .htpasswd File Contents

    diverdi:$1$z4vPLmm.$rsmBYUCSAdMu8VQr5
    student:$1$w52WGe/x$P2Gbl6PI64b4smgXk
    admin:$1$fxc/AJ.B$MJUSiGYeaOnrfYw3T
    instructor:$1$eO94BVjf$dt401B8ffXCe0BBGCp
    user:$1$rCzDxDR6$CWAWi7cjN0kfM


Creating the User Database

• Usernames & passwords cannot be simply typed into the database
  – The passwords are stored in an encrypted format
• The program htpasswd is used to create a user file & to add or modify users
  – htpasswd is a C program that is supplied with the Apache distribution
  – Automatically stores passwords in the necessary encrypted format


Creating the User Database

• Create a new file: /users/diverdi/.htpasswd
• Add the username: alice

    htpasswd -c /users/diverdi/.htpasswd alice

  – The -c argument means create new file
• Program asks for a password for username


Modifying the User Database

• More users can be added to an existing file
  – Use same command without the -c argument
• Add the username bob

    htpasswd /users/diverdi/.htpasswd bob


Setting Up User Authentication

• Second Step
  – Create Access Control File(s)


Access Control File

• Control is performed on per-directory basis
  – With a selected directory protected
    • And all its subdirectories!
• Control File is placed in the selected directory
  – Named .htaccess
  – You must use name selected by Site Admin
• Directives are placed in the file
  – Specify various controls


Special Side Note

• Apache configuration must be set up to permit User Authentication
  – Controlled by AuthConfig override directive
  – Controlled by Site Administrator or Webmaster

• Ask nicely & the Site Administrator will configure Apache appropriately

• Or just do it yourself


Access Control File Format

• .htaccess File Contents

    AuthType Basic
    AuthName dungeon
    AuthUserFile /users/diverdi/.htpasswd
    require valid-user


Access Control File Format

• AuthType directive tells the server what protocol is to be used for authentication

• Currently, Basic is the only method available

• Digest authentication will provide more security than the Basic authentication
  – Available on Server
  – Not yet widely supported on Browsers


Access Control File Format

• AuthName specifies a realm name
  – A realm is a container for a particular area
  – Several different controlled areas are created using different realms
  – Think of several different locked rooms
    • Some rooms are on the same key
    • Some rooms are on different keys
    • The realms determine which keys they are on


Access Control File Format

• AuthUserFile tells the server the location of the user database file
  – Required
• AuthGroupFile is a similar directive used to tell the server the location of a groups file
  – Not required


Access Control File Format

• The remaining directives permit fine access control using several different methods

• To permit access by any username in the user database the following directive is used:

    require valid-user


Access Control File Format

• .htaccess File Contents

    AuthType Basic
    AuthName "Secret Space"
    AuthUserFile /users/diverdi/.htpasswd
    require valid-user


Access Control File Format

• To permit access by particular username(s) in the user database the following directive is used:

    require user alice carol

• All other users are denied access to this realm
  – Even those with the correct password


Protected Directory


Multiple Directories


Protected Directories


Access Control File Format

• Sales .htaccess File Contents

    AuthType Basic
    AuthName SaleSpace
    AuthUserFile /users/diverdi/.htpasswd
    require user alice carol

• HR .htaccess File Contents

    AuthType Basic
    AuthName "Human Resources"
    AuthUserFile /users/diverdi/.htpasswd
    require user bob dave


Protected Directories


Problems...

• However, as the number of usernames grows
  – Maintenance becomes more tedious
  – Every time someone joins or leaves the organization
    • Modify some number of .htaccess files
    • require user user1 user2 ... user4358
• OK to administer organization of 25
  – With 10% per year turnover
• Not OK for 1000
• Yuck!


Using Groups

• Solution: use a group database


Using Groups

• The group usage is similar to standard Linux:
  – A user can be a member of any number of groups
• Various groups must be defined
  – Create a Group Database
• Access control file(s) must be adjusted
  – To point to Group Database
  – To permit group access


Setting Up Group Usage

• First Step
  – Create Group Database


Group Database

• A list of group names & users in a file
• The file consists of lines
  – Starting with a group name followed by
  – A space-separated list of users in that group

    sales: alice carol dave fiona
    HR: bob edward georgina henry

• All plain text
• File's name is Webmaster's choice
  – Most often .htgroup


Creating a Group Database

• Group names & usernames can be simply typed into the database
  – Everything is plain text
  – Use your favorite FTP editing tool

• Woo-Hoo!


Creating a Group Database


Group Database

• .htgroup File Contents

    sales: alice carol dave fiona
    HR: bob edward georgina henry

• Ensure that each username appears in the .htpasswd file
  – No error is flagged but users can't get in


Special Side Note

• The maximum line length in a group file is
  – 8,192 characters
• It takes a lot to get that many but it is possible
  – Average of ten characters per username
    • Limit of eight hundred per group
  – It is possible
• You can have the same group name on several different lines
  – Just use as many as necessary
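
The two group-file pitfalls described above (a group member missing from the user database is silently locked out, and a line may not exceed 8,192 characters) can be checked before deployment. The following is an added example, not part of the original slides; the function names and the sample file contents are constructed for illustration.

```python
MAX_LINE = 8192  # maximum group-file line length given on the slide

# Constructed sample files in the formats shown on the slides.
HTPASSWD = """\
alice:$1$constructed$placeholderhash0000001
bob:$1$constructed$placeholderhash0000002
carol:$1$constructed$placeholderhash0000003
dave:$1$constructed$placeholderhash0000004
"""
HTGROUP = """\
sales: alice carol dave fiona
HR: bob edward
HR: georgina henry
"""


def parse_htpasswd(text):
    """Return the set of usernames: the text before the first colon of each line."""
    users = set()
    for line in text.splitlines():
        name, sep, _ = line.strip().partition(":")
        if sep and name and not name.startswith("#"):
            users.add(name)
    return users


def parse_htgroup(text):
    """Return ({group: [members]}, [numbers of over-long lines]).

    A group name repeated on several lines is merged into one member list.
    """
    groups, too_long = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if len(line) > MAX_LINE:
            too_long.append(lineno)
        name, sep, members = line.strip().partition(":")
        if not sep or not name or name.startswith("#"):
            continue
        groups.setdefault(name.strip(), []).extend(members.split())
    return groups, too_long


def missing_members(groups, users):
    """Map each group to its members that have no entry in the user database."""
    report = {}
    for group, members in groups.items():
        absent = sorted(set(members) - users)
        if absent:
            report[group] = absent
    return report


if __name__ == "__main__":
    groups, too_long = parse_htgroup(HTGROUP)
    for group, absent in missing_members(groups, parse_htpasswd(HTPASSWD)).items():
        print(f"{group}: not in user database (cannot log in): {' '.join(absent)}")
    for lineno in too_long:
        print(f"line {lineno}: longer than {MAX_LINE} characters")
```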


Access Control File Format

• The AuthGroupFile directive is used to tell the server the location of the group file

    AuthType Basic
    AuthName salespace
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup


Access Control File

• To permit access to any user in the group sales the require directive is used:

    AuthType Basic
    AuthName salespace
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup
    require group sales


Using Groups

• Multiple groups can be identified
• require user can also be included
• Any match can access the realm

    AuthType Basic
    AuthName salespace
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup
    require group sales
    require user sales_manager

• Of course the user sales_manager must be defined in user database


Protection With Groups


Access Control File Format

• Sales .htaccess File Contents

    AuthType Basic
    AuthName salespace
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup
    require group sales

• HR .htaccess File Contents

    AuthType Basic
    AuthName "Human Resources"
    AuthUserFile /users/diverdi/.htpasswd
    AuthGroupFile /users/diverdi/.htgroup
    require group HR


Restricting Access

• Host Authentication
  – By the client's hostname or IP address
    • Restrict documents to use within a company


Access Control Files

• .htaccess File Contents

    AuthType Basic
    AuthName dungeon
    Order Deny,Allow
    Deny from all
    Allow from frii.net

• Note that all the usual auth filename directives need not be present


Allow Directive

• The allow directive affects which hosts can access an area of the server

• Access can be controlled by
  – Hostname
  – IP Address
  – IP Address range
  – Other characteristics of the client request
    • Captured in environment variables


Allow Directive

• Allow the identified hosts
• Syntax

    allow from all
    allow from xtrsystems.com
    allow from woody.xtrsystems.com
    allow from 216.125.34.201
    allow from 216.125.34.201/255.255.255.240

• The from is absolutely required
• all means anyone
• xtrsystems.com means all in that domain
• woody.xtrsystems.com means all in that domain
• 216.125.34.201 means that IP address
• 216.125.34.201/255.255.255.240 means that IP address subnet


Deny Directive

• Deny the identified hosts
• Syntax

    deny from all
    deny from xtrsystems.com
    deny from woody.xtrsystems.com
    deny from 216.125.34.201
    deny from 216.125.34.201/255.255.255.240

• The from is absolutely required
• all means anyone
• xtrsystems.com means all in that domain
• woody.xtrsystems.com means all in that domain
• 216.125.34.201 means that IP address
• 216.125.34.201/255.255.255.240 means that IP address subnet


Combining Rules

• Consider the following directives

    allow from woody.xtrsystems.com
    deny from all

  – Access is not permitted from any computer
  – Access is permitted from woody.xtrsystems.com
• Hmmm, which directive takes precedence?
  – The order directive settles this question


Order Directive

• Order directive controls
  – Default access state
    • All which is not permitted is proscribed
    • All which is not proscribed is permitted
  – Order in which deny & allow are evaluated
• Syntax

    Order Deny,Allow
    Order Allow,Deny

• Note that there are no spaces near comma


Order Directive

    Order Deny,Allow

• Access is allowed by default
• Client will be allowed access to the server
  – If either test is true
    • Does match an allow directive, or
    • Does not match a deny directive

    Order Deny,Allow
    Allow from xtrsystems.com
    Deny from all

• Allows xtrsystems.com
• Excludes all others


Order Directive

    Order Allow,Deny

• Access is denied by default
• Client will be denied access to the server
  – If either test is true
    • Does not match an allow directive, or
    • Does match a deny directive

    Order Allow,Deny
    Allow from xtrsystems.com
    Deny from all

• Excludes everyone


Order Directive

    Order Allow,Deny

• Access is denied by default
• Client will be denied access to the server
  – If either test is true
    • Does not match an allow directive, or
    • Does match a deny directive

    Order Allow,Deny
    Allow from all
    Deny from xtrsystems.com

• Excludes xtrsystems.com
• Allows all others


Access Control Files

• .htaccess File Contents

    AuthType Basic
    AuthName dungeon
    Order Deny,Allow
    Deny from all
    Allow from frii.net

• Note that all the usual auth filename directives need not be present


Combined User and Host

• .htaccess File Contents

    AuthType Basic
    AuthName secret
    AuthUserFile /users/diverdi/.htpasswd
    require valid-user
    order deny,allow
    deny from all
    allow from xtrsystems.com
    satisfy all

• Both tests must be true for access
  – Valid username-password pair and
  – In xtrsystems.com domain


Combined User or Host

• .htaccess File Contents

    AuthType Basic
    AuthName secret
    AuthUserFile /users/diverdi/.htpasswd
    require valid-user
    order deny,allow
    deny from all
    allow from xtrsystems.com
    satisfy any

• Either test must be true for access
  – Valid username-password pair or
  – In xtrsystems.com domain
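
The Order, Allow, Deny and Satisfy rules from the preceding slides, modelled as a small evaluator so a rule set can be checked against sample clients before it goes into an .htaccess file. This is an added example, not part of the original slides or of Apache itself; the function names and the two clients are constructed, and the hostname is assumed to be the one the server has already resolved for the client's IP address.

```python
import ipaddress


def host_matches(spec, hostname, ip):
    """True if one argument of 'allow from' / 'deny from' matches the client."""
    spec = spec.lower()
    if spec == "all":
        return True
    try:
        # Single IP address, or a network/netmask pair such as
        # 216.125.34.201/255.255.255.240 (host bits are masked off).
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not an address form: treat spec as a (partial) domain name
    hostname = hostname.lower()
    # Whole labels only: "xtrsystems.com" must not match "notxtrsystems.com".
    return hostname == spec or hostname.endswith("." + spec)


def host_allowed(order, allow, deny, hostname, ip):
    """Apply the Order rules described on the slides to one client."""
    allowed = any(host_matches(s, hostname, ip) for s in allow)
    denied = any(host_matches(s, hostname, ip) for s in deny)
    order = order.lower()
    if order == "deny,allow":    # allowed by default; an allow match wins
        return allowed or not denied
    if order == "allow,deny":    # denied by default; a deny match wins
        return allowed and not denied
    raise ValueError("Order must be Deny,Allow or Allow,Deny (no spaces)")


def access_granted(satisfy, host_ok, user_ok):
    """Combine the host test and the user test as 'satisfy all' / 'satisfy any'."""
    satisfy = satisfy.lower()
    if satisfy == "all":
        return host_ok and user_ok
    if satisfy == "any":
        return host_ok or user_ok
    raise ValueError("satisfy must be 'all' or 'any'")


# Constructed clients: (hostname as resolved by the server, IP address).
INSIDE = ("woody.xtrsystems.com", "216.125.34.201")
OUTSIDE = ("host.example.org", "192.0.2.10")

# The three rule sets from the Order Directive slides: (order, allow, deny).
RULESETS = {
    "deny_allow_domain": ("Deny,Allow", ["xtrsystems.com"], ["all"]),
    "allow_deny_domain": ("Allow,Deny", ["xtrsystems.com"], ["all"]),
    "allow_deny_all": ("Allow,Deny", ["all"], ["xtrsystems.com"]),
}


def evaluate_rulesets():
    """Return {rule set: (inside client allowed, outside client allowed)}."""
    return {
        name: (host_allowed(o, a, d, *INSIDE), host_allowed(o, a, d, *OUTSIDE))
        for name, (o, a, d) in RULESETS.items()
    }


if __name__ == "__main__":
    for name, (inside, outside) in evaluate_rulesets().items():
        print(f"{name:18} inside={inside} outside={outside}")
    # Outside client holding a valid password, under the two Satisfy settings.
    host_ok = host_allowed("deny,allow", ["xtrsystems.com"], ["all"], *OUTSIDE)
    for mode in ("all", "any"):
        print(f"satisfy {mode}: {access_granted(mode, host_ok, user_ok=True)}")
```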


Restricting Access

• Anonymous Access
  – By a supplied username-password pair
• Webmaster selected username
  – "anonymous"
  – "guest"
  – none
• Webmaster selected password
  – email address
  – email address (validated)
  – none


Anonymous Access

• .htaccess File Contents

    AuthType Basic
    AuthName dungeon
    require valid-user
    Anonymous anonymous guest
    Anonymous_NoUserID off
    Anonymous_MustGiveEmail on
    Anonymous_VerifyEmail on
    Anonymous_Authoritative on