
RE: [cobalt-developers] .htaccess file not listed in directory



Thanks a lot for the info...gave me a good start.

Really appreciate it.
Will

------Original Message------
From: "Gilbert, Mark" <MGilbert@xxxxxxxxx>
To: "'cobalt-developers@xxxxxxxxxxxxxxx'" <cobalt-developers@xxxxxxxxxxxxxxx>
Sent: April 18, 2001 5:03:17 PM GMT
Subject: RE: [cobalt-developers] .htaccess file not listed in directory


Will:

These are instructions that I've compiled through my own tinkering and
reading.  This should provide you a good start with using .htaccess files to
secure a site.  Please don't take these as gospel though.  I've seen dozens
of different ways to implement .htaccess security - I've just found this
procedure to work for my applications:

Hope they help!


*********************************************
There are two main types of security that will be described here - security
for a virtual site, and security for a user under a virtual site.  There are
only a couple of differences between the two procedures, and these will be
discussed below.

For both procedures, you will make a modification to the access.conf file on
the box.  To do this:

1)	Telnet into the box as "admin"
2)	Perform a "su root" to change to the "root" account, and log in a
second time.
3)	Run "pico /etc/httpd/conf/access.conf".
4)	Scroll down to find the line that says "AllowOverride All", and
change it to "AllowOverride AuthConfig".
5)	Use Ctrl-X to exit the file, save your changes, and overwrite the
existing file.
6)	Restart the Apache web server (so that the changes take effect) with
the command "/etc/rc.d/init.d/httpd restart".

Both types of security require at least two files to be created on the box.
One is the ".htaccess" file (note the leading period).  This file is placed
in the directory that you want to secure.  Simply placing this file in the
directory will force all users visiting that part of the site for the first
time to authenticate.  If they supply a correct username and password, they
will be allowed to pass.  If they fail to supply a valid account three times
in a row, they will be sent to an Authentication Failure page.  This file is
typically created with the pico editor.

The second file can be named anything, but typically is called ".htpasswd"
(note the leading period).  This stores the usernames and associated
passwords (stored encrypted) that have access to the directory being
secured.  This file is typically created with a utility on the server -
/usr/sbin/htpasswd.  To create a new .htpasswd file, and add a user called
"granite" to it, run the following command:

prompt>/usr/sbin/htpasswd -c .htpasswd myusername

When you hit Enter, you will be prompted for the password (twice).  The "-c"
means create a new password file.  To add additional users to the same file,
run the same command, with the new user account, but drop the "-c" from the
command line.

 

The two types of security differ in the contents of the above two files,
where they need to be placed on the server, who owns them, and their file
permissions.  I will describe those now.


Virtual Sites
File: .htaccess
Location: directory to be secured
Owner: admin
File Permissions: 
Contents: 

AuthUserFile /home/sites/site1/webusers/.htpasswd
AuthName "My Secure Site"
AuthType Basic
<Limit GET>
require valid-user
</Limit>


File: .htpasswd
Location: Outside of the web root for the site.
Owner: admin


The "AuthUserFile" directive in the .htaccess file tells Apache where to
look for the password file.  In this example,
/home/sites/site1/webusers/.htpasswd.  The "webusers" and "web" folders are
assumed to be on the same level in the directory structure.



Virtual Site Users
File: .htaccess
Location: directory to be secured
Owner: User
File Permissions: 777
Contents: 

AuthName "My Secure Site"
Authtype Basic
AuthUserFile /home/sites/home/users/.htpasswd2
AuthPAM_Enabled off
require valid-user

File: .htpasswd
Location: In the directory above the user's home directory.
Owner: User

Note the addition of the AuthPAM_Enabled directive in the .htaccess file.
This is the critical difference from the virtual site method.
*********************************************


Mark E. Gilbert
Granite Solutions
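
The checks this procedure implies (password file outside the web root, no world-writable files, and what "<Limit GET>" covers), as an added shell example that is not part of the original message. The finding labels, function names and sample directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example. Finding labels and the sample layout are constructed.

# Print one finding per line for HTACCESS, given the site's DOCROOT.
htaccess_findings() {
    htaccess=$1
    docroot=$(cd "$2" && pwd -P) || return 2
    # Path named by AuthUserFile (last one wins, quotes stripped).
    pwfile=$(awk 'tolower($1) == "authuserfile" { p = $2 }
                  END { gsub(/"/, "", p); print p }' "$htaccess")
    if [ -z "$pwfile" ]; then
        echo NO_AUTHUSERFILE
    elif [ ! -f "$pwfile" ]; then
        echo PWFILE_MISSING
    else
        pwdir=$(cd "$(dirname "$pwfile")" && pwd -P)
        # A password file under the web root can be served like any other file.
        case "$pwdir/" in "$docroot"/*) echo PWFILE_IN_DOCROOT ;; esac
        # World-writable password file: any local account can add users.
        [ -n "$(find "$pwfile" -prune -perm -0002)" ] && echo PWFILE_WORLD_WRITABLE
    fi
    # World-writable .htaccess (mode 777): any local account can edit the rule.
    [ -n "$(find "$htaccess" -prune -perm -0002)" ] && echo HTACCESS_WORLD_WRITABLE
    # Apache applies directives inside <Limit GET> to the listed methods only.
    grep -Eiq '^[[:space:]]*<Limit[[:space:]]' "$htaccess" && echo LIMIT_SCOPED_TO_METHODS
    return 0
}

# Constructed sample: <Limit GET> block plus the 777 mode from the message.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/web/private" "$d/webusers"
    echo 'granite:CONSTRUCTED-HASH' > "$d/webusers/.htpasswd"
    chmod 644 "$d/webusers/.htpasswd"
    cat > "$d/web/private/.htaccess" <<EOF
AuthUserFile $d/webusers/.htpasswd
AuthName "My Secure Site"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
EOF
    chmod 777 "$d/web/private/.htaccess"
    echo "$d"
}

s=$(make_sample)
htaccess_findings "$s/web/private/.htaccess" "$s/web"
rm -rf "$s"
```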




> -----Original Message-----
> From: Will W [mailto:will911@xxxxxxxxx]
> Sent: Wednesday, April 18, 2001 12:29 PM
> To: cobalt-developers@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-developers] .htaccess file not listed in directory
> 
> 
> I am having real trouble securing a directory using 
> .htaccess, can I ask a huge favor by asking you what your 
> conf files look like because I've tried all different 
> variations and nothing seems to work. I am using the latest 
> version of Apache. Also could you tell me what you had to put 
> in the .htaccess files to make things work.
> 
> Thanks in advance.
> Will
> 
> ------Original Message------
> From: "flash" <bop@xxxxxxxxx>
> To: cobalt-developers@xxxxxxxxxxxxxxx
> Sent: April 18, 2001 12:33:37 PM GMT
> Subject: Re: [cobalt-developers] .htaccess file not listed in directory
> 
> 
> ls -al  (in telnet)
> 
> you can execute custom commands in cutftp
> you will have to read the doc's for the commands tho.
> 
> ----- Original Message -----
> From: "Dico Reyers" <dico@xxxxxxxxxxxxxxxx>
> To: <cobalt-developers@xxxxxxxxxxxxxxx>
> Sent: Wednesday, April 18, 2001 12:12 AM
> Subject: [cobalt-developers] .htaccess file not listed in directory
> 
> 
> > Hi there,
> >
> > I just secured a directory by placing a .htaccess file in it and creating a
> > password file... however when I ftp in, I can't see the .htaccess file or
> > .htpasswd file listed.  Also, I can't see either by telnetting in.  Is there
> > a way I can view these files?
> >
> > If I delete the directory, will it delete both these files?
> >
> > Thanks in advance,
> >
> > -dr
> >
> > _______________________________________________
> > cobalt-developers mailing list
> > cobalt-developers@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-developers