Andrew Hudson - Fedora™ Unleashed, 2008 edition

Allowing individual users to put web content on your server poses several important security risks. If you're operating a web server on the Internet rather than on a private network, you should read the WWW Security FAQ at http://www.w3.org/Security/Faq/ www-security-faq.html.

One of the simplest ways to limit access to website material is to restrict access to a specific group of users, based on IP addresses or hostnames. Apache uses the allowand denydirectives to accomplish this.

Both directives take an address expression as a parameter. The following list provides the possible values and use of the address expression:

► allcan be used to affect all hosts.

► A hostname or domain name, which can either be a partially or a fully qualified domain name; for example, test.gnulix.orgor gnulix.org.

► An IP address, which can be either full or partial; for example, 212.85.67or 212.85.67.66.

► A network/netmask pair, such as 212.85.67.0/255.255.255.0.

► A network address specified in classless inter-domain routing (CIDR) format; for example, 212.85.67.0/24. This is the CIDR notation for the same network and netmask that were used in the previous example.

If you have the choice, it's preferable to base your access control on IP addresses rather than hostnames. Doing so results in faster performance because no name lookup is necessary — the IP address of the client is included with each request.

You also can use allowand denyto provide or deny access to website material based on the presence or absence of a specific environment variable. For example, the following statement denies access to a request with a context that contains an environment variable named NOACCESS:

deny from env=NOACCESS

The default behavior of Apache is to apply all the denydirectives first and then check the allowdirectives. If you want to change this order, you can use the orderstatement. Apache might interpret the preceding statement in three different ways:

► Order deny,allow— The denydirectives are evaluated before the allowdirectives. If a host isn't specifically denied access, it is allowed to access the resource. This is the default ordering if nothing else is specified.

► Order allow,deny— All allowdirectives are evaluated before denydirectives. If a host isn't specifically allowed access, it is denied access to the resource.

► Order mutual-failure— Only hosts that are specified in an allowdirective and at the same time do not appear in a denydirective are allowed access. If a host doesn't appear in either directive, it is not granted access.

Consider this example. Suppose that you want to allow only persons from within your own domain to access the server-statusresource on your web. If your domain were named gnulix.org, you could add these lines to your configuration file:

SetHandler server-status

Order deny,allow

Deny from all

Allow from gnulix.org

Authentication is the process of ensuring that visitors really are who they claim to be. You can configure Apache to allow access to specific areas of web content only to clients who can authenticate their identities. There are several methods of authentication in Apache; Basic Authentication is the most common (and the method discussed in this chapter).

Under Basic Authentication, Apache requires a user to supply a username and a password to access the protected resources. Apache then verifies that the user is allowed to access the resource in question. If the username is acceptable, Apache verifies the password. If the password also checks out, the user is authorized and Apache serves the request.

HTTP is a stateless protocol; each request sent to the server and each response is handled individually, and not in an intelligent fashion. Therefore, the authentication information must be included with each request. That means each request to a password-protected area is larger and therefore somewhat slower. To avoid unnecessary system use and delays, protect only those areas of your website that absolutely need protection.

To use Basic Authentication, you need a file that lists which users are allowed to access the resources. This file is composed of a plain text list containing name and password pairs. It looks very much like the /etc/passwduser file of your Linux system.

Don't use /etc/passwdas a user list for authentication. When you're using Basic Authentication, passwords and usernames are sent as base 64-encoded text from the client to the server — which is just as readable as plain text. The username and pass word are included in each request that is sent to the server. So anyone who might be snooping on Net traffic would be able to get this information!

To create a user file for Apache, use the htpasswdcommand. This is included with the Apache package. If you installed with the RPMs, it is in /usr/bin. Running htpasswdwithout any options produces the following output:

Usage:

htpasswd [-cmdps] passwordfile username

htpasswd -b[cmdps] passwordfile username password

htpasswd -n[mdps] username

htpasswd -nb[mdps] username password

-c Create a new file.

-n Don't update file; display results on stdout.

-m Force MD5 encryption of the password.

-d Force CRYPT encryption of the password (default).

-p Do not encrypt the password (plaintext).

-s Force SHA encryption of the password.

-b Use the password from the command line rather than prompting for it.

-D Delete the specified user.

On Windows, TPF, and NetWare systems, the '-m' flag is used by default.

On all other systems, the '-p' flag will probably not work.

As you can see, it isn't a very difficult command to use. For example, to create a new user file named gnulixuserswith a user named wsb, you need to do something like this:

# htpasswd -c gnulixusers wsb

You would then be prompted for a password for the user. To add more users, you would repeat the same procedure, only omitting the -cflag.

You can also create user group files. The format of these files is similar to that of /etc/groups. On each line, enter the group name, followed by a colon, and then list all users, with each user separated by spaces. For example, an entry in a user group file might look like this:

gnulixusers: wsb pgj jp ajje nadia rkr hak

Now that you know how to create a user file, it's time to look at how Apache might use this to protect web resources.

To point Apache to the user file, use the AuthUserFiledirective. AuthUserFiletakes the file path to the user file as its parameter. If the file path isn't absolute—that is, beginning with a / — it's assumed that the path is relative to the ServerRoot. Using the AuthGroupFiledirective, you can specify a group file in the same manner.

Next, use the AuthTypedirective to set the type of authentication to be used for this resource. Here, the type is set to Basic.