Now you need to decide to which realm the resource belongs. Realms are used to group different resources that share the same users for authorization. A realm can consist of just about any string. The realm is shown in the Authentication dialog box on the user's web browser. Therefore, you should set the realm string to something informative. The realm is defined with the AuthName directive.
Finally, state which type of user is authorized to use the resource. You do this with the require directive. The three ways to use this directive are as follows:
► If you specify valid-user as an option, any user in the user file is allowed to access the resource (that is, provided she also enters the correct password).
► You can specify a list of users who are allowed access with the users option.
► You can specify a list of groups with the group option. Entries in the group list, as well as the user list, are separated by a space.
Returning to the server-status example you saw earlier, instead of letting users access the server-status resource based on hostname, you can require the users to be authenticated to access the resource. You can do so with the following entry in the configuration file:
<Location /server-status>
SetHandler server-status
AuthType Basic
AuthName "Server status"
AuthUserFile "gnulixusers"
Require valid-user
</Location>
Final Words on Access Control
If you have host-based as well as user-based access protection on a resource, the default behavior of Apache is to require the requester to satisfy both controls. But assume that you want to mix host-based and user-based protection and allow access to a resource if either method succeeds. You can do so by using the satisfy directive. You can set the satisfy directive to All (this is the default) or Any. When set to All, all access control methods must be satisfied before the resource is served. If satisfy is set to Any, the resource is served if any access condition is met.
Here's another access control example, again using the previous server-status example. This time, you combine access methods so that all users from the Gnulix domain are allowed access and those from outside the domain must identify themselves before gaining access. You can do so with the following:
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from gnulix.org
AuthType Basic
AuthName "Server status"
AuthUserFile "gnulixusers"
Require valid-user
Satisfy Any
</Location>
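The effect of the block above on individual requests can be traced with a small model of the decision. The following Python is an added example, not Apache's code and not part of the original chapter; the function names, the CFG dictionary, and the user "alice" are constructed for illustration, and the 401/403 distinction is an assumption based on Apache 2.2 behavior.

```python
# Added example: simplified model of how Apache combines host-based and
# user-based checks. Not Apache's code; all names here are constructed.

def host_matches(spec, client_host):
    """'Allow from gnulix.org' matches the domain itself or any host under it,
    on whole-label boundaries, so 'notgnulix.org' does not match."""
    spec, client_host = spec.lower(), client_host.lower()
    if spec == "all":
        return True
    return client_host == spec or client_host.endswith("." + spec)

def host_allowed(cfg, client_host):
    """Order deny,allow: Allow overrides Deny, and the default is to allow.
    Order allow,deny: Deny overrides Allow, and the default is to deny."""
    allowed = any(host_matches(s, client_host) for s in cfg["allow"])
    denied = any(host_matches(s, client_host) for s in cfg["deny"])
    if cfg["order"] == "deny,allow":
        return allowed or not denied
    return allowed and not denied

def decide(cfg, client_host, user=None):
    """Return the HTTP status for a request. `user` is a name whose password
    was already verified against the AuthUserFile, or None."""
    host_ok = host_allowed(cfg, client_host)
    user_ok = user is not None and user in cfg["valid_users"]  # Require valid-user
    if cfg["satisfy"].lower() == "any":
        granted = host_ok or user_ok
    else:  # "all", the default
        granted = host_ok and user_ok
    if granted:
        return 200
    # With Satisfy All, a host failure is final (403); otherwise the browser
    # is challenged for credentials (401).
    if cfg["satisfy"].lower() == "all" and not host_ok:
        return 403
    return 401

# Constructed stand-in for the server-status block; "alice" represents an
# entry in the gnulixusers file.
CFG = {"order": "deny,allow", "deny": ["all"], "allow": ["gnulix.org"],
       "valid_users": {"alice"}, "satisfy": "Any"}

if __name__ == "__main__":
    for host, user in [("www.gnulix.org", None), ("host.example.com", None),
                       ("host.example.com", "alice"), ("notgnulix.org", None)]:
        print(host, user, decide(CFG, host, user))
```

With "satisfy" changed to "All" in CFG, the authenticated request from host.example.com is refused, because the host check must then pass as well.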
There are more ways to protect material on your web server, but the methods discussed here should get you started and are probably more than adequate for most circumstances. Look to Apache's online documentation for more examples of how to secure areas of your site.
The Apache core does relatively little; Apache gains its functionality from modules. Each module solves a well-defined problem by adding necessary features. By adding or removing modules to supply the functionality you want Apache to have, you can tailor the Apache server to suit your exact needs.
Nearly 50 core modules are included with the basic Apache server. Many more are available from other developers. The Apache Module Registry is a repository for add-on modules for Apache, and it can be found at http://modules.apache.org/. The modules are listed in the modules directory under /etc/httpd/, but that directory is a link to the /usr/lib/httpd/modules directory, where the modules reside (your list might look different):
mod_access.so mod_cern_meta.so mod_log_config.so mod_setenvif.so
mod_actions.so mod_cgi.so mod_mime_magic.so mod_speling.so
mod_alias.so mod_dav_fs.so mod_mime.so mod_ssl.so
mod_asis.so mod_dav.so mod_negotiation.so mod_status.so
mod_auth_anon.so mod_dir.so mod_perl.so mod_suexec.so
mod_auth_dbm.so mod_env.so mod_proxy_connect.so mod_unique_id.so
mod_auth_digest.so mod_expires.so mod_proxy_ftp.so mod_userdir.so
mod_auth_mysql.so mod_headers.so mod_proxy_http.so mod_usertrack.so
mod_auth_pgsql.so mod_imap.so mod_proxy.so mod_vhost_alias.so
mod_auth.so mod_include.so mod_python.so mod_autoindex.so
mod_info.so mod_rewrite.so
Each module adds new directives that can be used in your configuration files. As you might guess, there are far too many extra commands, switches, and options to describe them all in this chapter. The following sections briefly describe a subset of those modules available with Fedora's Apache installation.
mod_access
mod_access controls access to areas on your web server based on IP addresses, hostnames, or environment variables. For example, you might want to allow anyone from within your own domain to access certain areas of your web. Refer to the "File System Authentication and Access Control" section earlier in this chapter for more information.
mod_alias
mod_alias manipulates the URLs of incoming HTTP requests, such as when redirecting a client request to another URL. It also can map a part of the file system into your web hierarchy. For example,
Alias /images/ /home/wsb/graphics/
fetches contents from the /home/wsb/graphics directory for any URL that starts with /images/. This is done without the client knowing anything about it. If you use a redirection, the client is instructed to go to another URL to find the requested content. More advanced URL manipulation can be accomplished with mod_rewrite.
mod_asis
mod_asis is used to specify, in fine detail, all the information to be included in a response. This completely bypasses any headers Apache might have otherwise added to the response. All files with an .asis extension are sent straight to the client without any changes.
As a short example of the use of mod_asis, assume that you've moved content from one location to another on your site. Now you must inform people who try to access this resource that it has moved, as well as automatically redirect them to the new location. To provide this information and redirection, you can add the following code to a file with an .asis extension:
Status: 301 No more old stuff!
Location: http://gnulix.org/newstuff/
Content-type: text/html

<html>
<body>
<p>We've moved the old stuff and now you'll find it at:
<a href="http://gnulix.org/newstuff/">New stuff!</a>.</p>
</body>
</html>
mod_auth
mod_auth uses a simple user authentication scheme, referred to as Basic Authentication, which is based on storing usernames and encrypted passwords in a text file. This file looks very much like Unix's /etc/passwd file and is created with the htpasswd command. Refer to the "File System Authentication and Access Control" section earlier in this chapter for more information about this subject.
mod_auth_anon
The mod_auth_anon module provides anonymous authentication similar to that of anonymous FTP. The module enables you to define user IDs of those who are to be handled as guest users. When such a user tries to log on, he is prompted to enter his email address as his password. You can have Apache check the password to ensure that it's a (more or less) proper email address. Basically, it ensures that the password contains an @ character and at least one . character.