httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: Start laughing already - securing files with Apache and Windows question
Date Fri, 23 Aug 2002 08:07:02 GMT
What didn't you understand about the tutorial on the Apache website? However, since I assume
you read it, I'll try to re-interpret it for you:

(1) You put the .htaccess file in the directory you want to protect
(2) In httpd.conf, you "AllowOverride AuthConfig" for that directory (you already did this)
(3) You create a password file (e.g. protdir.pwd) (you already did this)
(4) You put the password file anywhere you like EXCEPT inside the docroot

*** I think this might be what was confusing you. You can put the file anywhere at all - there
is no special place for it. However, you have made one big mistake which is to put it under
your docroot (D:/web). This won't stop it working but it is not very secure since it means
a browser can see it! Move it somewhere unbrowsable like D:/pwds.

(5) In the .htaccess file tell Apache where the password file is with "AuthUserFile D:/pwds/protdir.pwd"

** This is how Apache knows where to find it - and this is why it can be anywhere.

I don't know if you made any other mistakes because you didn't list the .htaccess file (it
contains directives which are very important too).

Rgds,

Owen Boyle

>-----Original Message-----
>From: Koen Vingerhoets [mailto:koen.vingerhoets@ubench.com]
>Sent: Thursday, 22 August 2002 18:11
>To: users@httpd.apache.org
>Subject: RE: Start laughing already - securing files with Apache and
>Windows question
>
>
>TFM should give some more I then, like this one:
>http://www.tek-tips.com/gfaqs.cfm/spid/65/sfid/1830
>
>Not that it works but I'll RTFM some more, maybe I just need 
>better glasses.
>Or someone that tells me what they want from me.
>
>Ok, let's try again.
>
>I have a .htaccess file in the Directory I want to protect.
>Let's assume d:\web\protdir
>
>I have a passfile, containing the pass and such.
>I have no clue where to place it, so I put it at d:\web\
>
>I have a httpd.conf like this
><<snip>>
>
><Directory "D:/web/protdir">
>AllowOverride AuthConfig
></Directory>
>
><VirtualHost xxx.xxx.xx.xx>
>ServerName ubtest01
>DocumentRoot d:\web
>ServerPath d:/web
></VirtualHost>
>
><</snip>>
>
>I have no problem accessing any file in the protdir
>Yes I restarted apache already.  I even saved all files before 
>doing so.
>
>I really wish someone can point to my most likely obvious 
>mistake which I
>can't find in the manual.
>
>Thanks.
>
>I'll try adding the <dir> in the <vhost> now.  Maybe that's it.
>
>Koen
>
>-----Original Message-----
>From: Boyle Owen [mailto:Owen.Boyle@swx.com]
>Sent: 22 August 2002 17:35
>To: users@httpd.apache.org; koen.vingerhoets@ubench.com
>Subject: RE: Start laughing already - securing files with Apache and
>Windows question
>
>
>TFM, which you should R is:
>http://httpd.apache.org/docs/howto/auth.html
>
>>-----Original Message-----
>>From: Koen Vingerhoets [mailto:koen.vingerhoets@ubench.com]
>>Sent: Thursday, 22 August 2002 17:27
>>To: users@httpd.apache.org
>>Subject: Start laughing already - securing files with Apache
>>and Windows
>>question
>>
>>
>>Hi,
>>
>>we run 3 win2k servers, one has Apache.
>>I just found out (my colleague never passed me the info) that our
>>administration files are available without authentication.
>>
>>I made a password file, but how do I have to use it to protect a
>>directory???
>>Instead of giving solutions, most sites just say: "If you have
>>windows, we
>>assume you don't need security." :(
>>
>>I hope someone can help me out...
>>
>>Thanks
>>
>>Kind regards,
>>
>>Koen Vingerhoets
>>
>>***** UBench nv *****
>>http://www.ubench.com
>>____________________________________________
>>The information contained in this electronic mail message is
>>privileged and
>>confidential,
>>and is intended only for use of the addressee. If you are not
>>the intended
>>recipient, you
>>are hereby notified that any disclosure,reproduction,
>>distribution or other
>>use of this
>>communication is strictly prohibited.
>>
>>If you have received this communication in error, please
>>notify the sender
>>by reply
>>transmission and delete the message without copying or disclosing it.
>>
>>
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP
>>Server Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
>>
>>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
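
Added example (not part of the original message, and not Apache project code): a small Python audit for the mistake described in step (4), flagging an AuthUserFile that resolves inside a DocumentRoot under Windows path rules. The function names and the sample .htaccess (including the AuthName value) are assumptions constructed for illustration, since the thread never lists the real file.

```python
import ntpath
import re

# Constructed inputs modelled on the thread; the poster never listed the real .htaccess.
HTTPD_CONF = r'''
<Directory "D:/web/protdir">
AllowOverride AuthConfig
</Directory>
<VirtualHost xxx.xxx.xx.xx>
DocumentRoot d:\web
</VirtualHost>
'''
HTACCESS_BAD = '''
AuthType Basic
AuthName "Administration"
AuthUserFile D:/web/protdir.pwd
Require valid-user
'''
HTACCESS_GOOD = HTACCESS_BAD.replace("D:/web/", "D:/pwds/")

# "Name argument" lines only; comment (#) and <Section> lines never match.
DIRECTIVE = re.compile(r'^\s*(\w+)\s+(.*?)\s*$')

def directives(text, name):
    """Arguments of every `name` directive (names are case-insensitive)."""
    found = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() == name.lower():
            found.append(m.group(2).strip('"'))
    return found

def is_under(path, root):
    """True if path lies inside root by Windows rules (case-insensitive, / same as \\)."""
    p = ntpath.normcase(ntpath.normpath(path))   # also collapses ".." segments
    r = ntpath.normcase(ntpath.normpath(root)).rstrip('\\')
    return p == r or p.startswith(r + '\\')

def audit(httpd_conf, htaccess):
    """Return findings for one .htaccess file; an empty list means it passed."""
    findings = [f"missing {d}" for d in ("AuthType", "AuthUserFile", "Require")
                if not directives(htaccess, d)]
    for pw in directives(htaccess, "AuthUserFile"):
        for root in directives(httpd_conf, "DocumentRoot"):
            if is_under(pw, root):
                findings.append(f"{pw} is inside DocumentRoot {root}")
    return findings

if __name__ == "__main__":
    for label, text in (("bad", HTACCESS_BAD), ("good", HTACCESS_GOOD)):
        print(label, audit(HTTPD_CONF, text) or "ok")
```

The comparison is done on normalised Windows paths, so D:/web and d:\web are treated as the same root while D:/website is not.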

