httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Protecting files in a directory
Date Sun, 26 Jan 2003 23:01:41 GMT

On Sun, 26 Jan 2003, Mystery Admin wrote:

> Put this in an .htaccess file in the directory you want to protect:
>
> [tom@linux stats]$ cat .htaccess
> AuthUserFile /path/to/dir/.htpasswd
> AuthGroupFile /dev/null
> AuthName "Restricted Area"
> AuthType Basic
>
> <Limit GET>
> require valid-user
> </Limit>
> [tom@linux stats]$

> Put this in your Apache config file:
>
>        <Directory "/path/to/dir">
>           AllowOverride         AuthConfig
>           Options None
>         </Directory>

Sorry, but this is really bad advice.  Please read the docs, rather than
repeating what you heard somewhere-or-other.

Problems include:

1. The lines <Limit GET> and </Limit> should NOT be there.  If you include
those lines, you will ALLOW other methods like PUT, POST, DELETE, etc.

2. The AuthUserFile should NOT be placed in a web accessible directory.
It should be placed somewhere that does not map into your webspace.

3. The AuthGroupFile line is unnecessary and should be omitted.

4. Using an .htaccess file is not necessary, and is, in fact, inefficient.
Simply place the directives in httpd.conf inside the appropriate
<Directory> section and restart apache.

(None of these things would stop the auth from working, but they will make
it inefficient and insecure.)

To sum up, if you want to protect the directory
/usr/local/apache/htdocs/private and the password file is located at
/usr/local/apache/passwd/passwords, then open your httpd.conf file and add
the following at the end:

<Directory /usr/local/apache/htdocs/private>
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
</Directory>

Then restart apache.

For more information, see
http://httpd.apache.org/docs/howto/auth.html
and
http://www.apacheweek.com/features/userauth

Joshua.
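The four problems Joshua lists can be checked mechanically before a config goes live. The script below is an added example, not part of the original thread or of the Apache project: it lints an httpd.conf fragment or .htaccess for a Require wrapped in <Limit>, an AuthUserFile that sits under DocumentRoot, a stray AuthGroupFile /dev/null, and a fragment with no Require at all. The two sample fragments are the ones quoted above, with a hypothetical DocumentRoot of /var/www/html for the first.

```python
"""Lint an Apache auth fragment for the mistakes discussed in the thread."""
import os
import re

# Constructed sample: the .htaccess quoted in the thread, with a hypothetical
# password-file path that sits inside the (hypothetical) DocumentRoot.
WEAK_HTACCESS = """\
AuthUserFile /var/www/html/stats/.htpasswd
AuthGroupFile /dev/null
AuthName "Restricted Area"
AuthType Basic

<Limit GET>
require valid-user
</Limit>
"""

# Constructed sample: the corrected httpd.conf block from the reply.
FIXED_CONF = """\
<Directory /usr/local/apache/htdocs/private>
AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user
</Directory>
"""


def lint_auth_config(text, document_root):
    """Return a list of (line_number, message) findings for an Apache auth
    fragment.  document_root is the DocumentRoot of the server the fragment
    belongs to; line 0 is used for findings that apply to the whole fragment."""
    findings = []
    in_limit = None          # methods named by the enclosing <Limit>, if any
    saw_require = False
    docroot = os.path.normpath(document_root)

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        # <Limit GET> ... </Limit> restricts the enclosed directives to the
        # listed methods only; <LimitExcept> is deliberately not matched here.
        m = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if m:
            in_limit = m.group(1).split()
            continue
        if re.match(r"</Limit>", line, re.I):
            in_limit = None
            continue

        parts = line.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""

        if directive == "require":
            saw_require = True
            if in_limit is not None:
                findings.append((lineno,
                    "Require is wrapped in <Limit %s>: every other method "
                    "(POST, PUT, DELETE, ...) is left unprotected; remove the "
                    "<Limit> block" % " ".join(in_limit)))
        elif directive == "authuserfile":
            path = os.path.normpath(arg)
            # Only absolute paths are compared; a relative AuthUserFile is
            # resolved against ServerRoot by httpd and is not checked here.
            if os.path.isabs(path) and \
                    os.path.commonpath([docroot, path]) == docroot:
                findings.append((lineno,
                    "AuthUserFile %s lives under DocumentRoot %s; move it "
                    "outside the webspace" % (path, docroot)))
        elif directive == "authgroupfile" and arg == "/dev/null":
            findings.append((lineno,
                "AuthGroupFile /dev/null is unnecessary; omit it"))

    if not saw_require:
        findings.append((0, "no Require directive: nothing is protected"))
    return findings


if __name__ == "__main__":
    for label, text, root in (("weak .htaccess", WEAK_HTACCESS, "/var/www/html"),
                              ("fixed httpd.conf", FIXED_CONF,
                               "/usr/local/apache/htdocs")):
        print("== %s ==" % label)
        for lineno, msg in lint_auth_config(text, root) or [(0, "ok")]:
            print("  line %d: %s" % (lineno, msg))
```

Run it as-is to see the three findings against the quoted .htaccess and none against the corrected block; point it at your own fragment and DocumentRoot to check a real config before restarting apache.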


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

