httpd-users mailing list archives

From Vicki Brown <...@cfcl.com>
Subject [users@httpd] Securing Apache at the top, can htaccess override that?
Date Fri, 05 Nov 2004 15:20:45 GMT
htaccess files AllowOverride.  Is it possible to make a sub area of a site
_less_ secure than Apache authentication makes the "entire" site?  Is it
possible to prevent this?

I work for a company that has two Virtual Hosts that form the Intranet:

	https://int.company.com is available ONLY inside the firewall

	https://private.company.com is available both inside and outside the firewall,
	    External access requires login with password

	Most of the Corporate Intranet content is currently on private.

	There is also a Wiki in-house (specifically TWiki). It resides, currently, on int. As int and private are actually two of several virtual hosts on the same physical server, that's a minor distinction at best.

The Powers That Be are planning a move of much of the Intranet content to the
Wiki. I asked if the Wiki could thus be "placed" under private in order to
make it available outside the firewall (with login and password, of course; I
would think that comes without saying due to the way private is configured).

The Sys Admin is against this idea, saying:
>private.company.com is relatively easy to "secure", as authentication
>to it is handled at the top level. Twiki on the other hand uses a series
>of embedded htaccess files. Which means that a mistake made in setting
>up a web could very easily open up confidential information to the world
>at large.

The Sys Admin says the Company is using a .htaccess file at the DocumentRoot
to secure the site. In theory, any portion of the site could be opened for
lower security if someone with access to the server added another .htaccess
file further down the tree. Yipes!

What is desirable is a server that shows itself outside the firewall with
password access and where no lower directories in the tree can possibly have
more open security than the tree as a whole (the main page).

Can we do this in Apache? Or would we need to run the site out of CGI or
something else that handles all page authentications for us??
-- 
Vicki Brown     ZZZ                Journeyman Sourceror:
SF Bay Area, CA    zz  |\     _,,,---,,_      Scripts & Philtres
http://www.cfcl.com zz /,`.-'`'    -.  ;-;;,_Code, Doc, Process, QA
http://cfcl.com/vlb   |,4-  ) )-,_. ,\ ( `'-'Perl, Unix, Mac OS X, WWW
____________________ '---''(_/--'  `-'\_)  ___________________________
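
Added example, not part of the original message and not Apache project code: a Python audit that walks a document tree and reports every .htaccess file containing a directive that can make a directory more open than its parent. The directive list, the function names and the sample tree are assumptions made for illustration; with `AllowOverride None` in the server configuration Apache ignores .htaccess files entirely, so a clean report is a check, not the control.

```python
import os
import re
import tempfile

# Directives that can loosen access below a protected parent directory.
# Assumed list for illustration, not an exhaustive catalogue.
LOOSENING = [
    re.compile(r"^\s*Satisfy\s+Any\b", re.I),
    re.compile(r"^\s*Allow\s+from\s+all\b", re.I),
    re.compile(r"^\s*Require\s+all\s+granted\b", re.I),
]

def scan_htaccess(text):
    """Return (line_number, directive) pairs for loosening directives."""
    hits = []
    for num, line in enumerate(text.splitlines(), start=1):
        # Patterns are anchored at line start, so commented lines never match.
        if any(p.search(line) for p in LOOSENING):
            hits.append((num, line.strip()))
    return hits

def audit_tree(docroot):
    """Walk docroot; map each relative .htaccess path to its findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_htaccess(fh.read())
        if hits:
            findings[os.path.relpath(path, docroot)] = hits
    return findings

def build_sample_tree(root):
    """Constructed sample: password at the top, one subdirectory opened up."""
    top = 'AuthType Basic\nAuthName "Intranet"\nRequire valid-user\n'
    sub = "# wiki web set up by hand\nSatisfy Any\nAllow from all\n"
    os.makedirs(os.path.join(root, "twiki", "pub"))
    for rel, body in ((".htaccess", top), ("twiki/pub/.htaccess", sub)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, hits in audit_tree(root).items():
            for num, directive in hits:
                print(f"{rel}:{num}: {directive}")
```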

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

