httpd-users mailing list archives

From Res <...@ausics.net>
Subject Re: [users@httpd] .htaccess advice
Date Wed, 09 Jul 2008 00:50:35 GMT
On Mon, 7 Jul 2008, Rob wrote:

> Just wanted to ask you if this looks right before I actually post it live on
> the production server.
>
> This is what the Directory Part of the conf file looks like.
>
> # Security Over PHPmyAdmin
> <Directory "/var/www/html/phpmyadmin">
> Options Indexes Includes FollowSymLinks
> AllowOverride None
> AuthName "Login"
> AuthType Basic
> AuthUserFile /var/.htpasswd
> require valid-user
> </Directory>
>
> <Directory />
>    Options FollowSymLinks
>    AllowOverride All
> </Directory>
>
> I will change it to this:
>
> # Security Over PHPmyAdmin
> <Directory "/var/www/html/phpmyadmin">
> Options Indexes Includes FollowSymLinks
> AllowOverride None
> AuthName "Login"
> AuthType Basic
> AuthUserFile /var/.htpasswd
> require valid-user
> </Directory>
>
> <Directory />
>    Options FollowSymLinks
>   AllowOverride None
>   Order Deny,Allow
>   Deny from all
> </Directory>
>
> <Directory "/var/www/mysite">
>   AllowOverride None
>   Order Deny,Allow
>   Allow from 127.0.0.1
> </Directory>
>
> Is this all right? Do I have to change anything else? I have other sites
> on here which I don't want blocked, just that one site in that directory. My
> Virtual Hosts look like this if it matters:
>
> #mysite
> <VirtualHost 172.16.23.1:80>
> ServerName mysite.co.nz
> RewriteEngine on
> RewriteCond %{HTTP_HOST}   !^$
> RewriteRule ^/(.*)         http://www.mysite.co.nz/$1 [NE,R]
> </VirtualHost>
>
> <VirtualHost 172.16.23.1:80>
>    ServerAdmin developer@mysite.co.nz
>    DocumentRoot /var/www/html/mysite
>    ServerName www.mysite.co.nz
> </VirtualHost>


OK, since, to keep the server secure, you default to 'deny all', when you 
use other vhosts you need to implicitly give them an allow.
What I've done to dramatically reduce the size of my vhosts.conf files is 
this: /var/www is our overall web root, so because I've set "/" as deny all 
I have set:

<Directory "/var/www">
     AllowOverride None
     Order Deny,Allow
     Allow from all
</Directory>

NOTE: You also need to do the same for the ERROR alias...

<Directory "/usr/local/apache/error">
     Order deny,allow
     Allow from all
...other options

So general hosts are unrestricted.... Adding that in httpd.conf will ensure 
it...

But vhost restrictions will of course override it, so they will get all 
sites, but when they hit your

  <Directory "/var/www/mysite">
    AllowOverride None
    Order Deny,Allow
    Allow from 127.0.0.1
  </Directory>

no-one but localhost will get it... and... when they hit phpMyAdmin, it 
will want a user/pass from AuthUserFile /var/.htpasswd, but you don't want 
that? So all you do is add in the IPs you want to permit, separated by a 
single space. I'm not sure of the limit on this; when we ran the old 
phpbb2 (the one any 10yo knows how to abuse) we had an extensive list of 
ranges, allowing only APNIC IP ranges to access it. Since our phpMyAdmins 
are accessed by a myriad of people, I use a MySQL database with user/pass 
access, much less hassle <G>

> Also, is it possible to choose where the blocked people go? At the moment
> they load the Fedora test page; I would like to inform them with a message
> why they aren't seeing the site properly.

Sure is, you can do this in the respective protected directory statements;
use...
       ErrorDocument 401 /error/reject-site.com.html
(You can call it anything you want, but if you add a few I suggest you give 
them simple linked names so you don't confuse them with Apache's required 
error files if you're looking in a hurry.)


-- 
Cheers
Res
 	--- Usenet policy, and why I might ignore you ---
1/ GoogleGroups are UDP'd on my nntp server. If you use them, don't
    waste your time or energy replying to me.

2/ If only cleanfeed filtered out trolls as well as spam, usenet would be
    a nicer place.
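The following httpd.conf fragment is an added example, not configuration from either poster; it shows how the pieces discussed in this thread fit together using the Apache 2.2 Order/Allow/Deny syntax the thread uses. The directory paths, the /error/ Alias target and the sample addresses (192.0.2.10, 198.51.100.0/24) are placeholders to adjust for your server. Two things are spelled out that the thread leaves implicit: the locked-down site carries its own `Deny from all`, so the restriction does not depend on what is inherited from the `/` section, and a visitor refused by IP receives a 403 rather than a 401, so the "why can't I see the site" page for that case is attached to `ErrorDocument 403`.

```apache
# Added example: default-deny server layout with per-directory exceptions.
# Paths, IPs and hostnames below are placeholders.

# 1. Deny everything at the filesystem root.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

# 2. Re-open the overall web root so ordinary vhosts keep working.
<Directory "/var/www">
    AllowOverride None
    Order Deny,Allow
    Allow from all
</Directory>

# 3. The error-document directory needs the same treatment, otherwise the
#    custom error pages are themselves denied and the browser sees only a
#    bare 403/401. The Alias target is an assumption (stock location).
Alias /error/ "/usr/local/apache/error/"
<Directory "/usr/local/apache/error">
    AllowOverride None
    Order Deny,Allow
    Allow from all
</Directory>

# 4. The one site to lock down: localhost plus a space-separated list of
#    permitted addresses and ranges. "Deny from all" is explicit here so the
#    result does not rely on inheritance from the "/" section.
<Directory "/var/www/mysite">
    AllowOverride None
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.10 198.51.100.0/24
    # Visitors refused by IP get a 403, not a 401; explain it to them.
    ErrorDocument 403 /error/reject-mysite.html
</Directory>

# 5. phpMyAdmin stays behind HTTP Basic auth; failed logins get a 401 page.
<Directory "/var/www/html/phpmyadmin">
    Options FollowSymLinks
    AllowOverride None
    AuthType Basic
    AuthName "Login"
    AuthUserFile /var/.htpasswd
    Require valid-user
    ErrorDocument 401 /error/reject-phpmyadmin.html
</Directory>
```

Run `apachectl configtest` before reloading, and then confirm the behaviour from both sides: a request for the locked-down site from a listed address should return the page, while one from any other address should return 403 with the reject-mysite.html body rather than the distribution's test page. If the custom page does not appear, the usual cause is step 3 being missing, since the error directory inherits the root deny.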

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.