Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access control and user management in Apache 1WUCM1.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Access control and user management in Apache 1WUCM1."— Presentation transcript:

1 Access control and user management in Apache 1WUCM1

2 Apache access control Include appropriate module: – mod_auth for basic authentication – mod_digest for digest authentication – mod_authz_host for access control by host Access control can be: – Site wide usually set up in the httpd.conf file – Per directory – often using an "access control file" Unix:.htaccess Windows: htaccess.hta – Access control files need to be protected themselves, especially when used per directory WUCM12

3 Access control policy Access control needs designing – What should go in the httpd.conf file site-wide? What do you want to be mandatory and not permit users to change? – For per directory controls: who can control access to their own bit? who can add/remove/manage users? who can overrule site-wide structures? – Beware a proliferation of userIDs/passwords WUCM13

4 Access by user Access control usually on a "per directory" basis Need to be able to override site-wide control Configured on a "realm" basis htaccess.hta file might be: WUCM14 AuthName "RogerSecrets" AuthType Basic AuthUserFile "N:/WebRoot/Users/users.pwd" require valid-user

5 Require option Require can be general or specific: – require valid-user – require user martin jane Users can be grouped Need a group file – plain text – staff: martin jane You can require a specific group of users, e.g. – require group staff WUCM15

6 Access by host 1 Restrict access by host using allow and deny The order directive specifies which rule to apply first: – Order allow,deny When you want to let most hosts in but keep a few out – Order deny,allow When you want to keep most hosts out and let a few in – Order mutual-failure When you want to let in only those on the allow list and who are not on the deny list – not very common! WUCM16

7 Access by host 2 Example: setup so access to directory admin can be from your office PC or home PC (assume fixed IP) WUCM17 Order deny,allow Deny from all Allow from 148.192.255.5 155.6.122.9

8 Mixing access controls User access control and host access control can be applied to the same site/directory Satisfy directive tells Apache how to mix the rules: – satisfy any either host or user (id/password) valid – satisfy all must be valid user and from a permitted host WUCM18

9 User management Need a database of user name/password pairs A flat file is easy for small numbers of users For larger user bases, use a proper database Apache has a password utility htpasswd that builds a simple flat file WUCM19

10 htpasswd htpasswd has three (or 4) parameters: – flags (e.g. -c to create file from scratch) – password file – user to add – optional: the password - but not hidden e.g. htpasswd -c n:\WebRoot\Users\user.pwd roger If you don't specify password, it will prompt you for it Windows version uses MD5 encryption by default WUCM110

11 htpasswd: examples of use WUCM111

12 Anonymous access Needs module mod_auth_anon Permits access via a "guest" user id with a password of user's email address You should publish a privacy policy in respect of your use of these emails WUCM112

13 Example WUCM113 Anonymous guest anonymous guestuser Anonymous_MustGiveEmail on Anonymous_LogEmail on Anonymous_VerifyEmail on Anonymous_NoUserId off Require valid-user

14 Search engine spider control (1) "Robots" or "spiders" are automated clients used to traverse websites Most used to gather information for search engines e.g. Google Reasons to keep spiders out (of all or part of site): – It is incomplete – It is private – It is time sensitive (i.e. the contents will be rapidly out of date) – It is dynamically generated – Bad spiders may hit too fast and block user access WUCM114

15 Search engine spider control (2) Most spiders/robots will voluntarily adhere to your robot policies Bad spiders will ignore it so it is not a guarantee of protection A file robots.txt in the DocumentRoot directory (e.g. htdocs) controls robot behaviour See http://www.robotstxt.org/wc/norobots.html for details of the standardhttp://www.robotstxt.org/wc/norobots.html WUCM115

16 Example robots.txt WUCM116 User-agent: WebCrawler User-agent: excite Disallow: /cgi-bin Disallow: /private Allow: / User-agent: * Disallow: /

17 Logging access Generating access logs is usually a component of any security policy: – Why? – Who looks at them? – Authority part of your policy? – How long to keep? Use of tools to extract statistics Should logs include user identifiers? WUCM117

18 Security of CGI scripts Main recommendation – only enable CGI if needed CGI issues: – Do you allow users to install their own CGI scripts? – What user does the CGI script run as? – Use a CGI wrapper – suEXEC or CGIwrap – Keep the patch level monitored – Open Source CGI scripts regularly updated WUCM118

Download ppt "Access control and user management in Apache 1WUCM1."

Similar presentations

A digression The next feature of programming HTTP clients that we will consider is user authentication Before considering that, however, we will digress.

A digression The next feature of programming HTTP clients that we will consider is user authentication Before considering that, however, we will digress.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Initial web server configuration 1WUCM1. Overview Planning Testing the OS/Environment – IP setup Installation Configuration – Simple minimum details Testing.

Initial web server configuration 1WUCM1. Overview Planning Testing the OS/Environment – IP setup Installation Configuration – Simple minimum details Testing.
Access control and user management in Apache

Access control and user management in Apache
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Initial web server configuration Dr Jim Briggs 1WUCM1.

Initial web server configuration Dr Jim Briggs 1WUCM1.
Apache Configuration Setting up a web server. Basic Server Facts Runs on port 80 Server application -> httpd Richly configurable Many defaults will let.

Apache Configuration Setting up a web server. Basic Server Facts Runs on port 80 Server application -> httpd Richly configurable Many defaults will let.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from www.mandrake.com www.mandrake.com.

Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
Apache Access Controls. Ways to control Allow/Deny access control –By IP –By domain name Password –Apache managed passwords –Realms.

Apache Access Controls. Ways to control Allow/Deny access control –By IP –By domain name Password –Apache managed passwords –Realms.
Security SIG: Introduction to Tripwire Chris Harwood John Ives.

Security SIG: Introduction to Tripwire Chris Harwood John Ives.
Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in Windows Server 2003.

Hands-On Microsoft Windows Server 2003 Administration Chapter 7 Administering Web Resources in Windows Server 2003.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.

Sharepoint Portal Server Basics. Introduction Sharepoint server belongs to Microsoft family of servers Integrated suite of server capabilities Hosted.
Setting up a Subversion repository By: Matt Krass Last Updated: 4/11/07.

Setting up a Subversion repository By: Matt Krass Last Updated: 4/11/07.

Similar presentations

Ads by Google