Setting up access control using HTACCESS
There is an advantage to controlling access to certain parts of your domain. If, for instance, you wanted to make general information public but only wanted to make specific information available to your customers, you could use a feature of NCSA-based httpd servers commonly referred to as HTACCESS. Using this access control method you can limit access to certain branches of the directory tree. If you want to really understand how this works, nothing is better than reading the manual.
Basic Access Control
You can control access to your web page in two different ways: by host filtering or by user authentication. But keep in mind that neither method is foolproof. This should be considered as secure as a courtesy lock on a restroom door: nice, but ultimately ineffective.
The default name of the access control file is .htaccess, but that is not written in stone. In the server configuration overview we looked at a file called httpd.conf. This file had the following entry:
AccessFileName .htaccess
This is the default value, but any specified filename can be used. For the purposes of this tutorial I will refer to the .htaccess file by name, but your server may use a different file name.
The method of control is very simple. Place a correctly formatted file called .htaccess in a directory and you can restrict access via the web to that directory. Here is a simple example of an .htaccess file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "This is NOT a restricted directory"
AuthType Basic
<Limit GET>
order allow,deny
allow from all
</Limit>
The first two lines refer to files that contain lists of users and groups. I will cover the specific format of these files and their use later. The AuthName entry is the text displayed in the dialog box when the browser has to request a username and password. AuthType is always Basic here; the more advanced authorization methods based on Kerberos or MD5 are involved enough to fill books of their own.
The important parts for now are contained in the familiar-looking <Limit> block:
<Limit GET>
order deny,allow
deny from all
allow from linuxweblog.com
</Limit>
This rule will cause everyone to be denied EXCEPT hosts from linuxweblog.com. The server evaluates the directives in the sequence given by the order line, so the allow entry acts as the exception to the blanket deny. Here is another way to look at it.
<Limit GET>
order allow,deny
deny from linuxweblog.com
</Limit>
By changing the order to allow,deny and changing the allow entry to a deny we have created a ban list. Everyone EXCEPT linuxweblog.com hosts can get documents from the directory.
<Limit GET>
order deny,allow
allow from all
deny from linuxweblog.com 192.168.10.
</Limit>
This rule set is evaluated the same way as the one above it, but includes an additional deny entry for the 192.168.10. address range. The drawback of using a DNS name shows up when the web server cannot resolve a client's IP address to a domain name. If you rely completely on DNS names and DNS ever fails, you may find yourself locked out of your own site!
Host access control is the simplest way to control access, but what if you get a different IP address every time you log in, and you don't want to allow everyone from your domain access to the directory tree? I'm glad I asked that.
User Based Access Control
The most effective method of access restriction is the use of a username and password. By using two additional files, people can be granted access either by username or by group membership. These two files are conventionally called .htpasswd and .htgroup, but they can have any name specified in the .htaccess file. I will refer to the conventional names, but feel free to change them on your site. The .htpasswd file contains a list of usernames and encrypted passwords separated by colons. Here is an example:
Bob:ZUvJgtVp77Vik
Ted:rBW8u1RJUr6eU
Carol:HwrJPys5u7NcM
Alice:UORwkyVbeWc6M
This is a four-user .htpasswd file. The format is similar to a standard Un*x /etc/passwd file, and in fact the encryption method is compatible, so if you want you can base the .htpasswd file on a modified copy of an actual Un*x /etc/passwd file. Here is an example of the .htgroup file:
Admin: Carol
Managers: Ted Carol
Staff: Bob Ted Carol Alice
The group names are not special except in how they are used. Using these files as examples, let's look at some new rule sets.
AuthUserFile /usr/local/etc/httpd/private/.htpasswd
AuthGroupFile /usr/local/etc/httpd/private/.htgroup
AuthName "This is a restricted directory"
AuthType Basic
<Limit GET>
order allow,deny
allow from all
require user Alice
require group Managers
satisfy any
</Limit>
In this case we have specified authorization user and group files and given a title to the dialog box. The rule will deny everyone EXCEPT Alice OR the group Managers. The satisfy element controls whether the rule is evaluated as a logical AND or OR. By default it is a logical AND. That means that without the "satisfy any" line it would assume "satisfy all" and require both user Alice and group Managers to access the directory. Since Alice is not a member of the Managers group, NO ONE would have access to the directory. Let's look at another one.
AuthUserFile /usr/local/etc/httpd/private/.htpasswd
AuthGroupFile /usr/local/etc/httpd/private/.htgroup
AuthName "This is a restricted directory"
AuthType Basic
<Limit GET>
order deny,allow
deny from all
allow from linuxweblog.com
require group Managers
satisfy all
</Limit>
This example combines both user and host validation. You have to supply a username that is in the Managers group AND be connecting from the linuxweblog.com domain.
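To check what a given rule set actually grants before relying on it, here is an added example (not code from the tutorial or from any httpd project) that evaluates the host-filtering rule sets in the first section and the user/group rule sets in this section under Apache's documented semantics for order/allow/deny, require and satisfy. It assumes your server follows those semantics; the function names and the rule-dictionary layout are this example's own.

```python
# Added example, not from the tutorial: evaluates this page's rule sets under
# Apache's documented semantics for order/allow/deny, require and satisfy.
# Hosts, users and groups are the tutorial's; function names are assumed here.
def host_matches(client, patterns):
    """Client is a hostname or dotted IP; patterns as used in allow/deny from."""
    for p in patterns:
        if p == "all":
            return True
        if p.endswith("."):                      # partial IP such as 192.168.10.
            if client.startswith(p):
                return True
        elif client == p or client.endswith("." + p):   # host or domain suffix
            return True
    return False

def host_allowed(order, allow, deny, client):
    """allow,deny: allowed only if an allow matches and no deny does.
    deny,allow: denied only if a deny matches and no allow does."""
    a, d = host_matches(client, allow), host_matches(client, deny)
    return (a and not d) if order == "allow,deny" else not (d and not a)

def parse_htgroup(text):
    groups = {}
    for line in text.splitlines():               # "Group: member member ..."
        name, _, members = line.partition(":")
        if members:
            groups[name.strip()] = set(members.split())
    return groups

def user_allowed(requires, groups, user):
    """Any one 'require user ...' or 'require group ...' line may match."""
    for kind, names in (r.split(None, 1) for r in requires):
        if kind == "user" and user in names.split():
            return True
        if kind == "group" and any(user in groups.get(g, ()) for g in names.split()):
            return True
    return False

def access_granted(rules, client, user=None):
    """rules: dict with order, allow, deny, require (list), groups, satisfy."""
    host_ok = host_allowed(rules["order"], rules.get("allow", []),
                           rules.get("deny", []), client)
    if not rules.get("require"):                 # host filtering only
        return host_ok
    user_ok = user is not None and user_allowed(rules["require"], rules["groups"], user)
    if rules.get("satisfy", "all") == "any":     # host OR authenticated user
        return host_ok or user_ok
    return host_ok and user_ok                   # satisfy all: both must pass

HTGROUP = parse_htgroup("Admin: Carol\nManagers: Ted Carol\nStaff: Bob Ted Carol Alice\n")  # from the page, embedded to run offline
```

Two results worth checking with it: under these semantics an order allow,deny block with no allow line denies every host, and satisfy any combined with allow from all admits every host without asking for a password, so the deny,allow forms with an explicit deny from all are the ones that restrict as intended.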