The CERN Web Office 

How to protect your data. Apache Web Server.



There are two ways of restricting access to documents: either by the hostname of the browser being used, or by asking for a username and password. This second way is called user authentication.

Setting up user authentication requires two steps: firstly, you create a file containing the usernames and passwords. Secondly, you tell the server what resources are to be protected and which users are allowed (after entering a valid password) to access them.

We have called the password file 'users'. Everybody should use the same name so that all configurations are uniform.

Where to find the users file?
If your data is held locally (in www), you will find it at /W3dir/<YOUR_DIRECTORY>/Apache/ when connecting from wwwlab.

If your data is in afs, we have created a new directory for each of you under /W3dir/Apache/<YOUR_DIRECTORY>/Apache/ (from wwwlab).

A web interface is used to create, modify or delete users in the users file.

If your pages are locally located open the URL:
        http://www.cern.ch/apache-bin/main.cgi/<YOUR_DIRECTORY>

If your pages are in afs open the URL:
        http://www.cern.ch/apache-bin/main.cgi/Apache/<YOUR_DIRECTORY>

If you also want to protect the web interface page itself (the one that prompts you to create or change the passwords for your protected pages), just send an e-mail to www@www.cern.ch saying which login and password you want to use to open it.

Configuring the Server

Now, we'll have to tell the server to use this file.
The directives to create the protected area can be placed in a .htaccess file in the directory concerned, or in a <Directory> section in the configuration file.

If you want www.support to protect your data for you, send an e-mail to www@www.cern.ch.

If you want to protect your data yourself:

To restrict a directory to any user listed in the users file, you should create a .htaccess file containing:

                AuthName <symbolic_name>
                AuthType Basic
                AuthUserFile <path to your users file>

                require valid-user

The first directive, AuthName, specifies a realm name for this protection. Once a user has entered a valid username and password, any other resources within the same realm name can be accessed with the same username and password. This can be used to create two areas which share the same username and password.

The AuthType directive tells the server what protocol is to be used for authentication. At the moment, Basic is the only method available.

AuthUserFile tells the server the location of the users file created by the web interface.
AuthGroupFile can be used to tell the server the location of a groups file (see below).

The require directive tells the server which usernames from the users file are valid for particular access methods.
The argument valid-user tells the server that any username in the users file can be used, but it can also be configured to allow only certain users in:

                require user martin jane

would only allow users martin and jane access (after they have entered a correct password). If user art (or any other user) tried to access this directory - even with the correct password - they would be denied. This is useful to restrict different areas of your server to different people with the same users file. If a user is allowed to access the different areas, they only have to remember a single password. Note that if the realm name differs in the different areas, the user will have to re-enter their password.
 

Using Groups

If you want to allow only selected people in the users file into a particular area, you should use groups. The group file should be called groups and it will be located in the same directory as the users file. The same person can belong to more than one group. All the usernames in the groups file must be present in the users file.

Example of a groups file:
      admin:isabel david
      team:david pepe montse

Example of a users file:
      david:FD2Dk.zMGUPD.
      isabel:XfViT467MJO4g
      pepe:JYPBeq9c06l.U
      montse:5RWASJ5urWri.
      sacra:fDASEgc53SghH

Here we have two groups, admin and team. We can configure the Web server so that the URL http://www.cern.ch/YOUR_DIRECTORY/ will only be accessible to members of 'team', whereas http://www.cern.ch/YOUR_DIRECTORY/private will only be accessible to members of 'admin'.
 
To restrict access to just users in the admin group, you would use

                require group admin

Multiple groups can be listed, and require user can also be given, in which case any user in any of the listed groups, or any user listed explicitly, can access the resource. For example:

                require group admin team
                require user sacra

which would allow any user in group team or group admin, or the user sacra, to access this resource after entering a valid password.
 
Restricting By Hostname or Username

It is possible to use both username and hostname restrictions at the same time. Normally Apache will require that both restrictions are satisfied, that is, that the user comes from an allowed host or domain name and that they supply a valid username and password. However the Satisfy any directive can be used in the .htaccess file. When this directive is given, anyone coming from the allowed domains will be given access without having to enter a username and password. All other users (from the "denied" domains) will be prompted for a username and password.
 
Some examples. Different .htaccess files.

1.- Directory accessible for just two users in the users file.
2.- Directory accessible for all users in the users file.
3.- Directory accessible for people connecting from machines inside CERN.
4.- Directory accessible for people belonging to group 'admin' in the groups file.
5.- Directory accessible for people connecting from the machines wwwsupp and wwwsupp4, and for user 'guest'.
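The five .htaccess files listed above, written out together with a small model of how the server evaluates them, as an added example that is not part of the original page and not Apache's own code. The model restates in Python the rules described on this page: a request passes if any one require line is met (valid-user, a user listed explicitly, or membership of a listed group); host restrictions come from the allow from list (order deny,allow and deny from all are taken as given); and Satisfy any lets either check suffice, while the default requires both. The users and groups files reuse the names from the page, but the users file is constructed with Apache's {SHA} entry format instead of the crypt() hashes shown above, the passwords and the extra user guest are made up, and .cern.ch standing for "inside CERN" is an assumption.

```python
import base64
import hashlib

# Constructed sample data, not from the original page. The page's users file holds crypt(3)
# DES hashes; this model uses Apache's "{SHA}" entry format (base64 of SHA-1) instead.
def sha_entry(password):
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

SAMPLE_PASSWORDS = {"david": "d-pw", "isabel": "i-pw", "pepe": "p-pw",
                    "montse": "m-pw", "sacra": "s-pw", "guest": "g-pw"}
USERS_FILE = "".join(f"{u}:{sha_entry(p)}\n" for u, p in SAMPLE_PASSWORDS.items())
GROUPS_FILE = "admin:isabel david\nteam:david pepe montse\n"

def parse_users(text):
    # users file: one "name:hash" per line
    return dict(line.split(":", 1) for line in text.splitlines() if ":" in line)

def parse_groups(text):
    # groups file: "group:member member ..." per line; a user may be in several groups
    return {g.strip(): set(m.split()) for g, _, m in
            (line.partition(":") for line in text.splitlines() if ":" in line)}

def password_ok(users, name, password):
    return users.get(name) == sha_entry(password)

def parse_htaccess(text):
    # "order deny,allow" / "deny from all" are taken as given; only "allow from" is recorded
    conf = {"require": [], "allow": [], "satisfy": "all"}
    for line in text.splitlines():
        words = line.split() or [""]
        key = words[0].lower()
        if key == "require" and len(words) > 1:
            conf["require"].append((words[1].lower(), words[2:]))
        elif key == "allow" and len(words) > 2 and words[1].lower() == "from":
            conf["allow"].extend(w.lower().lstrip(".") for w in words[2:])
        elif key == "satisfy" and len(words) > 1:
            conf["satisfy"] = words[1].lower()
    return conf

def host_allowed(conf, host):
    # No "allow from" lines means no host restriction. "wwwsupp" matches that host;
    # ".cern.ch" (or "cern.ch") matches every host inside the domain.
    host = host.lower()
    return not conf["allow"] or any(
        host == p or host.endswith("." + p) for p in conf["allow"])

def user_authorized(conf, users, groups, name):
    # Meeting any one "require" line is enough (page semantics).
    for kind, args in conf["require"]:
        if kind == "valid-user" and name in users:
            return True
        if kind == "user" and name in args:
            return True
        if kind == "group" and any(name in groups.get(g, ()) for g in args):
            return True
    return False

def decode_basic(header):
    # Basic sends "name:password" base64-encoded, readable by anyone who sees the request.
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        name, _, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # bad base64 or not valid UTF-8
        return None
    return name, password

def basic_header(name, password):
    return "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

def decide(htaccess_text, remote_host, authorization=None,
           users_text=USERS_FILE, groups_text=GROUPS_FILE):
    # True: the resource is served; False: the server answers 401 or 403.
    conf = parse_htaccess(htaccess_text)
    users, groups = parse_users(users_text), parse_groups(groups_text)
    by_host = host_allowed(conf, remote_host)
    by_user = False
    if authorization and conf["require"]:
        creds = decode_basic(authorization)
        if creds and password_ok(users, *creds):
            by_user = user_authorized(conf, users, groups, creds[0])
    if conf["satisfy"] == "any":
        return by_host or by_user
    return by_host and (by_user or not conf["require"])

# The five .htaccess files the page lists, written out here (constructed). The
# AuthUserFile path is the page's own; ".cern.ch" for "inside CERN" is an assumption.
AUTH = ("AuthName Protected\nAuthType Basic\nAuthUserFile /W3dir/<YOUR_DIRECTORY>/Apache/users\n"
        "AuthGroupFile /W3dir/<YOUR_DIRECTORY>/Apache/groups\n")
HOST = "order deny,allow\ndeny from all\n"
EXAMPLES = {
    1: AUTH + "require user david isabel\n",
    2: AUTH + "require valid-user\n",
    3: HOST + "allow from .cern.ch\n",
    4: AUTH + "require group admin\n",
    5: AUTH + HOST + "allow from wwwsupp wwwsupp4\nrequire user guest\nSatisfy any\n",
}
```

Two points the model makes visible: several require lines are a union, so a user named anywhere in them gets in once the password matches, and in a Satisfy any area the host check alone is enough, so an area with Satisfy any but no allow from list admits everyone in this model. When you write a file like example 5, check it the same way the test below does: a request from an outside host with no credentials must be refused, and one with a correct password for a user the require lines do not name must be refused too.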

More Information on Apache Web Server.

Apache Server Project - http://www.apache.org/
Apache Week - http://www.apacheweek.com/


General support comments are welcome to www.support@cern.ch
Copyright CERN -- Web Office, created 1998.06.24