Apache and Access Control
Server Training - Web Server

Access Control with the Apache Web Server allows you to regulate who can view directories and content on the Apache server. The Directory directive provides granular access to folders and content. If a company needed to allow only one group in its domain to access a particular folder, the Directory directive could accomplish this. If the group sales from mybigsales.com needed to access a customers directory, this is how it could be created in the /etc/httpd/conf/httpd.conf file (CentOS) or in /etc/apache2/apache2.conf (Ubuntu 8.04):

<Directory /var/www/html/customers>
Order Deny,Allow
Allow from sales.mybigsales.com
Deny from .mybigsales.com
</Directory>

The directory listed in the example is the path on the server, not a URL. Order Deny,Allow (the two keywords are separated by a comma with no space between them) tells Apache to evaluate the Deny directives first and then the Allow directives, so an Allow wins where both match. In the example the whole .mybigsales.com domain is denied and then sales.mybigsales.com is allowed. It is important to understand that this order denies first and allows at the end; hosts matched by neither directive receive the default for Deny,Allow, which is allow.
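As an added example (not code from the original page), the Python below models how Apache 2.2 evaluates Order, Allow from and Deny from for a client hostname, using the customers block from above. It assumes the hostname is the one Apache resolved for the client, and it also rejects the Order spelling with a space after the comma, which Apache does not accept.

```python
"""Model of Apache 2.2 host access control (Order / Allow from / Deny from).
Added example, not part of the original training page: it re-implements the
evaluation rules documented for mod_authz_host for a given client hostname."""

# The page's block, with Order written as Apache requires (no space after the comma).
CUSTOMERS_CONFIG = """
<Directory /var/www/html/customers>
    Order Deny,Allow
    Allow from sales.mybigsales.com
    Deny from .mybigsales.com
</Directory>
"""

def parse_access_rules(config_text):
    """Return (order, allow_rules, deny_rules) from a Directory block."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is the Apache default
    for line in config_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            if len(parts) != 2 or parts[1].lower() not in ("deny,allow", "allow,deny"):
                raise ValueError("Order must be Deny,Allow or Allow,Deny with no whitespace")
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(p.lower() for p in parts[2:])
    return order, allow, deny

def host_matches(rule, hostname):
    """'all' matches every host; a (partial) domain name matches whole components only."""
    hostname = hostname.lower()
    if rule == "all":
        return True
    if rule.startswith("."):  # ".mybigsales.com": any host under that domain
        return hostname.endswith(rule)
    return hostname == rule or hostname.endswith("." + rule)

def is_allowed(config_text, hostname):
    """Deny,Allow: default allow, an Allow overrides a Deny.
    Allow,Deny: default deny, a Deny overrides an Allow."""
    order, allow, deny = parse_access_rules(config_text)
    allowed = any(host_matches(r, hostname) for r in allow)
    denied = any(host_matches(r, hostname) for r in deny)
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied
```

Running it shows that a host outside mybigsales.com is allowed by default under Deny,Allow, and that switching the same rules to Allow,Deny would lock out sales.mybigsales.com as well, because the Deny on the parent domain would then win.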

Password Authentication

Apache provides Password Authentication for directories using the htpasswd program. The first thing that needs to be done is to decide where to place these password files. It is important that they are not placed in areas that are easily accessed, as they should only be read by apache. It is probably best to place them in the /etc/httpd directory, or in /etc/apache2 if you are using Ubuntu 8.04. You may even want to create a separate, more restricted directory within /etc/httpd or /etc/apache2. Use the htpasswd program to initialize a file for sales, for example:

htpasswd -c /etc/httpd/sales tom

The program will prompt for a password and then ask you to confirm it. The -c option creates the file, so DO NOT USE IT THE SECOND TIME! If you do, it will wipe out the users you already placed in the file. The password file can contain passwords for any number of people you want to have access to this folder. For example, if you wanted to add mary later you would use this command:

htpasswd /etc/httpd/sales mary

The next step is to make sure the permissions are correct on the password files. Change the owner to apache and change permissions to 600.

chmod 600 sales


The owner and group are changed to apache with chown. Note that you will need to verify these permissions each time changes are made to the file.

chown apache:apache sales

Now the file rights are rw for the owner and nothing for group or other. This is an important setting.

The example below shows that several password files for directories have been created (tech, administrators, sales, office). When the permissions are listed, all of them will work except the tech password file... why?

drwxr-xr-x 4 root root 1024 Jan 22 08:41 .
drwxr-xr-x 60 root root 6144 Jan 23 04:02 ..
-rw------- 1 root root 19 Jan 1 13:18 tech
-rw------- 1 apache apache 59 Jan 22 08:45 administrators
drwxr-xr-x 7 root root 1024 Jan 22 08:33 conf
drwxr-xr-x 2 root root 1024 Jul 3 2005 conf.d
lrwxrwxrwx 1 root root 19 Jul 2 2005 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root 27 Jul 2 2005 modules -> ../../usr/lib/httpd/modules
lrwxrwxrwx 1 root root 13 Jul 2 2005 run -> ../../var/run
-rw------- 1 apache apache 41 Jan 23 14:44 sales
-rw------- 1 apache apache 1180 Jan 23 14:55 office

The answer to the above question is that the apache user needs to be able to read the file. Because the tech file is owned by root with mode 600, apache cannot read it.

Once a password file has been created, the directory that needs to be protected should be set up in httpd.conf (or apache2.conf for Ubuntu 8.04). The Directory directive creates the context for these settings:

<Directory >
</Directory>

The first line shows which directory the password will protect.

<Directory /var/www/html/sales>

The second line determines the kind of authentication, which is Basic.

AuthType Basic

The AuthName is the text string shown on the login prompt, so users can see which group this directory is meant for.

AuthName "Sales Group"

The AuthUserFile is the file location for the password file.

AuthUserFile /etc/httpd/sales

Each user of the directory may be specified by listing the user name, provided that user's password is present in the /etc/httpd/sales password file. "require user" mandates that no one will be able to use this directory except the users listed:

require user tom jane mary joe

If there were a lot of people using the directory, one password could be given to all users in the sales group, for example.

<Directory /var/www/html/sales>
AuthType Basic
AuthName "Sales Group"
AuthUserFile /etc/httpd/sales
require user tom jane mary joe
</Directory>


Copyright CyberMontana Inc. and BeginLinux.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874