Differences between revisions 2 and 3
Revision 2 as of 2009-06-08 12:52:03 (editor: tardis-c08)
Revision 3 as of 2009-06-16 11:48:25 (editor: 77-56-110-124)
Page was renamed from Homepage/Security.

Secure Webserver

If you want to publish material over a secure connection (SSL - Secure Sockets Layer), create a directory called secure within public_html and place the material there. The site is then accessible via https://people.ee.ethz.ch/~username/. Note though that the SSL protocol needs more resources than the normal HTTP protocol, so only put material in this subdirectory that really has to be transferred encrypted.

Also note that local users can see what is in your public_html/secure directory by walking through the file system. Some hiding is possible through the use of chmod 711 secure but it's nothing to be proud of. The only way to get some level of protection locally is to use a cgi in the public_html/secure directory which is only readable and executable for you, and then use this cgi as a gateway to publish other documents also stored with permissions that make them readable only to you. This again is no real protection, since your material still lies on the disk as plain files, so anybody with root access can read them. To get around this problem the files would have to be encrypted and your cgi would have to decrypt them on the fly when delivering. This is still not really secure, but about as good as it gets with this setup.

Protecting your pages with a password

It's possible to protect your pages with a password. Follow these steps to configure authentication for a subdirectory within your public_html directory:

1. Create the directory: mkdir ~/public_html/protected.

2. Create a .htaccess file in this directory with the following content:

AuthType Basic
AuthName "Protected Area"
AuthUserFile /home/joe/.htpasswd
Require valid-user

3. Create the password file with the htpasswd utility:

touch ~/.htpasswd && htpasswd -s ~/.htpasswd anyuser

htpasswd will prompt for the new password (yes, htpasswd has a -c switch for creating a new file, but since it's pretty easy to inadvertently erase an existing file this way I recommend using the approach with touch).

4. Test your page in the browser. If it doesn't work as expected Apache's error log (/usr/galen/netvar/apache/logs/error_log.people) might give a clue.

Additional users/passwords can be added with htpasswd -s ~/.htpasswd anotheruser. Additionally, it's possible to use different password files for different subdirectories or files - it all depends on your needs.
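The four steps above carried out in Python, as an added example rather than anything from this page: the {SHA} password entries are in the form that htpasswd -s writes, an existing user is replaced instead of the file being truncated (the -c pitfall noted above), the password file is kept owner-readable only, and a password file placed under public_html is refused so it is never reachable through the web root. Paths and credentials are constructed placeholders.

```python
import base64
import hashlib
import tempfile
from pathlib import Path

HTACCESS = 'AuthType Basic\nAuthName "{realm}"\nAuthUserFile {userfile}\nRequire valid-user\n'

def sha_entry(password: str) -> str:
    """Password field in the {SHA} form that `htpasswd -s` writes: base64 of the SHA-1."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def set_user(userfile: Path, user: str, password: str) -> None:
    """Add or replace one user without ever truncating the file (the -c pitfall)."""
    userfile.touch(exist_ok=True)               # same idea as `touch ~/.htpasswd`
    userfile.chmod(0o600)                       # readable by the owner only
    kept = [ln for ln in userfile.read_text().splitlines() if ln.split(":", 1)[0] != user]
    kept.append(f"{user}:{sha_entry(password)}")
    userfile.write_text("\n".join(kept) + "\n")

def check_user(userfile: Path, user: str, password: str) -> bool:
    """Verify a credential the way Apache does for a {SHA} entry (hash and compare)."""
    entries = dict(ln.partition(":")[::2] for ln in userfile.read_text().splitlines())
    return entries.get(user) == sha_entry(password)

def protect(public_html: Path, subdir: str, userfile: Path, realm: str = "Protected Area") -> Path:
    """Create public_html/<subdir>/.htaccess that points Apache at userfile."""
    root, pw = public_html.resolve(), userfile.resolve()
    if root in pw.parents:                      # never store credentials under the web root
        raise ValueError("keep the password file outside public_html")
    (public_html / subdir).mkdir(parents=True, exist_ok=True)
    htaccess = public_html / subdir / ".htaccess"
    htaccess.write_text(HTACCESS.format(realm=realm, userfile=pw))
    return htaccess

def demo() -> dict:
    """Run the whole procedure in a scratch directory (constructed stand-in for ~)."""
    home = Path(tempfile.mkdtemp())
    userfile = home / ".htpasswd"
    set_user(userfile, "anyuser", "password")
    set_user(userfile, "anotheruser", "s3cret")
    set_user(userfile, "anyuser", "changed")    # updated in place, nothing is lost
    htaccess = protect(home / "public_html", "protected", userfile)
    return {
        "entries": len(userfile.read_text().splitlines()),
        "mode": userfile.stat().st_mode & 0o777,
        "old_pw_rejected": not check_user(userfile, "anyuser", "password"),
        "new_pw_accepted": check_user(userfile, "anyuser", "changed"),
        "htaccess": htaccess.read_text(),
    }
```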

Restricting access to a directory to defined unix groups

The following .htaccess file enables all users of group isgee to access your website directory (after authentication). Read more about .htaccess files here.

AuthLDAPUrl "ldaps://spitfire.ee.ethz.ch oenone.ee.ethz.ch yosemite.ee.ethz.ch/ou=users,dc=isg,dc=ee?uid?one"
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthAuthoritative Off
AuthType Basic
AuthName "Restricted area"
require group cn=isgee,ou=groups,dc=isg,dc=ee

To see all defined groups and their members, execute: getent group

The LDAP-DN of the wanted group then is: cn=groupname,ou=groups,dc=isg,dc=ee

If you have users that get their group membership from the passwd entry (GID field), also allow users that match the GID (e.g. 64): require ldap-attribute gidNumber=64

For more details on LDAP authentication, check this documentation for mod_auth_ldap.

Web/Homepage/Security (last edited 2023-10-16 13:45:59 by alders)