|
Size: 3613
Comment:
|
← Revision 39 as of 2023-10-16 13:45:59 ⇥
Size: 5368
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| #rev 2018-09-25 pmeier #rev 2020-08-31 alders |
|
| Line 3: | Line 6: |
| = Security = | |
| Line 7: | Line 9: |
| If you want to publish material over a secure connection (SSL - Secure Sockets Layer), you can create a directory within `public_html` called secure and place the material in there. This site is then accessible via `https://people.ee.ethz.ch/~username/`. Note though that the SSL protocol needs more resources than the normal HTTP protocol, so only put material in this subdirectory which really has to be transferred encrypted. | You can access your personal homepage over http or https. Both protocols have the webbroot in the public_html subdirectory of your home. |
| Line 9: | Line 11: |
| Also note that local users can see what is in your `public_html/secure` directory by walking through the file system. Some hiding is possible through the use of `chmod 711 secure` but it's nothing to be proud of. The only way to get some level of protection locally is to use a cgi in the `public_html/secure` directory which is only readable and executable for you, and then use this cgi as a gateway to publish other documents also stored with permisions only readable to you. This again is no real protection for the fact that your material lies on the disk as plain files. So anybody with root access can read the files. To get around this problem the files would have to be encrypted and your cgi would have to decrypt them on the fly when delivering. This is still not really secure, but about as good as it gets with this setup. | Also note that local users can see what is in your `public_html` directory by walking through the file system. All files in a normal static html website must be readable by the webserver and so they are readable for every user who has access to the filesystem, where your home is placed. The only way to get some level of protection locally is to use a CGI in the `public_html` directory which is only readable and executable for you, and then use this CGI as a gateway to deliver documents also stored with permissions only readable to you. |
| Line 11: | Line 13: |
| == Protecting your pages with a password == It's possible to protect your pages with a password. Follow these steps to configure authentication for a subdirectory within your `public_html ` directory: |
|
| Line 14: | Line 14: |
| 1. Create the directory: `mkdir ~/public_html/protected`. 2. Create a `.htaccess` file in this directory with the following content: |
== Authentication and Authorization == While speaking about access control one must distinguish between authentication and authorization. Authentication is the process of verifying that "you are who you say you are", authorization is the process of verifying that "you are permitted to do what you are trying to do". Authorization thus requires authentication. |
| Line 17: | Line 18: |
| {{{ AuthType Basic AuthName "Protected Area" AuthUserFile /home/joe/.htpasswd Require valid-user }}} 3. Create the password file with the `htpasswd` utility: |
This approach is also implemented by Apache's htaccess configuration directives. E.g. * Authentication: {{{AuthBasicProvider}}} directive * Authorization: {{{Require}}} directive |
| Line 25: | Line 22: |
| {{{touch ~/.htpasswd && htpasswd -s ~/.htpasswd anyuser }}} | == Website Protection == === LOCAL vs. LDAP === There are two different "databases" access control can work with: |
| Line 27: | Line 26: |
| `htpasswd` will prompt for the new password (yes, `htpasswd` has a `-c` switch for creating a new file, but since it's pretty easy to inadvertently erase an existing file this way I recommend using the approach with `touch`). | You should use LDAP if access control should be based on registered D-ITET users and groups. On the other hand, an independent access control based on self defined users (e.g. for non D-ITET users) is achieved best using a LOCAL "database". |
| Line 29: | Line 28: |
| 4. Test your page in the browser. If it doesn't work as expected Apache's error log (`/usr/galen/netvar/apache/logs/error_log.people`) might give a clue. | === Local Password File === Follow these steps to configure access control for a sub directory within your `public_html` directory: |
| Line 31: | Line 31: |
| Additional users/passwords can be added with `htpasswd -s ~/.htpasswd anotheruser`. Additionally, it's possible to use different password files for different subdirectories or files - it all depends on your needs. | 1. {{{htpasswd}}} can only be found on {{{people}}} hence you need to login there first ({{{ssh people}}}). As an alternative solution you could use a [[http://aspirine.org/htpasswd_en.html|web-based variant]] which implemented the htpasswd command in javascript (make sure to generate an '''SHA-1''' Hash!) |
| Line 33: | Line 33: |
| == Restricting access to a directory to defined unix groups == The following `.htaccess` file enables all users of group `isgee` to access your website-directory (after authentication): Read more about htaccess-files [[http://httpd.apache.org/docs/2.0/howto/htaccess.html|here]]. |
1. Create a directory, for example: `mkdir ~/public_html/mySecureWebsite`. |
| Line 36: | Line 35: |
| {{{ AuthLDAPUrl "ldaps://spitfire.ee.ethz.ch oenone.ee.ethz.ch yosemite.ee.ethz.ch/ou=users,dc=isg,dc=ee?uid?one" AuthLDAPGroupAttributeIsDN off AuthLDAPGroupAttribute memberUid AuthAuthoritative Off AuthType Basic AuthName "Restricted area" require group cn=isgee,ou=groups,dc=isg,dc=ee }}} To see all defined groups and their members, execute: `getent group` |
1. Create a `.htaccess` file in this directory with the following content: {{{ AuthType Basic AuthName "Protected Area" AuthUserFile /home/<UserName>/.htpasswd Require valid-user }}} |
| Line 47: | Line 43: |
| The LDAP-DN of the wanted group then is: `cn=groupname,ou=groups,dc=isg,dc=ee` | 1. Create the password file in your home-directory with the `htpasswd` utility (installed on the webservers): {{{ touch ~/.htpasswd && htpasswd -s ~/.htpasswd anyuser }}} |
| Line 49: | Line 48: |
| If You have users that get their group membership from the passwd entry (GID field), also allow users that match the GID (e.g. 64): `require ldap-attribute gidNumber=64` | `htpasswd` will prompt for the new password (yes, `htpasswd` has a `-c` switch for creating a new file, but since it's pretty easy to inadvertently erase an existing file this way I recommend using the approach with `touch`). |
| Line 51: | Line 50: |
| For more details on LDAP-Authentication, check this[[http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html|documentation]] for mod_auth_ldap. | 1. Test your page in the browser. If it doesn't work as expected Apache's error log (`/var/log/apache2/error_log.people_ee_ssl @ people.ee.ethz.ch`) might give a clue. 1. Additional users/passwords can be added with `htpasswd -s ~/.htpasswd anotheruser`. Additionally, it's possible to use different password files for different subdirectories or files, for example `~/.htpasswd01` for directory `~/public_html/bla01` and `~/.htpasswd02` for directory `~/public_html/bla02` - it all depends on your needs. 1. Read more about htaccess files [[https://httpd.apache.org/docs/2.4/howto/htaccess.html|here]]. === LDAP Directory Service === For access control against registered D-ITET users and groups a more complex htaccess file is needed based on three different sections. All sections together are setting up the entire htaccess file. 1. Authentication {{{ AuthType Basic AuthName "YOUR LOGIN Text" AuthBasicProvider ldap }}} 1. Anonymous LDAP Binding Anonymous access to the LDAP server is allowed on ITET's managed offline replica (i.e update once per day) only. Direct access to ID's LDAP Service is restricted to special proxy users. A personal proxy user for staff and proj accounts can be requested (support@ee.ethz.ch) for some special cases if anonymous access is not sufficient. {{{ AuthLDAPURL "ldaps://ldap02.ee.ethz.ch ldap01.ee.ethz.ch/ou=users,ou=itet,ou=auth,o=ethz,c=ch?uid?one" }}} 1. Authorization The authorization depends on your needs. Here are some examples for common setups. Combination of authorization methods is also possible (defaults to a logical OR). a. By group: {{{ AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off Require ldap-group cn=<GroupName>,ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch }}} b. By user: {{{ Require ldap-user <user1> <user2> }}} c. Valid user (i.e. no further authorization, valid authentication against the LDAP server is sufficient) {{{ Require valid-user }}} Necessary group information, i.e. the group name can be retrieved by executing 'getent group' on an ISG D-ITET manged Linux client. Read more about LDAP authentication and authorization [[https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html|here]]. == File Permissions == While using anonymous LDAP binding no special file permissions are needed A simple ''chmod 644 .htaccess'' should be fine. ---- [[CategoryWEBS]] |
Contents
Secure Webserver
You can access your personal homepage over http or https. Both protocols have the webbroot in the public_html subdirectory of your home.
Also note that local users can see what is in your public_html directory by walking through the file system. All files in a normal static html website must be readable by the webserver and so they are readable for every user who has access to the filesystem, where your home is placed. The only way to get some level of protection locally is to use a CGI in the public_html directory which is only readable and executable for you, and then use this CGI as a gateway to deliver documents also stored with permissions only readable to you.
Authentication and Authorization
While speaking about access control one must distinguish between authentication and authorization. Authentication is the process of verifying that "you are who you say you are", authorization is the process of verifying that "you are permitted to do what you are trying to do". Authorization thus requires authentication.
This approach is also implemented by Apache's htaccess configuration directives. E.g.
Authentication: AuthBasicProvider directive
Authorization: Require directive
Website Protection
LOCAL vs. LDAP
There are two different "databases" access control can work with:
You should use LDAP if access control should be based on registered D-ITET users and groups. On the other hand, an independent access control based on self defined users (e.g. for non D-ITET users) is achieved best using a LOCAL "database".
Local Password File
Follow these steps to configure access control for a sub directory within your public_html directory:
htpasswd can only be found on people hence you need to login there first (ssh people). As an alternative solution you could use a web-based variant which implemented the htpasswd command in javascript (make sure to generate an SHA-1 Hash!)
Create a directory, for example: mkdir ~/public_html/mySecureWebsite.
Create a .htaccess file in this directory with the following content:
AuthType Basic AuthName "Protected Area" AuthUserFile /home/<UserName>/.htpasswd Require valid-user
Create the password file in your home-directory with the htpasswd utility (installed on the webservers):
touch ~/.htpasswd && htpasswd -s ~/.htpasswd anyuser
htpasswd will prompt for the new password (yes, htpasswd has a -c switch for creating a new file, but since it's pretty easy to inadvertently erase an existing file this way I recommend using the approach with touch).
Test your page in the browser. If it doesn't work as expected Apache's error log (/var/log/apache2/error_log.people_ee_ssl @ people.ee.ethz.ch) might give a clue.
Additional users/passwords can be added with htpasswd -s ~/.htpasswd anotheruser. Additionally, it's possible to use different password files for different subdirectories or files, for example ~/.htpasswd01 for directory ~/public_html/bla01 and ~/.htpasswd02 for directory ~/public_html/bla02 - it all depends on your needs.
Read more about htaccess files here.
LDAP Directory Service
For access control against registered D-ITET users and groups a more complex htaccess file is needed based on three different sections. All sections together are setting up the entire htaccess file.
- Authentication
AuthType Basic AuthName "YOUR LOGIN Text" AuthBasicProvider ldap
- Anonymous LDAP Binding
Anonymous access to the LDAP server is allowed on ITET's managed offline replica (i.e update once per day) only. Direct access to ID's LDAP Service is restricted to special proxy users. A personal proxy user for staff and proj accounts can be requested (support@ee.ethz.ch) for some special cases if anonymous access is not sufficient.
AuthLDAPURL "ldaps://ldap02.ee.ethz.ch ldap01.ee.ethz.ch/ou=users,ou=itet,ou=auth,o=ethz,c=ch?uid?one"
- Authorization
- The authorization depends on your needs. Here are some examples for common setups. Combination of authorization methods is also possible (defaults to a logical OR).
- By group:
AuthLDAPGroupAttribute memberUid AuthLDAPGroupAttributeIsDN off Require ldap-group cn=<GroupName>,ou=custom,ou=groups,ou=nethz,ou=id,ou=auth,o=ethz,c=ch
b. By user:Require ldap-user <user1> <user2>
c. Valid user (i.e. no further authorization, valid authentication against the LDAP server is sufficient)Require valid-user
Necessary group information, i.e. the group name can be retrieved by executing 'getent group' on an ISG D-ITET manged Linux client.
Read more about LDAP authentication and authorization here.
File Permissions
While using anonymous LDAP binding no special file permissions are needed A simple chmod 644 .htaccess should be fine.