<HTML>

<HEAD>

<TITLE>Apache Server Survival Guide asg15.htm </TITLE>

<LINK REL="ToC" HREF="index.htm" tppabs="http://docs.rinet.ru:8080/Apachu/index.htm">

<LINK REL="Index" HREF="htindex.htm" tppabs="http://docs.rinet.ru:8080/Apachu/htindex.htm">

<LINK REL="Next" HREF="asg16.htm" tppabs="http://docs.rinet.ru:8080/Apachu/asg16.htm">

<LINK REL="Previous" HREF="asg14.htm" tppabs="http://docs.rinet.ru:8080/Apachu/asg14.htm"></HEAD>

<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#800080">
<!--#exec cmd="/www/docs/ssi-bin/restricted_search.ssi"-->





<!--#exec cmd="/www/docs/ssi-bin/inc.ssi"-->






<A NAME="I0"></A>

<H2>Apache Server Survival Guide asg15.htm</H2>

<P ALIGN=LEFT>

<A HREF="asg14.htm" tppabs="http://docs.rinet.ru:8080/Apachu/asg14.htm" TARGET="_self"><IMG SRC="purprev.gif" tppabs="http://docs.rinet.ru:8080/Apachu/purprev.gif" WIDTH = 32 HEIGHT = 32 BORDER = 0 ALT="Previous Page"></A>

<A HREF="index.htm" tppabs="http://docs.rinet.ru:8080/Apachu/index.htm" TARGET="_self"><IMG SRC="purtoc.gif" tppabs="http://docs.rinet.ru:8080/Apachu/purtoc.gif" WIDTH = 32 HEIGHT = 32 BORDER = 0 ALT="TOC"></A>

<A HREF="asg16.htm" tppabs="http://docs.rinet.ru:8080/Apachu/asg16.htm" TARGET="_self"><IMG SRC="purnext.gif" tppabs="http://docs.rinet.ru:8080/Apachu/purnext.gif" WIDTH = 32 HEIGHT = 32 BORDER = 0 ALT="Next Page"></A>


<HR ALIGN=CENTER>

<P>

<UL>

<UL>

<UL>

<LI>

<A HREF="#E68E165" >Host-Based Access Control (Domain-Level Access Control)</A>

<UL>

<LI>

<A HREF="#E69E181" >The order Directive</A>

<LI>

<A HREF="#E69E182" >The allow Directive</A>

<LI>

<A HREF="#E69E183" >The deny Directive</A>

<LI>

<A HREF="#E69E184" >Host-based Access Control Examples</A></UL>

<LI>

<A HREF="#E68E166" >User Authentication Control</A>

<UL>

<LI>

<A HREF="#E69E185" >Requesting a Password</A>

<LI>

<A HREF="#E69E186" >Managing Flat-File Password Files with htpasswd</A>

<LI>

<A HREF="#E69E187" >Managing DBM and DB Password Databases with dbmmanage</A></UL>

<LI>

<A HREF="#E68E167" >Group Authentication</A>

<LI>

<A HREF="#E68E168" >Summary</A></UL></UL></UL>

<HR ALIGN=CENTER>

<A NAME="E66E15"></A>

<H1 ALIGN=CENTER>

<CENTER>

<FONT SIZE=6 COLOR="#FF0000"><B>15</B></FONT></CENTER></H1>

<BR>

<A NAME="E67E21"></A>

<H2 ALIGN=CENTER>

<CENTER>

<FONT SIZE=6 COLOR="#FF0000"><B>Access Control</B><B> and User Authentication</B></FONT></CENTER></H2>

<BR>

<P>User authentication and access control allow you to restrict access to your Web server's document tree. If you are building a site that will be accessible to the world and you don't need to restrict access to your materials, you may want to skip this chapter.

<BR>

<P>Servers with sensitive information should be behind a firewall or should use encryption technology that protects your materials from unauthorized viewing. Directly connecting to the Internet with a server that has sensitive information is asking for trouble.

<BR>

<P>Apache provides several methods you can use to restrict unauthorized access to your documents. These access control and user authentication extensions are implemented in the form of modules. Modules extend Apache by adding functionality that is not part of the Apache core itself. Modules provide additional directives that allow you to control the behavior of the server much the same way you control other aspects of the server's configuration.

<BR>

<P>As with any resource that needs to be secured, security factors depend on many issues. If the information you are publishing is of a highly sensitive nature, you should consider an alternative publishing medium. You may want to consider using a secure server, such as Apache-SSL or Stronghold. Both of these servers are based on the Apache source, but they add Secure Socket Layer (SSL) technology, which encrypts transactions between the server and the client when accessed with a compatible browser. Information on SSL servers is covered in <A HREF="asg14.htm" tppabs="http://docs.rinet.ru:8080/Apachu/asg14.htm">Chapter 14</A>, &quot;Secure Web Servers.&quot;

<BR>

<P>The topics in this chapter offer an extremely basic measure of security, if you can call it that. User authentication and access control put a basic barrier between the user accessing your data and your server. If your data is sensitive, don't place your trust in any piece of software unless you understand the potential risks that could create a hole in your security scheme. Once again, do not place highly sensitive information on a publicly accessible server!

<BR>

<P>Apache provides a simple authentication scheme by which a user can prove his identity to the server: <I>Basic</I> <I>authentication</I>. While the mechanisms used to verify the authentication information are reliable, you should be aware that Basic authentication is not secure. It assumes that your network connection to the server is trustworthy&mdash;an assumption that is questionable once you access your server from outside your local network. Be aware when you transmit a password that unless you are using a secure server, the password transaction is not encrypted in any way by the client browser. It is encoded using a process similar to the UNIX uuencode program, which ensures its integrity during transmission. However, this method of encoding doesn't provide any encryption or other means of securing the data. Anyone with some technical ability who intercepts the request could decode the password information and use it to access your restricted materials. You should also be aware that when you authenticate, this process is repeated for every document you request (your password and user ID are sent with every page request, thus your password is sent not once but many times).

<BR>

<P>Apache 1.1 adds a new form of authentication called <I>Digest </I><I>authentication,</I> which uses RSA MD5 encryption technology. The use of Digest authentication requires a supporting Web browser. Be aware that unless you are using a secure server to access your documents, the information that you transmit is still sent in world-readable form.

<BR>

<P>Now you understand that no single security measure is sufficient or infallible; that passwords can be compromised by someone decoding them or intercepting them; and that your networking wires can be tapped, or someone with access to a Domain Name System (DNS) server could make any machine masquerade as if it were in your network. The tools Apache provides can help you build a basic barrier to discourage and stop most unauthorized users from accessing your information.

<BR>

<P>Apache provides two methods you can use to control access to the documents you make available on the Web:

<BR>

<UL>

<LI>Host-based or domain-level access control

<BR>

<BR>

<LI>User authentication

<BR>

<BR>

</UL>

<P><A NAME="I2"></A>You can enable access control and user authentication on a serverwide basis or on a per-directory basis by using the appropriate access control file (ACF):

<BR>

<UL>

<LI>Serverwide access is controlled by settings in the global ACF, conf/access.conf.

<BR>

<BR>

<LI>Per-directory access control can be configured in the global ACF by using &lt;Directory&gt; sections, or in per-directory ACFs (.htaccess files). The use of per-directory ACFs may be restricted or not allowed by the global access control file.

<BR>

<BR>

</UL>

<BLOCKQUOTE>

<BLOCKQUOTE>

<HR ALIGN=CENTER>

<BR>

<NOTE>A section is a special type of directive that follows an SGML-type syntax: &lt;<I>directive</I> <I>option</I>...&gt;...&lt;/<I>directive</I>&gt;. Apache implements a few sections: &lt;VirtualHost&gt;, &lt;Directory&gt;, &lt;Limit&gt;, and new to 1.1, &lt;Location&gt;. The &lt;Location&gt; directive allows you to implement access control on a URL basis.

<BR>Access control on a per-file basis is not available to Apache versions prior to 1.1. If you need to restrict access to a file, you will need to create a directory for that file and restrict access to the directory instead.

<BR>Apache 1.1 introduces the &lt;Location&gt; section, which allows you to restrict access based on a uniform resource locator (URL) or file address.

<BR>Apache 1.2 will introduce a new section directive, &lt;File&gt;, which is similar in functionality to the &lt;Location&gt; section.</NOTE>

<BR>

<HR ALIGN=CENTER>

</BLOCKQUOTE></BLOCKQUOTE>

<P>In general, per-directory ACFs are not a good idea for a site that needs tight security because some of the directives can override settings you specified on your global ACF. However, if for administration reasons you want to relegate access control management to the owners of the materials, per-directory access control files are the only way to go.

<BR>

<P>The name of the per-directory ACF is set by the AccessFileName directive. This directive is typically found in conf/srm.conf. The default value for AccessFileName is

<BR>

<BR>

<PRE>

<FONT COLOR="#000080">AccessFileName .htaccess</FONT></PRE>

<P>Note that the period in the filename will make the file invisible to most users, unless they use the -a flag to ls (the program used for listing directories). Access control directives are usually found inside a &lt;Limit&gt; section. A &lt;Limit&gt; section contains control directives enclosed by a &lt;Limit&gt;...&lt;/Limit&gt; tag pair:

<BR>

<PRE>

<FONT COLOR="#000080">&lt;Limit <I>method method ...</I>&gt;

<I>ControlDirective</I>

...

&lt;/Limit&gt;</FONT></PRE>

<P><I>method</I><I> </I>refers to any valid HTTP access method (GET, POST, HEAD, and so on). Apache only enables GET, POST, and HEAD. The HEAD method returns an HTTP header describing the document, not the document itself. Other potentially dangerous methods are not implemented in Apache: PUT, DELETE, LINK, and UNLINK, so you should not have to worry about those. However, always read the documentation and be aware of HTTP methods that may compromise your security.

<BR>

<P>If the &lt;Limit&gt; section is in the global ACF inside a &lt;Directory&gt; section, the enclosed directives apply only to the directory tree listed in that &lt;Directory&gt; section. If they are found in a per-directory ACF, then all directories under that tree will share the requirements listed. If they are found outside a &lt;Directory&gt; section in the global ACF, then the requirement applies globally to all directories, even to documents outside your DocumentRoot pointed to by an Alias directive. (For more information, please refer to <A HREF="asg10.htm" tppabs="http://docs.rinet.ru:8080/Apachu/asg10.htm">Chapter 10</A>, &quot;Apache Modules.&quot;)

<BR>

<BR>

<A NAME="E68E165"></A>

<H3 ALIGN=CENTER>

<CENTER>

<FONT SIZE=5 COLOR="#FF0000"><B>Host-Based Access Control (Domain-Level Access Control)</B></FONT></CENTER></H3>

<BR>

<P>Host-based access control grants or denies access depending on the Internet Protocol (IP) address of the machine that generated the request. This system is the least intrusive to legitimate users because access is granted on the basis of the machine address. Machines matching a description are allowed or denied access to the document tree without requesting further information from the client.

<BR>

<P>Host-based access control is provided by the mod_access module. The mod_access module is compiled into Apache by default, so the directives it provides can be used without the need for additional configuration. 

<BR>

<P>The mod_access module provides three directives to help you control access to your site:

<BR>

<UL>

<LI>order

<BR>

<BR>

<LI>allow from

<BR>

<BR>

<LI>deny from

<BR>

<BR>

</UL>

<BR>

<A NAME="E69E181"></A>

<H4 ALIGN=CENTER>

<CENTER>

<FONT SIZE=4 COLOR="#FF0000"><B>The </B><B>order</B><B> Directive</B></FONT></CENTER></H4>

<BR>

<P>The order directive defines the order in which the allow and deny directives are evaluated within the &lt;Limit&gt; or &lt;Directory&gt; section. The syntax for the order directive is

<BR>

<P>order [deny,allow] | [allow,deny] | [mutual-failure]

<BR>

<P>The possible options are

<BR>



<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="80%" CELLPADDING=2 >

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

deny,allow 

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

Evaluates the deny directive first and then grants exceptions based on the allow directive.

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

allow,deny 

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

Evaluates the allow directive first and then grants exceptions based on the deny directive.

</FONT>

<TR>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

mutual-failure 

</FONT>

<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>

Evaluates so that only hosts that appear in the allow list and do not appear on the deny list are granted access.</FONT>

</TABLE><BR>
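<P>The three options compared on one constructed policy, as an added example (not from the original chapter or from Apache's source). The function names, the simplified host matcher, and the sample hosts are assumptions; the model takes access as initially permitted under deny,allow and initially refused under allow,deny, so a host that matches neither list is granted only under deny,allow.

```python
# Added illustration, not Apache source: a simplified model of how mod_access
# combines the order setting with the allow and deny lists.
def matches(spec, host, ip):
    """Simplified matcher: 'all', a partial IP address, or a domain-name suffix."""
    if spec == "all":
        return True
    if spec[0].isdigit():                  # assumption: leading digit means IP
        prefix = spec.rstrip(".")
        return ip == prefix or ip.startswith(prefix + ".")
    suffix = spec.lstrip(".").lower()
    host = host.lower()
    return host == suffix or host.endswith("." + suffix)   # dot boundary only

def access_allowed(order, allow, deny, host, ip):
    """Return True when the request is granted under the given order."""
    allowed = any(matches(s, host, ip) for s in allow)
    denied = any(matches(s, host, ip) for s in deny)
    if order == "deny,allow":
        granted = True                             # initial state: permitted
        granted = False if denied else granted
        granted = True if allowed else granted     # allow is evaluated last
        return granted
    if order == "allow,deny":
        granted = False                            # initial state: refused
        granted = True if allowed else granted
        granted = False if denied else granted     # deny is evaluated last
        return granted
    if order == "mutual-failure":
        return allowed and not denied
    raise ValueError("unknown order: " + order)

# Constructed policy and clients (documentation-reserved names and addresses).
ALLOW = [".example.com"]
DENY = ["192.0.2"]
CLIENTS = {
    "allow-only": ("www.example.com", "198.51.100.7"),
    "both": ("lab.example.com", "192.0.2.10"),
    "neither": ("client.example.net", "203.0.113.5"),
    "deny-only": ("host.example.org", "192.0.2.44"),
}

def decision_table():
    """Map each order mode to the decision for every sample client."""
    return {order: {name: access_allowed(order, ALLOW, DENY, h, ip)
                    for name, (h, ip) in CLIENTS.items()}
            for order in ("deny,allow", "allow,deny", "mutual-failure")}

if __name__ == "__main__":
    print(decision_table())
```

<P>With these lists, deny,allow refuses only the client that matches the deny list alone, while allow,deny and mutual-failure grant only the client that matches the allow list alone.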

<A NAME="E69E182"></A>

<H4 ALIGN=CENTER>

<CENTER>
