<HTML>
<HEAD>
<TITLE>Special Edition Using Linux, Fourth Edition:Configuring Apache</TITLE>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
<SCRIPT>
<!--
function displayWindow(url, width, height) {
var Win = window.open(url,"displayWindow",'width=' + width +
',height=' + height + ',resizable=1,scrollbars=yes');
}
//-->
</SCRIPT>
</HEAD>
<!--ISBN=0789717468//-->
<!--TITLE=Special Edition Using Linux, Fourth Edition//-->
<!--AUTHOR=Jack Tackett//-->
<!--AUTHOR=Jr.//-->
<!--AUTHOR=Steve Burnett//-->
<!--PUBLISHER=Macmillan Computer Publishing//-->
<!--IMPRINT=Que//-->
<!--CHAPTER=36//-->
<!--PAGES=702-705//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="699-702.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="705-707.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H3><A NAME="Heading15"></A><FONT COLOR="#000077">Advanced Functionality</FONT></H3>
<P>You may want to exert even more control over your server or customize the operating environment in very specific ways. You can configure the Apache server to support advanced functionality, such as access control and user authentication.
</P>
<H4 ALIGN="LEFT"><A NAME="Heading16"></A><FONT COLOR="#000077">Host-Based Access Control</FONT></H4>
<P>You can control access to the server, or even a subdirectory of the server, based on the host name, domain, or IP number of the client’s machine. This is done by using the directives <TT>allow</TT> and <TT>deny</TT>, which can be used together with <TT>order</TT>. <TT>allow</TT> and <TT>deny</TT> can take multiple hosts:</P>
<!-- CODE SNIP //-->
<PRE>
deny from badguys.com otherbadguys.com
</PRE>
<!-- END CODE SNIP //-->
<P>Typically, you want to do one of two things: you want to deny access to your server from everyone but a few other machines, or you want to grant access to everyone except a few hosts. Denying access from all but a few machines is accomplished with these commands:
</P>
<!-- CODE SNIP //-->
<PRE>
order deny,allow
allow from mydomain.com
deny from all
</PRE>
<!-- END CODE SNIP //-->
<P>This configuration means, “Only grant access to hosts in the domain mydomain.com.” That domain includes hosts such as host1.mydomain.com, ppp.mydomain.com, and the-boss.mydomain.com.</P>
<P>The preceding directive tells the server to evaluate the <TT>deny</TT> conditions before the <TT>allow</TT> conditions when determining whether to grant access. Likewise, the “only exclude a couple of sites” case described earlier can be handled by using the following:</P>
<!-- CODE SNIP //-->
<PRE>
order allow,deny
allow from all
deny from badguys.com
</PRE>
<!-- END CODE SNIP //-->
<P><TT>order</TT> is needed because—again—the server needs to know which rule to apply first. The default for <TT>order</TT> is <TT>deny,allow</TT>.</P>
<P>A third option for <TT>order</TT>, called <TT>mutual-failure</TT>, requires a host to pass both the <TT>allow</TT> and the <TT>deny</TT> rules to succeed. In other words, it must appear in the <TT>allow</TT> list and must not appear in the <TT>deny</TT> list, as in the following example:</P>
<!-- CODE SNIP //-->
<PRE>
order mutual-failure
allow from mydomain.com
deny from the-boss.mydomain.com
</PRE>
<!-- END CODE SNIP //-->
<P>In this example, the-boss.mydomain.com is prevented from accessing this resource, but every other machine at mydomain.com can access it.
</P>
<BLOCKQUOTE>
<P><FONT SIZE="-1"><HR><B>CAUTION: </B><BR>Protecting resources by host name is dangerous. It’s relatively easy for a determined person who controls the reverse-DNS mapping for his IP number to spoof any host name he wants. Thus, it’s strongly recommended that you use IP numbers to protect anything sensitive.<HR></FONT></P>
</BLOCKQUOTE>
<P>In the same way that you can list a domain name to refer to any machine in that domain, you can give a fragment of an IP number to refer to a whole network:</P>
<!-- CODE SNIP //-->
<PRE>
allow from 204.62.129
</PRE>
<!-- END CODE SNIP //-->
<P>This allows only hosts whose IP numbers begin with that prefix, such as 204.62.129.1 or 204.62.129.130.
</P>
<P>Typically, these directives are used within a <TT>&lt;Limit&gt;</TT> container, and even that within a <TT>&lt;Directory&gt;</TT> container, usually in an access.conf configuration file. The following example is a good template for most protections; it protects the /www/htdocs/private directory from any host except those in the 204.62.129 IP space:</P>
<!-- CODE //-->
<PRE>
&lt;Directory /www/htdocs/private&gt;
Options Includes
AllowOverride None
&lt;Limit GET POST&gt;
# deny rules are evaluated first; the allow for this network then overrides
order deny,allow
deny from all
allow from 204.62.129
&lt;/Limit&gt;
&lt;/Directory&gt;
</PRE>
<!-- END CODE //-->
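<P>The following Python script is an added example, not code from the book or from Apache: it models how the server evaluates <TT>order</TT>, <TT>allow</TT>, and <TT>deny</TT> for one client, using the domain-suffix and IP-prefix matching described above, and runs the page's snippets against constructed clients. The client's host name and IP are passed in directly rather than resolved, and the last two snippets show why <TT>deny from all</TT> must be paired with <TT>order deny,allow</TT>.</P>

```python
# Added example, not code from the book: a model of how Apache decides access
# from order/allow/deny. Host name and IP are given directly (no DNS lookup).

def _matches(pattern, host, ip):
    """Does one allow/deny argument match a client (host name, IP string)?"""
    if pattern == "all":
        return True
    if pattern[0].isdigit():
        # Full IP or a leading fragment: "204.62.129" covers 204.62.129.x
        return ip == pattern or ip.startswith(pattern + ".")
    # Host name or domain: "mydomain.com" covers the-boss.mydomain.com
    return host == pattern or host.endswith("." + pattern)

def parse_access(text):
    """Collect the order and every allow/deny argument from a snippet."""
    order, allows, denies = "deny,allow", [], []  # deny,allow is the default
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "order":
            order = parts[1].lower()
        elif directive in ("allow", "deny") and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
    return order, allows, denies

def decide(text, host, ip):
    """True if the client is granted access under the snippet's rules."""
    order, allows, denies = parse_access(text)
    allowed = any(_matches(p, host, ip) for p in allows)
    denied = any(_matches(p, host, ip) for p in denies)
    if order == "deny,allow":
        # Deny rules first; a matching allow overrides; unmatched hosts pass.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Must match an allow and no deny; unmatched hosts are refused.
        return allowed and not denied
    raise ValueError("unknown order: " + order)

# Constructed snippets mirroring the page's examples.
ONLY_MYDOMAIN = "order deny,allow\nallow from mydomain.com\ndeny from all\n"
BLOCK_BADGUYS = "order allow,deny\nallow from all\ndeny from badguys.com\n"
NOT_THE_BOSS = ("order mutual-failure\nallow from mydomain.com\n"
                "deny from the-boss.mydomain.com\n")
# Under order allow,deny a matching deny is final: 'deny from all' refuses everyone.
NET_WRONG = "order allow,deny\ndeny from all\nallow from 204.62.129\n"
NET_RIGHT = "order deny,allow\ndeny from all\nallow from 204.62.129\n"
```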
<H4 ALIGN="LEFT"><A NAME="Heading17"></A><FONT COLOR="#000077">User Authentication</FONT></H4>
<P>When you place a resource under <I>user authentication</I>, you restrict access to it by requiring a name and password. This name and password are kept in a database on the server. This database can take many forms; Apache modules have been written to access flat-file databases, database management (DBM) file databases, mSQL databases (a freeware database), Oracle and Sybase databases, and more. This chapter covers only flat-file and DBM-format databases.</P>
<P>First, some basic configuration directives. The <TT>AuthName</TT> directive sets the authentication “realm” for the password-protected pages. The realm is what gets presented to clients when prompted for authentication, as in <TT>Please enter your name and password for the realm.</TT></P>
<P>The <TT>AuthType</TT> directive sets the authentication type for the area. In HTTP/1.0, there’s only one authentication type—Basic. HTTP/1.1 will have a few more, such as MD5.</P>
<P>The <TT>AuthUserFile</TT> directive specifies the file that contains a list of names and passwords, one pair per line. The passwords are not stored in the clear but as hashes produced by the standard UNIX <TT>crypt()</TT> routine. For example,</P>
<!-- CODE SNIP //-->
<PRE>
joe:D.W2yvlfjaJoo
mark:21slfoUYGksIe
</PRE>
<!-- END CODE SNIP //-->
<P>The <TT>AuthGroupFile</TT> directive specifies the file that contains a list of groups and members of those groups, separated by spaces like this:</P>
<!-- CODE SNIP //-->
<PRE>
managers: joe mark
production: mark shelley paul
</PRE>
<!-- END CODE SNIP //-->
<P>Finally, the <TT>require</TT> directive specifies what conditions need to be met for access to be granted. It can list only specified users who may connect, specify a group or list of groups of users who may connect, or say any valid user in the database is automatically granted access. The following is an example:</P>
<!-- CODE SNIP //-->
<PRE>
require user mark paul
(Only mark and paul may access.)
require group managers
(Only people in group managers may access.)
require valid-user
(Anyone in the AuthUserFile database may access.)
</PRE>
<!-- END CODE SNIP //-->
<P>The configuration file ends up looking something like this:
</P>
<!-- CODE SNIP //-->
<PRE>
&lt;Directory /www/htdocs/protected/&gt;
AuthName Protected
AuthType Basic
AuthUserFile /usr/local/etc/httpd/conf/users
&lt;Limit GET POST&gt;
require valid-user
&lt;/Limit&gt;
&lt;/Directory&gt;
</PRE>
<!-- END CODE SNIP //-->
<P>If you want to protect a directory to a particular group, the configuration file looks something like the following:
</P>
<!-- CODE //-->
<PRE>
&lt;Directory /www/htdocs/protected/&gt;
AuthName Protected
AuthType Basic
AuthUserFile /usr/local/etc/httpd/conf/users
AuthGroupFile /usr/local/etc/httpd/conf/group
&lt;Limit GET POST&gt;
require group managers
&lt;/Limit&gt;
&lt;/Directory&gt;
</PRE>
<!-- END CODE //-->
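<P>The following Python script is an added example, not code from the book or from Apache: it reads the <TT>AuthUserFile</TT> and <TT>AuthGroupFile</TT> formats shown above and evaluates a <TT>require</TT> line for a user who has already supplied a correct password. The sample file contents are constructed from the page's snippets; note that a name listed only in a group line (shelley, paul) has no password entry and so can never be granted access.</P>

```python
# Added example, not code from the book: the authorization step that follows a
# successful password check, evaluating one 'require' line against the
# AuthUserFile and AuthGroupFile formats shown on this page.

# Constructed file contents in those formats.
USERS_FILE = "joe:D.W2yvlfjaJoo\nmark:21slfoUYGksIe\n"
GROUPS_FILE = "managers: joe mark\nproduction: mark shelley paul\n"

def load_users(text):
    """AuthUserFile: one 'name:crypt-hash' per line -> {name: hash}."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            name, pw_hash = line.split(":", 1)
            users[name.strip()] = pw_hash.strip()
    return users

def load_groups(text):
    """AuthGroupFile: 'group: member member ...' per line -> {group: set}."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def authorized(require_line, user, users, groups):
    """Evaluate one 'require' directive for an already-authenticated user.
    The user must be present in AuthUserFile: a name that appears only in a
    group line (shelley, paul) can never pass the password check."""
    parts = require_line.split()
    if len(parts) < 2 or parts[0].lower() != "require" or user not in users:
        return False
    kind, names = parts[1].lower(), parts[2:]
    if kind == "valid-user":
        return True
    if kind == "user":
        return user in names
    if kind == "group":
        return any(user in groups.get(g, set()) for g in names)
    raise ValueError("unknown require type: " + kind)
```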
<P><BR></P>
</body></html>