The NCSA and Apache servers provide a system of security to sensitive documents on your server by allowing you to restrict access to directories. Access can be determined based on username/password authentication, IP address, or a combination of both. Directory access is controlled by the use of access configuration files (ACFs).
You may control access to any directory in your document tree with a global access configuration file. The global ACF lives in the conf directory and is specified by the AccessConfig directive in your httpd.conf file. The default is access.conf. Global ACFs have the userid and groupid of the server daemon, and therefore, the server administrator should be the only person who has access to the file. A global ACF is required.
You can also have per-directory access configuration files. These files describe access control for only the directories that they live in. Per-directory ACFs allow users who have write permission to certain directories available on the server to establish their own access rules. The name of per-directory ACFs is specified with the AccessFileName directive in the srm.conf file. The default name is .htaccess. Per-directory ACFs can be restricted or forbidden in the global ACF.
Both types of ACFs are constructed the same way, except for a few additional directives in global ACFs that specify directories and overrides.
Basically, an ACF does one or more of the following functions:
This is an example of a global ACF:
<Directory /projects> Options All AuthType Basic AuthUserFile /usr/local/etc/httpd/conf/.htpasswd AuthGroupFile /usr/local/etc/httpd/conf/.htgroup <Limit GET> order allow,deny allow from all </Limit> </Directory> <Directory /projects/golf> <Limit GET> order deny,allow deny from all allow from .golf.org </Limit> </Directory> <Directory /projects/golf/team> AuthName For Team Players Only <Limit GET> require group golfteam </Limit> </Directory> <Directory /projects/golf/team/captain> AuthName Captain Only <Limit GET> require user captain </Limit> </Directory>
This example shows the various ways in which access control can be implemented. The global ACF uses the Directory sectioning directives to enclose access information for different directories (wildcards may also be used to designate a set of directories). The settings for each different directory apply to that directory and all of its subdirectories unless overridden in a lower directory's specifications.
Per-directory ACFs contain the same information as <Directory> ... </Directory> sections, except without the Directory tags. Use of per-directory ACFs is controlled by the AllowOverride directive within <Directory> sections in the global ACF.
For user and group level authentication, a password file is needed. The location and name of the password file is specified in the AuthUserName directive. The easiest and most common way to create a password file is to use the htpasswd program that is distributed with the server. To create a new password file to store a new username and password, use this command:
% htpasswd -c pathname username
The -c option tells the program to open a file with the given pathname. The program will ask you to type the password you want to use for the given username twice, and the username and encrypted password will be stored in the new file. Other users can be added to the file by using the same command and pathname without the -c option.
Password files created with .htpasswd are similar to UNIX password files. Keep in mind, however, that there is no correspondence between valid users and passwords on a UNIX server and users and passwords on the Web server. You do not need an account on the UNIX server to have access to the Web server.
You can corral several users into a single named group by creating a group file. The location and name of the group file is specified with the AuthGroupFile directive. Each line of a group file specifies the group name, followed by a colon, followed by a list of valid usernames that belong to the group:
groupname: username1 username2 username3 ...
Each user in a group needs to be entered into the password file. When a group authentication is required, the server will accept any valid username/password from the group to allow access.
The .htpasswd user authentication scheme is known as the basic authentication method for HTTP servers. Apache and NCSA allow other types of authentication methods, which are configured with a similar set of directives.
This is a listing of all of the directives that may be used in global and per-directory access configuration files (ACFs).
allow from hostnames ...
The allow directive is used within the <Limit> section of an ACF. It specifies which hosts can access a given directory with a given method. The hostname can be any of the following:
A domain name, like .ora.com. Only hosts from that domain are permitted access.
A full hostname.
An IP address of a host.
The first 1 to 3 bytes of an IP address, for subnet restriction.
Using the word all means that all hosts are allowed.
There can be only one allow directive per <Limit> section. If omitted, there is no default.
AllowOverride options ...
Controls the extent to which you allow local per-directory access control files to override the global access defaults defined by the access.conf configuration file. The directive takes one or more options, which can be:
ACFs are not allowed in this directory.
ACFs are unrestricted in this directory.
Allow use of the Options directive.
Allow use of directory indexing directives.
Allow use of the AddType and AddEncoding directives.
Allow use of these directives: AuthName, AuthType, AuthUserFile, AuthGroupFile, or any other Auth* directives.
Allow use of the Limit section directive.
The AllowOverride directive can only be used for the global ACF. If omitted, the default is:
The Apache server can be configured to use DBM authentication in addition to basic authentication. The AuthDBMGroupFile directive specifies the location of the DBM group file. It replaces AuthGroupFile when DBM is used.
The Apache server can be configured to use DBM authentication in addition to basic authentication. The AuthDBMUserFile directive specifies the location of the DBM password file. It replaces AuthUserFile when DBM is used.
The Apache server can be configured to use Berkeley DB authentication, for sites that support DB but not DBM. The AuthDBUserFile directive specifies the location of the DB password file.
The Apache server can be configured to use Berkeley DB authentication, for sites that support DB but not DBM. The AuthDBGroupFile directive specifies the location of the DB group file.
Specifies the group filename as an absolute path. For example:
Sets the name of the authorization realm for this directory. The value is a short name describing this authorization realm; it can contain spaces.
Sets the type of authorization used in this directory. Basic authorization is the most commonly used method.
Specifies the file that contains a list of users and passwords for user authentication. The file name is given as the absolute path of a user file created with the htpasswd support program. For example:
deny from hostnames ...
The deny directive is used within a <Limit> section of an ACF. It affects which hosts are denied access to a directory. The hostnames can be any one of the following:
A domain name, like .ora.com. Hosts from that domain are denied access.
A full hostname.
The IP address of a host.
The first 1 to 3 bytes of an IP address, for subnet restriction.
Using the word all means that all hosts are denied access.
The <Directory> directive is a sectioning directive that identifies the directory or directories to which contained access-control directives apply. It is used to structure the global ACF, and cannot be used in a per-directory ACF. The start tag has the following format:
where dir is the absolute pathname of the directory, which may include wildcard characters (* and ?) to designate a set of directories.
The <Limit> directive is a sectioning directive that identifies which clients and users can access a directory. This directive applies to both the global ACF and per-directory ACFs. The start tag has the following syntax:
<Limit method1 method2 ...>
where method is one of the following:
Allows clients to retrieve documents and execute scripts with the GET request method.
Allows clients to use scripts and resources using the POST request method (mostly CGI programs).
The order, deny, allow, and require directives are the usual inhabitants of the Limit sectioning directive. Later versions of NCSA (1.5 and up) have three additional directives designed for the <Limit> section: referer, satisfy, and OnDeny.
A sectioning directive for specifying directives that apply to a given URL. Basically just a more specific version of <Directory>.
For NCSA versions 1.5 and later, the OnDeny directive can be used in a <Limit> section of an ACF to redirect the client to another URL if access to the directory has been denied.
Options options ...
Controls the degree of advanced features that you wish to allow on your server. One or more options may be listed on the Options line, separated by spaces. Valid entries are:
No features are enabled in this directory.
Allows users to request indexes in this directory.
Server-side includes are enabled in this directory.
Server-side includes are enabled in the directory, but the exec feature is disabled.
Execution of CGI scripts is allowed in this directory.
The server follows symbolic links in this directory.
The server only follows symbolic links if the target file/directory is owned by the same user ID as the link.
All features are enabled in this directory.
The Options directive can be used in both the global ACF and in per-directory ACFs. There can be only one Options directive per Directory segment. If omitted, the default is:
The order directive specifies the order in which deny and allow directives are evaluated within a <Limit> section. This directive is only available within <Limit> sections, but can be used on a global ACF or per-directory ACF basis. The order line can take one of the following forms:
deny directives are evaluated before allow directives (this is the default).
allow directives are evaluated before deny directives
This setting means that any host appearing on the allow list is allowed, any host listed on the deny list is denied, and any host not appearing in either list is denied.
referer allow|deny from URL
For NCSA version 1.5 or later, the referer directive can be used in a <Limit> section of an ACF to specify that a request in this directory must have originated from a specified location. The URL must use the service name (http:, etc.), and can be an exact match to a document name or use wildcards to designate a set of documents, directories, or servers.
require entity names ...
Specifies which authenticated users can access a given directory with a given method in a <Limit> section of an ACF. A require line requires that all of the appropriate Auth* directives are specified for the directory. entity is one of the following:
Only the named users can access this directory with the given methods. Each name is therefore a username that exists in the specified password file.
Only users in the named groups can access this directory with the given methods. Each name is therefore a group name that is listed in the specified group file.
All users listed in the AuthUserFile (specified password file) are allowed access upon providing a valid password.
For NCSA version 1.5 and later, the satisfy directive can be used in a <Limit> section of an ACF to control how access is handled when both allow and require directives are used (i.e., when both host and user/password authentication are set). The directive can take one of two values:
This setting means that a user must satisfy both the allow and require directives to gain access to the directory.
This setting means that a user must satisfy only one of the allow or require directives to gain access to the directory.
The following directives can also be used within the global ACF and per-directory ACFs as indicated:
Only per-directory ACFs
Only per-directory ACFs
All ACFs All ACFs
These directives are a subset of those allowed in srm.conf, and are described earlier in this chapter.
For the Apache server, other directory-specific configuration directives may be included in Directory sections or per-directory ACFs in addition to those listed above. A non-applicable directive should be unaffected.