This page was last modified: July 27 2006 16:21:07   

Website configuration tips & tricks

Read this first

The Apache configuration file httpd.conf contains settings that apply to all hosted domains, as well as domain-specific settings (those inside <VirtualHost> blocks). You do not want your users editing httpd.conf, but you can let them make site-specific settings themselves by allowing them to use .htaccess files.

A .htaccess file (note the leading dot) is a plain text file containing configuration directives. It can be placed in the root of a website or in any subdirectory, and its settings apply to that directory and all directories below it.

First of all, you must set the AllowOverride directive in httpd.conf. AllowOverride controls which kinds of directives are allowed in .htaccess files:

<Directory "/usr/local/www/example.com">
   AllowOverride All
</Directory>

Add a section like the above for each domain in which you want to allow .htaccess files. AllowOverride All is the most permissive choice; if you want to be more specific about what users may change, see the AllowOverride documentation for the individual override types (for example AuthConfig, which covers the authentication directives used below).

Remember to restart Apache to make the changes take effect.

The following sections of this page describe some examples of using .htaccess files.

Note: Instruct your users to upload .htaccess files in ASCII (text) mode. A file uploaded in BINARY mode from a Windows machine keeps its CRLF line endings and may not be parsed correctly by the server.

Password protection using a password file

This section describes how to protect all or part of a website against unauthorized access, using HTTP Basic authentication and a password file. The content of the .htaccess file:

AuthUserFile /usr/local/www/secure_directory/.htpasswd
AuthGroupFile /dev/null
AuthName "My protected site"
AuthType Basic

require valid-user

In the first line, replace the path with the full path to your own password file (the .htpasswd file created below). In the third line, replace the quoted text with a text of your choice; it is shown in the browser's login box. Note that Basic authentication sends the username and password base64-encoded, not encrypted, with every request, so combine it with SSL (see "How to force SSL" below) if the protected content is sensitive.

You may need to chmod the .htaccess file to 644 (rw-r--r--) so that the server can read it.

Create a directory outside the website's document root (for example one level above it). This is where you will create the password file; it must not be in a directory the web server serves to the public.

For example, my password file is in /usr/local/www/secure_directory/

Now you need to create the .htpasswd file. It holds one user per line in the form username:password, with no spaces around the colon. On Unix the password field must be a hash (crypt, MD5 or SHA1, as produced by the htpasswd command described below), not the clear-text password; only Apache on Windows and NetWare accepts clear-text passwords in this file. The following shows the layout, with clear-text passwords as accepted on those platforms:

pumpkin:345dog
radish:cat789
john:rabbit999

Each line must end with a line break, including the last one (the file ends with a newline).

Another way of creating the password file is the htpasswd command that ships with Apache; this requires shell (SSH) access to the server. On Unix this is the way to do it, because it writes the hashed form of the password.

When creating it for the first time, do this:

htpasswd -c /usr/local/www/secure_directory/.htpasswd jsmith
New password:
Re-type new password:
Adding password for user jsmith

The next time you want to add a user, omit the -c option (this is important to remember: -c creates a new file and overwrites the existing users and passwords in it). For security reasons, passwords are not echoed on the screen as you type.

This example shows how to change the password for an existing user (all on one line). The -b option takes the password on the command line, where it is visible in the process list and may be recorded in the shell history, so prefer the interactive prompt when you can:

htpasswd -b /usr/local/www/secure_directory/.htpasswd jsmith horse371
Updating password for user jsmith
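As an added example (not part of the original page), the following Python script mimics the parts of htpasswd used above: it writes the {SHA} entry format that htpasswd -s produces, adds or updates one user without touching the others, and shows what -c does, namely start from an empty file so that every existing entry is lost. The sample file content and user names are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Dict

# Constructed sample .htpasswd content (not from the original page).
# Apache's {SHA} format is "{SHA}" followed by base64(sha1(password));
# this entry is for the password "password".
SAMPLE_HTPASSWD = "jsmith:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"


def sha_entry(password: str) -> str:
    """Return the password field in Apache's {SHA} format (what `htpasswd -s` writes).

    Unsalted SHA1 is fast to crack offline; it is used here because it is
    simple to reproduce. On Apache 2.4 prefer `htpasswd -B` (bcrypt).
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Parse 'username:hash' lines into a dict; blank lines and comments are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, stored = line.partition(":")
        if sep:
            users[name] = stored
    return users


def set_password(text: str, username: str, password: str, create: bool = False) -> str:
    """Add or update one user and return the new file content.

    create=True behaves like `htpasswd -c`: it starts from an empty file,
    so every user that was already in `text` is lost.
    """
    users = {} if create else parse_htpasswd(text)
    users[username] = sha_entry(password)
    # Every line ends with a newline, as the page requires.
    return "".join(f"{name}:{stored}\n" for name, stored in users.items())


def check_password(text: str, username: str, password: str) -> bool:
    """Check a login the way the server would for a {SHA} entry."""
    stored = parse_htpasswd(text).get(username)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(stored, sha_entry(password))


if __name__ == "__main__":
    updated = set_password(SAMPLE_HTPASSWD, "pumpkin", "345dog")
    print(updated, end="")                      # jsmith is kept, pumpkin is added
    clobbered = set_password(SAMPLE_HTPASSWD, "pumpkin", "345dog", create=True)
    print(sorted(parse_htpasswd(clobbered)))    # only pumpkin remains, jsmith is gone
    print(check_password(updated, "jsmith", "password"))
```

Running the script shows the difference between the two modes directly: the update keeps both users, the create mode leaves only the user just added. The same happens on the server when -c is used a second time.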

Password protection using a database

It is possible to look up usernames and passwords in a database instead of reading them from a file. This section covers the steps to do this using the Apache module mod_auth_mysql.

If you have users who need to restrict access to their own websites, this is probably the best approach, since they can manage the accounts in their own database.

If you need to install the module, make sure you get the correct one for your version of Apache. After installation you should see a new "LoadModule auth_mysql_module" line in Apache's configuration file. Remove the # in front of that line and restart Apache.

The following assumes that MySQL and the Apache module mod_auth_mysql are installed.

Create the .htaccess file in the root of the area you wish to protect, with the following content (replace the placeholder values with your own information):

AuthName "Your Protected Area"
AuthType Basic

# Directives specific to mod_auth_mysql

# Auth_MySQL_Info [server] [user] [pass]
Auth_MySQL_Username mysql_username_here
Auth_MySQL_Password mysql_password_here
Auth_MySQL_DB mysql_databasename_here
Auth_MySQL_Password_Table tablename_here
Auth_MySQL_Username_Field username_field_here
Auth_MySQL_Password_Field password_field_here
Auth_MySQL_Encrypted_Passwords Off
# Set above to "On" if you used crypt() on users'
# passwords before storing them
Auth_MySQL_Non_Persistent On
Auth_MYSQL On
# Set the above to "Off" if you want other
# authentication to take over in case the visitor
# fails mysql authentication
Auth_MySQL_Empty_Passwords Off
# Set the above to "On" if you want to allow a correct
# username only, no password

# End mod_auth_mysql specific directives

require valid-user

The first three settings (Auth_MySQL_Username, Auth_MySQL_Password and Auth_MySQL_DB) are used to connect to the database. The next three name the table and the fields used to authenticate users. Because the database password is stored in the .htaccess file, make sure the file is not readable by other users on the server, and that Apache does not serve it to visitors (the default FilesMatch "^\.ht" deny rule in httpd.conf takes care of the latter; check that it is still in place).

The following demonstrates how to log in to MySQL and create a database and a table to hold your user accounts:

mysql -u username -p
Enter password:

mysql> create database mydatabase;

mysql> use mydatabase;

mysql> create table mytable (
    -> username varchar(25) not null,
    -> password varchar(25) not null,
    -> primary key (username)
    -> );

Here is an example of how to insert a user into the table you have just created. With Auth_MySQL_Encrypted_Passwords Off, as in the .htaccess above, the password is stored in clear text, so anyone who can read the table (or a backup of it) has every password. If you instead store a crypt() hash (MySQL's ENCRYPT() function produces one) and set the directive to On, a leaked table does not expose the passwords themselves; the password column must then be wide enough for the hash (34 characters for MD5-crypt):

mysql> insert into mytable (username, password) 
    -> values('Peter','dog6677');

You can list your users like this:

mysql> select * from mytable;

+----------+----------+
| username | password |
+----------+----------+
| Peter    | dog6677  |
| Alice    | cat3456  |
| John     | super33  |
+----------+----------+
3 rows in set (0.00 sec)

Another, more user-friendly way is to install phpMyAdmin and let your users use that instead.

How to force SSL

If a domain is also served over SSL, you can force SSL by adding this to your .htaccess file:

<IfModule mod_ssl.c>
SSLRequireSSL
</IfModule>
<IfModule !mod_ssl.c>
# no non-ssl access
order allow,deny
</IfModule>

Users trying to enter over a non-SSL connection get the "Forbidden" error page rather than a redirect, so publish the https:// address directly. The "order allow,deny" line uses the Apache 1.3/2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat, and the native equivalent is "Require all denied".

Prevent deep links

You may have certain files on your site that are not meant to be displayed on other people's websites via deep linking (also known as hot-linking). For example, you may have stunning photographs or movie files, and you don't want other people to include them in their pages by linking directly to them.

It is easy to limit this. Replace 'example.com' and 'path/to/picture.jpg' in the example below and put it into the .htaccess file at the root of the website. The first RewriteCond skips requests without a Referer header, so direct visits and browsers that suppress the header still get the real image; the second allows referers from example.com and its subdomains; anything else is rewritten to the replacement picture (use the [F] flag on the RewriteRule instead of a replacement if you prefer a 403 error):

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?example\.com [NC]
RewriteRule \.(gif|jpg)$ path/to/picture.jpg
</IfModule>
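As an added example (not part of the original page), the following Python script expresses the two RewriteCond lines and the RewriteRule pattern above as regular expressions and runs them over a handful of constructed requests. It shows what the rule does and does not catch: a missing Referer is let through, the pattern is anchored only at the start, so a referer host such as example.com.attacker.test passes as if it were your own site, only http:// referers count as your own (your own pages served over SSL are blocked), and the file pattern is case-sensitive. The tightened pattern STRICT_REFERER_OK is a suggested replacement, not from the page; the request paths and referer hosts are made up for the example.

```python
import re

# The two RewriteCond lines and the RewriteRule pattern from the .htaccess
# above, expressed as Python regular expressions.
#   RewriteCond %{HTTP_REFERER} .                                  -> referer must be non-empty
#   RewriteCond %{HTTP_REFERER} !^http://(.+\.)?example\.com [NC]  -> referer must NOT match
#   RewriteRule \.(gif|jpg)$ ...                                   -> only these file types
PAGE_REFERER_OK = re.compile(r"^http://(.+\.)?example\.com", re.IGNORECASE)
IMAGE_RULE = re.compile(r"\.(gif|jpg)$")  # no [NC] on the page, so case-sensitive

# Tightened referer pattern (a suggestion, not from the original page):
# accept http or https, and require the host to end right after example.com
# (optionally followed by a port), so example.com.attacker.test no longer matches.
STRICT_REFERER_OK = re.compile(r"^https?://([^/]+\.)?example\.com(?::\d+)?(/|$)", re.IGNORECASE)


def is_hotlink_blocked(path: str, referer: str, referer_ok=PAGE_REFERER_OK) -> bool:
    """True if mod_rewrite would apply the rule, i.e. serve the replacement picture."""
    if not IMAGE_RULE.search(path):
        return False            # RewriteRule pattern does not match this file
    if referer == "":
        return False            # first RewriteCond ('.') fails: no Referer header
    return referer_ok.match(referer) is None   # second RewriteCond: not our own site


# Constructed sample requests (not from the page): (request path, Referer header).
SAMPLE_REQUESTS = [
    ("photos/sunset.jpg", ""),                                         # direct visit, no referer
    ("photos/sunset.jpg", "http://www.example.com/gallery.html"),      # our own page
    ("photos/sunset.jpg", "https://example.com/gallery.html"),         # our own page over SSL
    ("photos/sunset.jpg", "http://forum.attacker.test/thread/12"),     # hotlink
    ("photos/sunset.jpg", "http://example.com.attacker.test/x.html"),  # spoofed host suffix
    ("photos/SUNSET.JPG", "http://forum.attacker.test/thread/12"),     # upper-case extension
    ("photos/sunset.png", "http://forum.attacker.test/thread/12"),     # type not in the rule
]


def evaluate(referer_ok=PAGE_REFERER_OK):
    """Map each sample request to whether it is blocked under the given referer pattern."""
    return {(path, ref): is_hotlink_blocked(path, ref, referer_ok) for path, ref in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, pattern in (("page rule", PAGE_REFERER_OK), ("strict rule", STRICT_REFERER_OK)):
        print(label)
        for (path, referer), blocked in evaluate(pattern).items():
            print(f"  {'BLOCK' if blocked else 'serve'}  {path:18} referer={referer or '(none)'}")
```

Adding [NC] to the RewriteRule makes the file pattern case-insensitive as well, and a replacement such as the strict pattern stops the host-suffix trick; neither change closes the no-referer case, which is inherent to referer-based checks and is the price of not breaking direct visitors.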