On Fri, Jul 3, 2009 at 11:41 PM, Bob Elzer <bob.elzer@gmail.com> wrote:
You might want to try installing webmin.   http://www.webmin.com/
 
It makes it easier to maintain your apache config file; webmin knows where the files are for the different distros, so it will edit the correct ones for you.
Webmin is a way to break things really badly and might require more work than just configuring and learning Apache right.

The version of his webserver documents will be all he needs.
Webmin also has a great many security issues if not installed right.
From: plug-discuss-bounces@lists.plug.phoenix.az.us [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Lisa Kachold
Sent: Friday, July 03, 2009 11:32 PM
To: Main PLUG discussion list
Subject: Re: Well now it's an Apache security rodeo...



On Fri, Jul 3, 2009 at 8:03 PM, Jim March <1.jim.march@gmail.com> wrote:
On Fri, Jul 3, 2009 at 7:49 PM, Lisa Kachold<lisakachold@obnosis.com> wrote:
> Verify your server will allow .htaccess file overrides:
>
> # locate httpd.conf
> # vi /etc/httpd/conf/httpd.conf (or wherever it is)
>
> <beware some versions of apache/apache2 use include files rather than place
> Directory configuration in httpd.conf>

Well I found the file (just one) but it's zero bytes...?

YOU must have either a httpd.conf or an apache.conf file in a ServerRoot directory. (Usually /etc/apache or /etc/httpd/)
It could also be servername.conf; check your /etc/init.d/httpd file or /etc/rc.local (wherever it's started from) and version.
What is your version of Apache? 

Your DocumentRoot is going to be /var/www/ and you must have a <Directory> entry for it!

That directory entry must have the statement "AllowOverride All" like below:


> 1) Directory
> Find your section with the <Directory > tag and add "AllowOverride All"
>
> <Directory /var/www/html/htaccess-enabled>
>     Options FollowSymLinks
>     AllowOverride All
>
> </Directory>
>
> Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
>
> http://www.sitedeveloper.ws/tutorials/htaccess.htm

OK, done, about to reboot...but first...

> 2) Security
>
> Should be fine, but check out this post:
>
> http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Ah.  'Kay, just for starters I added:

That denies everyone!

---
# secure htaccess file
<Files .htaccess>
 order allow,deny
 deny from all
</Files>
---
# secure htaccess file
# Enter htpasswd information and auth stuff here
<Files .htaccess>
 order deny,allow
 deny from all
 allow from 192.168.1.0/24
 allow from 74.183.9.76
</Files>
 

ALSO: should I assume that an .htaccess file at /var/www will also
control access to, say, /var/www/events?
No, that .htaccess file is not hierarchical since it's not set up in your configuration globally, just for the directory.
<Note in your first htpasswd file you had a path and directory that were being protected, you would use the same syntax.> Experiment to learn.
You can have a <Directory> entry for each of your areas in your httpd (apache) conf files.


THANKS!

Jim
Sure anytime.  Email me off list or call or whatever you need.


> 3) Restart
>
> # apachectl restart
>
> On Fri, Jul 3, 2009 at 7:12 PM, Jim March <1.jim.march@gmail.com> wrote:
>>
>> Sigh.  OK, I've got all the IP/router stuff done.  Kewl.  Now to give
>> it some password security!
>>
>> First thing I tried was the security settings within Zoneminder.
>> Looked good, got to where login was needed for user "admin" on a
>> password I set, cool, except couldn't see any images anymore - local
>> or remote.  Checked the security restrictions on user "admin", it's
>> supposed to have all possible rights per the ZM management screens.
>> WTF?  Turn off login security in ZM and sure enough, I can see my
>> cameras again.
>>
>> God.  Dammit.
>>
>> Well by now I'm convinced that ZM is buggier than an ant farm anyways,
>> so to heck with it, this thing is running Apache, I oughta be able to
>> control it there, right?
>>
>> Heh.
>>
>> I ask about it on TFUG and Matt was kind enough to provide a link to a
>> decent-looking tutorial on Apache security:
>>
>> On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob<matt@mattjacob.com> wrote:
>> > If you're running Apache as your web server, it's fairly trivial to
>> > set up HTTP Basic Authentication:
>> >
>> > http://httpd.apache.org/docs/2.2/howto/auth.html
>> >
>> > Matt
>>
>> Ehhhh...it ain't working.
>>
>> Hmmmm.  So let's go over what I did, see if I blew it?  (Given I've
>> never run the back-end to a website EVER, not unlikely...)
>>
>> OK, here's exactly what I did:
>>
>> 1) I figured out where my web-stuff was sitting (including index.html):
>> /var/www
>>
>> 2) I put a file there named .htaccess containing:
>>
>> ---
>> AuthType Basic
>> AuthName "Restricted Files"
>> # (Following line optional)
>> AuthBasicProvider file
>> AuthUserFile /usr/local/apache/passwd/passwords
>> Require user zmuser
>> ---
>>
>> 3) I made sure the directory /usr/local/apache/passwd/passwords
>> existed with everybody-can-read-it permissions (only root can write).
>>
>> 4) I ran the command:
>>
>> sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
>>
>> ...and gave it a password DIFFERENT from the user login password (user
>> is logging into XUbuntu as zmuser and passwords are NOT default).
>>
>> And...shouldn't that have done it?  Yet it acts like there's still no
>> security at all.
>>
>> There's directories under /var/www that contain data being served -
>> should I copy that .htaccess file down into them?
>>
>> Note that I don't need separate user access levels for multiple
>> users...there's just the shop owner going to use this.
>>
>> Thanks!
>>
>> Jim
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>
> --
> (503)754-4452 wiki.obnosis.com
> scientology.obnosis.com
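An added example, not part of the thread and not Apache's own tooling: a POSIX shell "preflight" that checks, before `apachectl restart`, the three things this exchange turns on. Does the DocumentRoot's <Directory> block actually set AllowOverride (Apache's default is None, which makes it silently ignore .htaccess, which is the usual reason a fresh Basic-auth setup "acts like there's still no security")? Does the .htaccess carry AuthType, AuthUserFile and Require? And does the htpasswd file live outside the web tree with no permissions for "other", so it can neither be served nor read by every local account? The script runs offline against a constructed tree under a temp directory that reproduces the starting state described above; the tree layout, the placeholder hash and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread): pre-restart checks for an
# .htaccess Basic-auth setup. Runs against a constructed config tree under a
# temp dir; all paths and function names are assumptions of this example.

# allow_override CONF DIR: print the AllowOverride value of the
# <Directory DIR> block in CONF, or "None" if block or directive is absent.
allow_override() {
    awk -v want="$2" '
        tolower($1) == "<directory" {
            d = $2; gsub(/[">]/, "", d); sub(/\/$/, "", d)
            inblk = (d == want); next
        }
        tolower($1) == "</directory>" { inblk = 0; next }
        inblk && tolower($1) == "allowoverride" {
            $1 = ""; val = $0; sub(/^[ \t]+/, "", val)
        }
        END { print (val == "" ? "None" : val) }' "$1"
}

# htaccess_complete FILE: succeed when FILE carries the three directives a
# Basic-auth .htaccess needs; a missing one means an error or no protection.
htaccess_complete() {
    [ -f "$1" ] || return 1
    for d in AuthType AuthUserFile Require; do
        grep -qi "^[[:space:]]*$d[[:space:]]" "$1" || return 1
    done
}

# auth_user_file FILE: print the AuthUserFile path from FILE (empty if none).
auth_user_file() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# passwd_file_ok PASSWD DOCROOT: succeed only if the htpasswd file exists,
# lives outside DOCROOT (so it can never be served) and grants "other" no
# bits; the server reads it as its own user or group, nobody else should.
passwd_file_ok() {
    [ -f "$1" ] || { echo "missing password file $1"; return 1; }
    case "$1" in "$2"/*) echo "$1 is inside DocumentRoot $2"; return 1 ;; esac
    other=$(ls -ld "$1" | cut -c8-10)   # rwx bits for "other" from ls -l
    [ "$other" = "---" ] || { echo "$1 is world-accessible (other=$other)"; return 1; }
}

# preflight CONF DOCROOT: run every check for DOCROOT/.htaccess; succeed only
# when the auth it describes would actually be enforced after a restart.
preflight() {
    ok=0; ao=$(allow_override "$1" "$2")
    case "$ao" in
        [Aa]ll|*[Aa]uth[Cc]onfig*) echo "AllowOverride $ao: .htaccess honoured" ;;
        *) echo "AllowOverride $ao: .htaccess in $2 is IGNORED"; ok=1 ;;
    esac
    if htaccess_complete "$2/.htaccess"; then
        passwd_file_ok "$(auth_user_file "$2/.htaccess")" "$2" || ok=1
    else
        echo "$2/.htaccess lacks AuthType, AuthUserFile or Require"; ok=1
    fi
    return $ok
}

# make_demo_tree DIR: constructed tree reproducing the thread's starting state:
# complete .htaccess, world-readable htpasswd, <Directory> without AllowOverride.
make_demo_tree() {
    mkdir -p "$1/etc" "$1/var/www/events" "$1/passwd"
    printf '<Directory "%s/var/www">\n    Options FollowSymLinks\n</Directory>\n' \
        "$1" > "$1/etc/httpd.conf"
    printf 'AuthType Basic\nAuthName "Restricted Files"\nAuthBasicProvider file\nAuthUserFile %s/passwd/passwords\nRequire user zmuser\n' \
        "$1" > "$1/var/www/.htaccess"
    # Constructed htpasswd entry; the hash is a placeholder, not a real credential.
    echo 'zmuser:$apr1$PLACEHOLDER$notarealhash' > "$1/passwd/passwords"
    chmod 644 "$1/passwd/passwords"
}

# fix_demo_tree DIR: apply the two fixes the thread converges on: AllowOverride
# All in the DocumentRoot block, and a password file only owner/group can read.
fix_demo_tree() {
    awk '{ print }; tolower($1) == "options" { print "    AllowOverride All" }' \
        "$1/etc/httpd.conf" > "$1/etc/httpd.conf.new" \
        && mv "$1/etc/httpd.conf.new" "$1/etc/httpd.conf"
    chmod 640 "$1/passwd/passwords"
}

# Demo: before the fix the preflight fails, after it passes.
demo=$(mktemp -d)
make_demo_tree "$demo"
if preflight "$demo/etc/httpd.conf" "$demo/var/www"; then echo PASS; else echo "FAIL (before fix)"; fi
fix_demo_tree "$demo"
if preflight "$demo/etc/httpd.conf" "$demo/var/www"; then echo "PASS, safe to apachectl restart"; else echo FAIL; fi
rm -rf "$demo"
```

On a real host you would call `preflight` with the live httpd.conf (or whichever include file holds the <Directory> block for the DocumentRoot) and the DocumentRoot path instead of the demo tree. The mode check reads the permission string from `ls -l`, so it only inspects classic rwx bits; a more elaborate ACL would need a separate look.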