Re: Well now it's an Apache security rodeo...

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: Well now it's an Apache security rodeo...
Verify your server will allow .htaccess file overrides:

# locate httpd.conf
# vi /etc/httpd/conf/httpd.conf (or wherever it is)

<beware some versions of apache/apache2 use include files rather than place
Directory configuration in httpd.conf>

1) Directory
Find your section with the <Directory > tag and add "AllowOverride All"

<Directory /var/www/html/htaccess-enabled>
    Options FollowSymLinks
    AllowOverride All
</Directory>


Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride

http://www.sitedeveloper.ws/tutorials/htaccess.htm


2) Security

Should be fine, but check out this post:

http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

3) Restart

# apachectl restart


On Fri, Jul 3, 2009 at 7:12 PM, Jim March <> wrote:

> Sigh. OK, I've got all the IP/router stuff done. Kewl. Now to give
> it some password security!
>
> First thing I tried was the security settings within Zoneminder.
> Looked good, got to where login was needed for user "admin" on a
> password I set, cool, except couldn't see any images anymore - local
> or remote. Checked the security restrictions on user "admin", it's
> supposed to have all possible rights per the ZM management screens.
> WTF? Turn off login security in ZM and sure enough, I can see my
> cameras again.
>
> God. Dammit.
>
> Well by now I'm convinced that ZM is buggier than an ant farm anyways,
> so to heck with it, this thing is running Apache, I oughta be able to
> control it there, right?
>
> Heh.
>
> I ask about it on TFUG and Matt was kind enough to provide a link to a
> decent-looking tutorial on Apache security:
>
> On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob<> wrote:
> > If you're running Apache as your web server, it's fairly trivial to
> > set up HTTP Basic Authentication:
> >
> > http://httpd.apache.org/docs/2.2/howto/auth.html
> >
> > Matt
>
> Ehhhh...it ain't working.
>
> Hmmmm. So let's go over what I did, see if I blew it? (Given I've
> never run the back-end to a website EVER, not unlikely...)
>
> OK, here's exactly what I did:
>
> 1) I figured out where my web-stuff was sitting (including index.html):
> /var/www
>
> 2) I put a file there name of .htaccess containing:
>
> ---
> AuthType Basic
> AuthName "Restricted Files"
> # (Following line optional)
> AuthBasicProvider file
> AuthUserFile /usr/local/apache/passwd/passwords
> Require user zmuser
> ---
>
> 3) I made sure the directory /usr/local/apache/passwd/passwords
> existed with everybody-can-read-it permissions (only root can write).
>
> 4) I ran the command:
>
> sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
>
> ...and gave it a password DIFFERENT from the user login password (user
> is logging into XUbuntu as zmuser and passwords are NOT default).
>
> And...shouldn't that have done it? Yet it acts like there's still no
> security at all.
>
> There's directories under /var/www that contain data being served -
> should I copy that .htaccess file down into them?
>
> Note that I don't need separate user access levels for multiple
> users...there's just the shop owner going to use this.
>
> Thanks!
>
> Jim
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>




--
(503)754-4452 wiki.obnosis.com
scientology.obnosis.com
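
An added example, not part of the original thread and not Apache's own code: a Python check of which AllowOverride setting is in force for a directory, which decides whether the .htaccess auth directives discussed above are read at all. The sample configuration is constructed, and it assumes AuthConfig (the override class covering the auth directives) as a narrower alternative to All.

```python
import re

# Constructed sample resembling a stock config: overrides disabled for /var/www.
SAMPLE_BEFORE = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""
# Same constructed config after the fix, using the narrower AuthConfig class.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "Options Indexes FollowSymLinks\n    AllowOverride None",
    "Options Indexes FollowSymLinks\n    AllowOverride AuthConfig")

BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def effective_override(conf_text, target):
    """Return the AllowOverride classes in force for `target`, or None if unset.

    Handles plain-path <Directory> blocks only (no wildcards, regexes or
    Include files). Matching blocks are merged shortest path first, so the
    longest matching path that sets AllowOverride wins. When nothing is set,
    the built-in default applies, and that depends on the Apache version.
    """
    target = target.rstrip("/") + "/"
    best_len, classes = -1, None
    for path, body in BLOCK.findall(conf_text):
        prefix = path.rstrip("/") + "/"
        found = OVERRIDE.findall(body)
        if found and target.startswith(prefix) and len(prefix) > best_len:
            best_len, classes = len(prefix), found[-1].split()
    return classes

def htaccess_auth_honored(conf_text, target):
    """True if an explicit setting lets .htaccess auth directives take effect."""
    classes = [c.lower() for c in (effective_override(conf_text, target) or [])]
    return "all" in classes or "authconfig" in classes

if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, effective_override(conf, "/var/www"),
              htaccess_auth_honored(conf, "/var/www"))
```

To check a live server, pass the text of the file (and any included files) that actually holds the Directory blocks instead of the constructed samples.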