Re: Well now it's an Apache security rodeo...

Author: Michael Butash
Date:  
To: Main PLUG discussion list
Subject: Re: Well now it's an Apache security rodeo...
Use apache2.conf instead of httpd.conf on Ubuntu; they structure the
files differently... If you *must* modify httpd.conf or apache.conf
under Ubuntu, do so, but otherwise add a new file with the changes
under /etc/apache2/conf.d and they will be *included* per apache

That being said, Ubuntu's Apache structures site setup differently in
the form of *include* directories. Look for your "default-000" site
file under the /etc/apache2/sites-available/ directory, and modify that
for your directory security or associated overrides. Or just create a
new site altogether, and link it.

Might want to Google specifically for Ubuntu Apache questions; it works
differently from most other distros where it expects to find certain
information within the /etc/apache2 hierarchy.

-mb


On Fri, 2009-07-03 at 19:49 -0700, Lisa Kachold wrote:
> Verify your server will allow .htaccess file overrides:
>
> # locate httpd.conf
> # vi /etc/httpd/conf/httpd.conf (or wherever it is)
>
> <beware some versions of apache/apache2 use include files rather than
> place Directory configuration in httpd.conf>
>
> 1) Directory
> Find your section with the <Directory > tag and add "AllowOverride All"
>
> <Directory /var/www/html/htaccess-enabled>
>     Options FollowSymLinks
>     AllowOverride All
> </Directory>
>
> Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
>
> http://www.sitedeveloper.ws/tutorials/htaccess.htm
>
>
> 2) Security
>
> Should be fine, but check out this post:
>
> http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
>
> 3) Restart
> # apachectl restart
>
> On Fri, Jul 3, 2009 at 7:12 PM, Jim March <> wrote:
>         Sigh.  OK, I've got all the IP/router stuff done.  Kewl.  Now to
>         give it some password security!
>
>         First thing I tried was the security settings within Zoneminder.
>         Looked good, got to where login was needed for user "admin" on a
>         password I set, cool, except couldn't see any images anymore -
>         local or remote.  Checked the security restrictions on user
>         "admin", it's supposed to have all possible rights per the ZM
>         management screens.  WTF?  Turn off login security in ZM and sure
>         enough, I can see my cameras again.
>
>         God.  Dammit.
>
>         Well by now I'm convinced that ZM is buggier than an ant farm
>         anyways, so to heck with it, this thing is running Apache, I
>         oughta be able to control it there, right?
>
>         Heh.
>
>         I ask about it on TFUG and Matt was kind enough to provide a link
>         to a decent-looking tutorial on Apache security:
>
>         On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob <> wrote:
>         > If you're running Apache as your web server, it's fairly
>         > trivial to set up HTTP Basic Authentication:
>         >
>         > http://httpd.apache.org/docs/2.2/howto/auth.html
>         >
>         > Matt
>
>         Ehhhh...it ain't working.
>
>         Hmmmm.  So let's go over what I did, see if I blew it?  (Given
>         I've never run the back-end to a website EVER, not unlikely...)
>
>         OK, here's exactly what I did:
>
>         1) I figured out where my web-stuff was sitting (including
>         index.html): /var/www
>
>         2) I put a file there name of .htaccess containing:
>
>         ---
>         AuthType Basic
>         AuthName "Restricted Files"
>         # (Following line optional)
>         AuthBasicProvider file
>         AuthUserFile /usr/local/apache/passwd/passwords
>         Require user zmuser
>         ---
>
>         3) I made sure the directory /usr/local/apache/passwd/passwords
>         existed with everybody-can-read-it permissions (only root can
>         write).
>
>         4) I ran the command:
>
>         sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
>
>         ...and gave it a password DIFFERENT from the user login password
>         (user is logging into XUbuntu as zmuser and passwords are NOT
>         default).
>
>         And...shouldn't that have done it?  Yet it acts like there's
>         still no security at all.
>
>         There's directories under /var/www that contain data being
>         served - should I copy that .htaccess file down into them?
>
>         Note that I don't need separate user access levels for multiple
>         users...there's just the shop owner going to use this.
>
>         Thanks!
>
>         Jim
>         ---------------------------------------------------
>         PLUG-discuss mailing list -
>         
>         To subscribe, unsubscribe, or to change your mail settings:
>         http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

>
>
>
> --
> (503)754-4452 wiki.obnosis.com
> scientology.obnosis.com
>


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
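
Added example, not part of the original thread: how the advice above fits together in an Ubuntu site file, using the paths and user name from the quoted messages. Which site file under /etc/apache2/sites-available/ applies, and that it currently sets AllowOverride None for /var/www, are assumptions.

```apache
# Added illustration. Paths, realm and user name are taken from the thread;
# the site file's existing contents are assumed, not quoted from anyone.

# If the site file has a block like this, Apache never reads
# /var/www/.htaccess, so the Auth* lines placed there are silently ignored:
#
#   <Directory /var/www/>
#       Options FollowSymLinks
#       AllowOverride None
#   </Directory>

# Variant 1: keep the .htaccess file but permit only authentication
# directives in it. AuthConfig is narrower than "AllowOverride All", which
# would also let .htaccess change Options, handlers and similar settings.
#
#   <Directory /var/www/>
#       Options FollowSymLinks
#       AllowOverride AuthConfig
#   </Directory>

# Variant 2 (active here): put the directives in the site file itself and
# leave .htaccess disabled. A <Directory> section also applies to every
# subdirectory, so nothing has to be copied further down the tree.
<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride None

    AuthType Basic
    AuthName "Restricted Files"
    AuthBasicProvider file
    # Must be a regular file written by htpasswd, readable by the Apache
    # user, and kept outside /var/www so it cannot be fetched over HTTP.
    AuthUserFile /usr/local/apache/passwd/passwords
    Require user zmuser
</Directory>
```

After restarting Apache as in step 3 of the quoted reply, a request without credentials should return HTTP 401 instead of the page. Basic authentication sends the password base64-encoded on every request, so access from outside the local network needs SSL in front of it.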