Well now it's an Apache security rodeo...

Jim March 1.jim.march at gmail.com
Fri Jul 3 19:12:00 MST 2009


Sigh.  OK, I've got all the IP/router stuff done.  Kewl.  Now to give
it some password security!

First thing I tried was the security settings within Zoneminder.
Looked good, got to where login was needed for user "admin" on a
password I set, cool, except couldn't see any images anymore - local
or remote.  Checked the security restrictions on user "admin", it's
supposed to have all possible rights per the ZM management screens.
WTF?  Turn off login security in ZM and sure enough, I can see my
cameras again.

God.  Dammit.

Well by now I'm convinced that ZM is buggier than an ant farm anyways,
so to heck with it, this thing is running Apache, I oughta be able to
control it there, right?

Heh.

I ask about it on TFUG and Matt was kind enough to provide a link to a
decent-looking tutorial on Apache security:

On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob<matt at mattjacob.com> wrote:
> If you're running Apache as your web server, it's fairly trivial to
> set up HTTP Basic Authentication:
>
> http://httpd.apache.org/docs/2.2/howto/auth.html
>
> Matt

Ehhhh...it ain't working.

Hmmmm.  So let's go over what I did, see if I blew it?  (Given I've
never run the back-end to a website EVER, not unlikely...)

OK, here's exactly what I did:

1) I figured out where my web-stuff was sitting (including index.html): /var/www

2) I put a file there name of .htaccess containing:

---
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user zmuser
---

3) I made sure the directory /usr/local/apache/passwd/passwords
existed with everybody-can-read-it permissions (only root can write).

4) I ran the command:

sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser

...and gave it a password DIFFERENT from the user login password (user
is logging into XUbuntu as zmuser and passwords are NOT default).

And...shouldn't that have done it?  Yet it acts like there's still no
security at all.

There are directories under /var/www that contain data being served -
should I copy that .htaccess file down into them?

Note that I don't need separate user access levels for multiple
users...there's just the shop owner going to use this.

Thanks!

Jim
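
Added example, not part of the original post: a .htaccess like the one in step 2 only takes effect when the server config's AllowOverride for that directory includes AuthConfig (or All), which is a common reason such a file appears to do nothing. This Python sketch checks a config for that and confirms the AuthUserFile sits outside the document root; the server config text is a constructed sample and the function names are hypothetical.

```python
import posixpath
import re

# Constructed sample server config (not from the post): overrides disabled.
SAMPLE_CONF = """\
<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/>
    AllowOverride None
</Directory>
"""

# The .htaccess body quoted in step 2 of the post.
HTACCESS = """\
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user zmuser
"""

def is_under(path, parent):
    """True if path equals parent or lies below it (string check only)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")

def effective_allow_override(conf_text, docroot):
    """AllowOverride tokens from the most specific <Directory> covering docroot."""
    best, tokens = -1, None
    pattern = r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>'
    for m in re.finditer(pattern, conf_text, re.S | re.I):
        directory = posixpath.normpath(m.group(1))
        found = re.search(r"^\s*AllowOverride\s+(.+)$", m.group(2), re.M | re.I)
        if found and is_under(docroot, directory) and len(directory) > best:
            best, tokens = len(directory), found.group(1).split()
    return tokens  # None: no section sets it, and the default varies by version

def audit(conf_text, htaccess_text, docroot):
    """Return reasons the .htaccess login may not be enforced or safe."""
    problems = []
    tokens = effective_allow_override(conf_text, docroot)
    if tokens is not None and not {"all", "authconfig"} & {t.lower() for t in tokens}:
        problems.append("AllowOverride " + " ".join(tokens) + ": .htaccess auth ignored")
    m = re.search(r'^\s*AuthUserFile\s+"?([^"\n]+?)"?\s*$', htaccess_text, re.M | re.I)
    if not m:
        problems.append("no AuthUserFile in .htaccess")
    elif is_under(m.group(1), docroot):
        problems.append("password file is inside the document root")
    return problems
```

A .htaccess file applies to its directory and every subdirectory, so once overrides are allowed the single file in /var/www covers the directories below it. The sketch does not handle wildcard `<Directory>` paths or `<DirectoryMatch>` sections.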

