Well now it's an Apache security rodeo...

Jim March 1.jim.march at gmail.com
Fri Jul 3 20:03:53 MST 2009


On Fri, Jul 3, 2009 at 7:49 PM, Lisa Kachold<lisakachold at obnosis.com> wrote:
> Verify your server will allow .htaccess file overrides:
>
> # locate httpd.conf
> # vi /etc/httpd/conf/httpd.conf (or wherever it is)
>
> <beware some versions of apache/apache2 use include files rather than place
> Directory configuration in httpd.conf>

Well I found the file (just one) but it's zero bytes...?

> 1) Directory
> Find your section with the <Directory > tag and add "AllowOverride All"
>
> <Directory /var/www/html/htaccess-enabled>
>     Options FollowSymLinks
>     AllowOverride All
>
> </Directory>
>
> Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
>
> http://www.sitedeveloper.ws/tutorials/htaccess.htm

OK, done, about to reboot...but first...

> 2) Security
>
> Should be fine, but check out this post:
>
> http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Ah.  'Kay, just for starters I added:

---
# secure htaccess file
<Files .htaccess>
 order allow,deny
 deny from all
</Files>
---

ALSO: should I assume that an .htaccess file at /var/www will also
control access to, say, /var/www/events?

THANKS!

Jim

> 3) Restart
>
> # apachectl restart
>
> On Fri, Jul 3, 2009 at 7:12 PM, Jim March <1.jim.march at gmail.com> wrote:
>>
>> Sigh.  OK, I've got all the IP/router stuff done.  Kewl.  Now to give
>> it some password security!
>>
>> First thing I tried was the security settings within Zoneminder.
>> Looked good, got to where login was needed for user "admin" on a
>> password I set, cool, except couldn't see any images anymore - local
>> or remote.  Checked the security restrictions on user "admin", it's
>> supposed to have all possible rights per the ZM management screens.
>> WTF?  Turn off login security in ZM and sure enough, I can see my
>> cameras again.
>>
>> God.  Dammit.
>>
>> Well by now I'm convinced that ZM is buggier than an ant farm anyways,
>> so to heck with it, this thing is running Apache, I oughta be able to
>> control it there, right?
>>
>> Heh.
>>
>> I ask about it on TFUG and Matt was kind enough to provide a link to a
>> decent-looking tutorial on Apache security:
>>
>> On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob<matt at mattjacob.com> wrote:
>> > If you're running Apache as your web server, it's fairly trivial to
>> > set up HTTP Basic Authentication:
>> >
>> > http://httpd.apache.org/docs/2.2/howto/auth.html
>> >
>> > Matt
>>
>> Ehhhh...it ain't working.
>>
>> Hmmmm.  So let's go over what I did, see if I blew it?  (Given I've
>> never run the back-end to a website EVER, not unlikely...)
>>
>> OK, here's exactly what I did:
>>
>> 1) I figured out where my web-stuff was sitting (including index.html):
>> /var/www
>>
>> 2) I put a file there name of .htaccess containing:
>>
>> ---
>> AuthType Basic
>> AuthName "Restricted Files"
>> # (Following line optional)
>> AuthBasicProvider file
>> AuthUserFile /usr/local/apache/passwd/passwords
>> Require user zmuser
>> ---
>>
>> 3) I made sure the directory /usr/local/apache/passwd/passwords
>> existed with everybody-can-read-it permissions (only root can write).
>>
>> 4) I ran the command:
>>
>> sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
>>
>> ...and gave it a password DIFFERENT from the user login password (user
>> is logging into XUbuntu as zmuser and passwords are NOT default).
>>
>> And...shouldn't that have done it?  Yet it acts like there's still no
>> security at all.
>>
>> There's directories under /var/www that contain data being served -
>> should I copy that .htaccess file down into them?
>>
>> Note that I don't need separate user access levels for multiple
>> users...there's just the shop owner going to use this.
>>
>> Thanks!
>>
>> Jim
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> (503)754-4452 wiki.obnosis.com
> scientology.obnosis.com

