How to create a secure WWW site?

Hi,
I need to have a Web site that has a password authentication and works with https.
1. How do I get a password prompt (similar to the one at the Experts Exchange)?
2. I have looked at Apache and SSLeay but could not figure out how to configure them for this. Are they suitable for the task?
3. I understand a secure site needs a certificate. How do I get it?

Thanks,
Simon
simonff asked:
df020797 commented:
The certificates are associated with SSL sites, i.e. with which sites I want to enable SSL in my client. SSL is a way to encrypt traffic between the server and client via RSA encryption.
This is done by installing SSL extensions on the web server.

The password prompt like the one at this site is a simple htaccess auth. The method is included in most servers. This is done by using .htaccess, .htgroup and .htpasswd files in the directories you want to protect.

I include here examples of these files:

.htaccess
# AuthUserFile/AuthGroupFile take absolute filesystem paths.
AuthUserFile /home/myuser/public_html/secret/.htpasswd
AuthGroupFile /home/myuser/public_html/secret/.htgroup
AuthName "Username"
AuthType Basic

# Apply the requirement to every method. The original wrapped this in
# <Limit GET>, which would leave POST, HEAD and all other methods unprotected.
Require group mygroup

.htgroup
mygroup: myuser

.htpasswd
myuser:EncryptedPasswordByStdUnixDesEncryption


In the directory (in web space) you want to protect you put this .htaccess file, which points out which .htpasswd and .htgroup files it wants to use. Of course all .htaccess files could point to the same passwd and group file, but they could also point to special files if some areas are going to be used by others than the normal users.

To encrypt you use either C programs or Perl programs. Both of them can use libcrypt. I include a Perl program as an example of an encryption program:

#!/usr/bin/perl
# Print a crypt(3) .htpasswd entry for the password given on the command line.
use strict;
use warnings;

my $password = $ARGV[0];
die "usage: $0 <password>\n" unless defined $password;

# crypt(3) salt characters are [a-zA-Z0-9./]. The original character-code
# ranges excluded the end points of each range ('0', '9', 'A', 'Z', 'a', 'z')
# and never produced '.' or '/'.
my @salt_chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');

# Traditional DES crypt uses a two-character salt and only looks at the
# first 8 characters of the password.
sub create_salt {
    my $len = shift // 2;
    return join '', map { $salt_chars[ int( rand(@salt_chars) ) ] } 1 .. $len;
}

# rand() is seeded automatically by modern Perl; no srand(time) needed.
my $hashed = crypt($password, create_salt());
print "$hashed\n";

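To make the pieces above concrete, here is an added example (not code from the original post, and not Apache's own code) that models what the server's auth module does for a directory whose .htaccess says AuthType Basic and Require group mygroup: it issues the 401 challenge that produces the browser prompt, decodes the Authorization header the browser sends back, checks the password against the .htpasswd entry in constant time, and then checks the .htgroup membership. It assumes Apache's {SHA} htpasswd scheme (base64 of the raw SHA-1, what htpasswd -s writes) rather than the DES crypt format shown above; the users, passwords and file contents are constructed for the example.

```python
# Added example: a minimal model of Basic auth against .htpasswd/.htgroup.
# Not from the original post and not Apache's code. Assumes the {SHA}
# htpasswd scheme; all users, passwords and files below are constructed.
import base64
import hashlib
import hmac

REALM = "Username"            # the AuthName from the .htaccess above


def make_sha_entry(user: str, password: str) -> str:
    """One .htpasswd line in the {SHA} scheme (what `htpasswd -s` writes).
    It is unsalted SHA-1, so prefer `htpasswd -B` (bcrypt) on a real site;
    the verification flow below is the same either way."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> dict:
    """user -> stored hash; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        if sep:
            users[user] = stored
    return users


def parse_htgroup(text: str) -> dict:
    """group -> set of members, from 'group: user1 user2' lines."""
    groups = {}
    for line in text.splitlines():
        group, sep, members = line.partition(":")
        if sep:
            groups[group.strip()] = set(members.split())
    return groups


def check_password(stored: str, password: str) -> bool:
    """Constant-time comparison; only the {SHA} scheme is modelled here."""
    if not stored.startswith("{SHA}"):
        return False
    try:
        expected = base64.b64decode(stored[len("{SHA}"):], validate=True)
    except ValueError:
        return False
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def challenge() -> dict:
    """Headers of the 401 response that makes the browser show the prompt."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def basic_header(user: str, password: str) -> str:
    """What the browser sends back after the prompt: base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


# Constructed sample files standing in for the .htpasswd and .htgroup above.
SAMPLE_HTPASSWD = "\n".join([
    make_sha_entry("myuser", "correct horse"),
    make_sha_entry("otheruser", "s3cret"),
]) + "\n"
SAMPLE_HTGROUP = "mygroup: myuser otheruser\nadmins: otheruser\n"

# Hashed even for unknown users so response time does not reveal which
# usernames exist.
_DUMMY = make_sha_entry("x", "x").partition(":")[2]


def authorize(auth_header, required_group: str,
              htpasswd: str = SAMPLE_HTPASSWD, htgroup: str = SAMPLE_HTGROUP):
    """Return the username if the Authorization header satisfies
    'Require group <required_group>', else None (the server then answers
    with challenge() again)."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[len("Basic "):], validate=True)
        raw = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    users = parse_htpasswd(htpasswd)
    stored = users.get(user, _DUMMY)
    if not check_password(stored, password) or user not in users:
        return None
    if user not in parse_htgroup(htgroup).get(required_group, set()):
        return None
    return user


if __name__ == "__main__":
    print(challenge())
    print(authorize(basic_header("myuser", "correct horse"), "mygroup"))
    print(authorize(basic_header("myuser", "wrong"), "mygroup"))
```

This also answers the "who crypt()s it" question in the follow-up: nothing in the protected directory runs; the server module decodes the header on every request, hashes the submitted password with the scheme and salt of the stored entry, and compares. The browser re-sends the same header for every URL under the challenged path, which is why the prompt appears only once per realm.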

grantk commented:
Thank you. Some more questions:
1. Does the "realm" stuff mean that once I enter the password, I can browse inside this realm without re-entering it?
2. The Apache manual says that for large group files DBM files should be used. How do I produce them?
3. Who gets the password that the user enters, and who crypt()s it to compare with the stored one? A CGI script? If so, how does it fit into the .htaccess philosophy?
4. Will Apache respect file locking if I am going to update the .ht* files from another application?
simonff (Author) commented:
1) A user and password is saved in the browser until it is restarted, or you can tell the data to die within a time period via directives in the .htaccess file. The server challenges for user and password for all directories where the .htaccess exists, so if you have:

mydir
    - otherdir
             - nestdir
             .htaccess
    - mydiragain
           - fjukdir
                   .htaccess
           .htaccess

Everyone can browse mydir. otherdir can't be browsed without a user and password since there is a .htaccess, although nestdir can be browsed if you know the URL since it has no .htaccess. mydiragain and fjukdir are only browseable with user and password since they have .htaccess files.

2. DBM is a standard dbm format for Unix. You can use makemap to produce dbm maps. Just type a text file and then run makemap dbm database.db < database.raw.text
I don't know in what format you should type the data for Apache though, because this format is application specific, not database specific.
3) A module in the WWW server does all this for you. And the .htaccess file is controlled by the WWW server.
4) No, it doesn't respect file locking. But this you can easily implement yourself in the programs you are making to update the .ht* files.

Regarding the mass of info in this question and that you continued to ask... could you adjust the points?

df020797 commented:
Adjusted points to 200
simonff (Author) commented:
Thanks :-)
