Solved

How to create a secure WWW site?

Posted on 1997-12-01
Last Modified: 2013-12-23
Hi,
I need to have a Web site that has a password authentication and works with https.
1. How do I get a password prompt (similar to the one at the Experts Exchange)?
2. I have looked at Apache and SSLeay but could not figure out how to configure them for this. Are they suitable for the task?
3. I understand a secure site needs a certificate. How do I get it?

Thanks,
Simon
Question by:simonff
Accepted Solution

by:
df020797 earned 200 total points
ID: 1583032
The certificates are associated with SSL sites. I.e., with which sites do I want to enable SSL in my client. SSL is a way to encrypt traffic between the server and client via RSA encryption.
This is done by installing SSL extensions on the webserver.

The password prompt like the one at this site is a simple htaccess auth. The method is included in most servers. This is done by using .htaccess, .htgroup and .htpasswd files in the directories you want to protect.

I include here examples on these files :

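.htaccess
AuthUserFile /home/myuser/public_html/secret/.htpasswd
AuthGroupFile /home/myuser/public_html/secret/.htgroup
AuthName Username
AuthType Basic

# Require applies to every HTTP method here; inside <Limit GET> it would
# restrict only GET requests and leave POST and others unauthenticated.
Require group mygroup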

.htgroup
mygroup: myuser

.htpasswd
myuser:EncryptedPasswordByStdUnixDesEncryption


In the directory (in webspace) you want to protect you put this .htaccess file, which points out which .htpasswd and .htgroup files it wants to use. Of course all .htaccess files could point to the same passwd and group file, but also point to special files if some areas are gonna be used by others than the normal users.

To encrypt you either use C progs or Perl programs. Both of them can use libcrypt. I include a Perl prog as an example of an encryption program:

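#!/bin/perl
# Print the crypt(3) hash of the password given as the first argument,
# in the form stored in the .htpasswd file.
use strict;
use warnings;

srand(time);
my $CPassword = crypt($ARGV[0], CreateSalt());
print("$CPassword\n");

# Build the two-character salt used by traditional DES crypt().
sub CreateSalt {
        my @Salt = (RandomChar(), RandomChar());
        return join("", @Salt);
}

# Return one random character from 0-9, A-Z, a-z.
sub RandomChar {
        my $Char = 0;

        # Keep drawing until the value is the code of an ASCII digit or letter.
        while (!(($Char >= 48 && $Char <= 57) || ($Char >= 65 && $Char <= 90) ||
                 ($Char >= 97 && $Char <= 122))) {
                $Char = int(rand(256));
        }

        return chr($Char);
}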

0
 

Expert Comment

by:grantk
ID: 1583033
Thank you. Some more questions:
1. Does the "realm" stuff mean that once I enter the password, I can browse inside this realm without reentering it?
2. The Apache manual says that for large group files DBM files should be used. How do I produce them?
3. Who gets the password that the user enters and who crypt()'s it to compare with the stored one? A CGI script? If so, how does it fit into the .htaccess philosophy?
4. Will Apache respect file locking if I am going to update the .ht* files from another application?
0
 

Author Comment

by:simonff
ID: 1583034
1) A user and password is saved in the browser until it's restarted, or you can tell the data to die within a time period via directives in the .htaccess file. The server challenges for user and password for all directories where the .htaccess exists, so if you have:

mydir
    - otherdir
             -nestdir
             .htaccess
    - mydiragain
           -fjukdir
                   .htaccess
           .htaccess

Everyone can browse mydir. Otherdir can't be browsed without a user and password hence there is a .htaccess, although nestdir can be browsed if you know the URL hence it has no .htaccess. Mydiragain and fjukdir are only browseable with user and dir hence it has .htaccess files.

2. DBM is a standard dbm format for unix. You can use makemap to produce dbm maps. Just type a text file and then run makemap dbm database.db < database.raw.text
I don't know in what format you should type the data to Apache though, because this format is application specific, not database specific.
3) A module in the www server does all this for you. And the .htaccess file is controlled by the www server.
4) No, it doesn't respect file locking. But this you can easily implement yourself in the progs you are making to update the .ht* files.

Regarding the mass of info in this question and that you continued to ask... could you adjust the points?
0
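
The point in answer 4 above, that programs updating the .ht* files must do their own locking, shown as an added example that is not part of the original thread: writers serialize on an advisory lock and swap the new file in with an atomic rename, so the web server never reads a half-written file. The function name, the ".lock" suffix, the 0640 mode and the sample entry are assumptions; the hash is a constructed placeholder.

```python
import fcntl
import os
import tempfile


def set_htpasswd_entry(path, user, pw_hash):
    """Add or replace `user` in an htpasswd-style file (one user:hash per line).

    Writers cooperate through flock() on path + ".lock" (hypothetical name).
    The server takes no lock, so the new content goes to a temp file that is
    moved into place with rename(), which is atomic on POSIX filesystems.
    """
    if ":" in user or "\n" in user or "\n" in pw_hash:
        raise ValueError("user/hash would corrupt the file format")

    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)      # blocks until other writers finish
        try:
            with open(path) as f:
                lines = f.read().splitlines()
        except FileNotFoundError:
            lines = []

        # Drop any existing entry for this user, then append the new one.
        lines = [l for l in lines if l.split(":", 1)[0] != user]
        lines.append(f"{user}:{pw_hash}")

        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        try:
            with os.fdopen(fd, "w") as out:
                out.write("\n".join(lines) + "\n")
                out.flush()
                os.fsync(out.fileno())
            os.chmod(tmp, 0o640)              # assumed mode: server reads via group
            os.replace(tmp, path)             # atomic swap; readers see old or new
        except BaseException:
            os.unlink(tmp)                    # never leave a stray temp file behind
            raise
    return lines                              # lock is released when `lock` closes


if __name__ == "__main__":
    demo = os.path.join(tempfile.mkdtemp(), ".htpasswd")   # constructed sample
    set_htpasswd_entry(demo, "myuser", "PLACEHOLDER_HASH")
    print(open(demo).read(), end="")
```

The lock only protects against other programs that take the same lock; the atomic rename is what keeps the server's reads consistent.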
 
Expert Comment

by:df020797
ID: 1583035
Adjusted points to 200
0
 

Author Comment

by:simonff
ID: 1583036
Thanx :-)

0
