How to create a secure WWW site?

Hi,
I need to have a Web site that has password authentication and works with https.
1. How do I get a password prompt (similar to the one at Experts Exchange)?
2. I have looked at Apache and SSLeay but could not figure out how to configure them for this. Are they suitable for the task?
3. I understand a secure site needs a certificate. How do I get it?

Thanks,
Simon
df020797 commented:
The certificates are associated with SSL sites, i.e. with which sites I want to enable SSL in my client. SSL is a way to encrypt traffic between the server and client via RSA encryption.
This is done by installing SSL extensions on the webserver.

The password prompt like the one at this site is a simple htaccess auth. The method is included in most servers. This is done by using .htaccess, .htgroup and .htpasswd files in the directories you want to protect.

I include here examples of these files:

.htaccess
AuthUserFile /home/myuser/public_html/secret/.htpasswd
AuthGroupFile /home/myuser/public_html/secret/.htgroup
AuthName Username
AuthType Basic

<Limit GET>
Require group mygroup
</Limit>

.htgroup
mygroup: myuser

.htpasswd
myuser:EncryptedPasswordByStdUnixDesEncryption


In the directory (in webspace) you want to protect you put this .htaccess file, which points out which .htpasswd and .htgroup files it wants to use. Of course all .htaccess files could point to the same passwd and group file, but they can also point to special files if some areas are gonna be used by others than the normal users.

To encrypt you either use C programs or Perl programs. Both of them can use libcrypt. I include a Perl program as an example of an encryption program:

#!/usr/bin/perl
use strict;
use warnings;

# Print a crypt(3) hash of the password given on the command line, in the
# form expected by an .htpasswd entry. Modern Perl seeds rand() itself, so
# the old srand(time) call is not needed.
die "usage: $0 password\n" unless @ARGV;
my $CPassword = crypt($ARGV[0], CreateSalt());
print "$CPassword\n";

# Build a two-character salt ('.' and '/' are also valid salt characters).
sub CreateSalt {
    my @Salt = (RandomChar(), RandomChar());
    return join("", @Salt);
}

# Pick a random ASCII digit or letter (ranges are inclusive so that
# '0', '9', 'A', 'Z', 'a' and 'z' are not skipped).
sub RandomChar {
    my $Char = 0;
    while (!(($Char >= 48 && $Char <= 57)
          || ($Char >= 65 && $Char <= 90)
          || ($Char >= 97 && $Char <= 122))) {
        $Char = int(rand(256));
    }
    return chr($Char);
}

grantk commented:
Thank you. Some more questions:
1. Does the "realm" stuff mean that once I enter the password, I can browse inside this realm without reentering it?
2. The Apache manual says that for large group files DBM files should be used. How do I produce them?
3. Who gets the password that the user enters and who crypt()'s it to compare with the stored one? A CGI script? If so, how does it fit into the .htaccess philosophy?
4. Will Apache respect file locking if I am going to update the .ht* files from another application?
simonff (Author) commented:
1) A user and password is saved in the browser until it is restarted, or you can tell the data to die within a time period via directives in the .htaccess file. The server challenges for user and password for all directories where the .htaccess exists, so if you have:

mydir
    - otherdir
             - nestdir
             .htaccess
    - mydiragain
           - fjukdir
                   .htaccess
           .htaccess

Everyone can browse mydir. otherdir can't be browsed without a user and password because there is a .htaccess, although nestdir can be browsed if you know the URL because it has no .htaccess. mydiragain and fjukdir are only browseable with user and password because they have .htaccess files.

2) DBM is a standard dbm format for Unix. You can use makemap to produce dbm maps. Just type a text file and then run makemap dbm database.db < database.raw.text
I don't know in what format you should type the data for Apache though, because this format is application specific, not database specific.
3) A module in the www server does all this for you. And the .htaccess file is controlled by the www server.
4) No, it doesn't respect file locking. But you can easily implement this yourself in the programs you are making to update the .ht* files.

Regarding the mass of info in this question and that you continued to ask... could you adjust the points?
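What answers 3 and 4 above describe, as an added worked example written here rather than code from the thread or from Apache: the script loads .htpasswd and .htgroup files in the format given in the first answer, performs the check behind "Require group mygroup" (re-running crypt() on the submitted password with the stored hash as the salt, then testing group membership), and updates the password file the way a separate application should when the server itself does not lock it. The user, group, password, the scratch directory and the .lock/.tmp file names are constructed for the example. One point to note on the posted .htaccess: the <Limit GET> wrapper applies the Require directive to GET (and HEAD) requests only, so POST and other methods are left unrestricted unless the wrapper is dropped and "Require group mygroup" is placed directly in the file.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Apache: a model of what the
# server's auth module does with AuthUserFile/AuthGroupFile, plus a locked,
# atomic update of the password file.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);

# Salt alphabet for crypt(3): letters, digits, '.' and '/'. A two-character
# salt selects the traditional DES scheme the thread describes; a modern
# installation would use a '$6$...' style salt instead.
my @SaltChars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
sub CreateSalt { return join('', map { $SaltChars[int(rand(@SaltChars))] } 1..2); }

# Read "user:hash" lines (the AuthUserFile format shown in the first answer).
sub LoadPasswd {
    my ($file) = @_;
    my %users;
    open(my $fh, '<', $file) or die "cannot open $file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line eq '' || $line =~ /^#/;
        my ($user, $hash) = split(/:/, $line, 2);
        $users{$user} = $hash;
    }
    close $fh;
    return \%users;
}

# Read "group: user1 user2 ..." lines (the AuthGroupFile format shown above).
sub LoadGroups {
    my ($file) = @_;
    my %groups;
    open(my $fh, '<', $file) or die "cannot open $file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line eq '' || $line =~ /^#/;
        my ($group, $members) = split(/:/, $line, 2);
        $groups{$group}{$_} = 1 for split(' ', $members // '');
    }
    close $fh;
    return \%groups;
}

# The check behind "Require group mygroup": the stored hash doubles as the
# salt, so crypt() of the submitted password must reproduce it exactly.
# Entries that look like crypt() failure strings ("*0", "*1") or are shorter
# than a 13-character DES hash are rejected outright; otherwise a broken
# entry could match any password.
sub Authorize {
    my ($users, $groups, $group, $user, $password) = @_;
    my $stored = $users->{$user};
    return 0 unless defined $stored && length($stored) >= 13 && $stored !~ /^\*/;
    my $computed = crypt($password, $stored);
    return 0 unless defined $computed && $computed eq $stored;
    return $groups->{$group}{$user} ? 1 : 0;
}

# Add or replace a user's entry. Apache does not lock the file (answer 4
# above), so the updater serialises its own writers with an exclusive lock,
# writes a complete new file and rename()s it into place: the server only
# ever sees the old or the new file, never a half-written one.
sub SetPassword {
    my ($file, $user, $password) = @_;
    open(my $lock, '>>', "$file.lock") or die "cannot open lock file: $!";
    flock($lock, LOCK_EX) or die "cannot lock $file: $!";
    my $users = LoadPasswd($file);
    $users->{$user} = crypt($password, CreateSalt());
    my $tmp = "$file.tmp";
    open(my $out, '>', $tmp) or die "cannot write $tmp: $!";
    print $out "$_:$users->{$_}\n" for sort keys %$users;
    close($out) or die "write to $tmp failed: $!";
    rename($tmp, $file) or die "rename failed: $!";
    close $lock;
}

# Demo on constructed files in a scratch directory (removed at exit).
my $dir = tempdir(CLEANUP => 1);
my ($PasswdFile, $GroupFile) = ("$dir/.htpasswd", "$dir/.htgroup");
open(my $pw, '>', $PasswdFile) or die $!;
print $pw "myuser:" . crypt("secret", "ab") . "\n";   # constructed credential
close $pw;
open(my $gr, '>', $GroupFile) or die $!;
print $gr "mygroup: myuser\n";
close $gr;

my ($users, $groups) = (LoadPasswd($PasswdFile), LoadGroups($GroupFile));
for my $try ('secret', 'wrong') {
    print "myuser/$try: ", (Authorize($users, $groups, 'mygroup', 'myuser', $try) ? "allowed" : "denied"), "\n";
}
print "stranger: ", (Authorize($users, $groups, 'mygroup', 'stranger', 'secret') ? "allowed" : "denied"), "\n";

SetPassword($PasswdFile, 'myuser', 'newsecret');
$users = LoadPasswd($PasswdFile);
print "after update, myuser/newsecret: ", (Authorize($users, $groups, 'mygroup', 'myuser', 'newsecret') ? "allowed" : "denied"), "\n";
```

The rename step is what makes the update safe without cooperation from the server: a writer that edits .htpasswd in place leaves a window where the module may read a truncated file and deny everyone (or, worse, read a partial line). The lock file only coordinates your own updaters with each other. On a system where the DES variant of crypt(3) has been disabled, the two-character salt yields a failure string rather than a hash, which the length and "*" checks in Authorize turn into a denial instead of a false accept.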
df020797 commented:
Adjusted points to 200
simonff (Author) commented:
Thanx :-)
