Solved

How to create a secure WWW site?

Posted on 1997-12-01
Last Modified: 2013-12-23
Hi,
I need to have a Web site that has a password authentication and works with https.
1. How do I get a password prompt (similar to the one at the Experts Exchange)?
2. I have looked at Apache and SSLeay but could not figure out how to configure them for this. Are they suitable for the task?
3. I understand a secure site needs a certificate. How do I get it?

Thanks,
Simon
0
Question by:simonff
 
LVL 2

Accepted Solution

by:
df020797 earned 200 total points
ID: 1583032
The certificates are associated with SSL sites, i.e. with which sites do I want to enable SSL in my client. SSL is a way to encrypt traffic between the server and client via RSA encryption.
This is done by installing SSL extensions on the webserver.

The password prompt like the one at this site is a simple htaccess auth. The method is included in most servers. This is done by using .htaccess, .htgroup and .htpasswd files in the directories you want to protect.

I include here examples of these files:

.htaccess
AuthUserFile /home/myuser/public_html/secret/.htpasswd
AuthGroupFile /home/myuser/public_html/secret/.htgroup
AuthName Username
AuthType Basic

<Limit GET>
Require group mygroup
</Limit>

.htgroup
mygroup: myuser

.htpasswd
myuser:EncryptedPasswordByStdUnixDesEncryption


In the directory (in webspace) you want to protect you put this .htaccess file, which points out which .htpasswd and .htgroup files it wants to use. Of course all .htaccess files could point to the same passwd and group file, but also point to special files if some areas are going to be used by others than the normal users.

To encrypt you either use C progs or Perl programs. Both of them can use libcrypt. I include a Perl prog as an example of an encryption program:

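#!/bin/perl
# Print the crypt() hash of the password given as the first argument,
# ready to paste after "user:" in an .htpasswd line.
use strict;
use warnings;

# Characters that are valid in a traditional DES crypt() salt.
my @SaltChars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

die "usage: $0 password\n" unless @ARGV;

# rand() seeds itself on first use, so no explicit srand(time) is needed.
my $CPassword = crypt($ARGV[0], CreateSalt());
print("$CPassword\n");

# Build the two-character salt that DES crypt() expects.
sub CreateSalt {
        return join("", RandomChar(), RandomChar());
        }

# Pick one random character from the salt alphabet.
sub RandomChar {
        return $SaltChars[int(rand(@SaltChars))];
        }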

0
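What the server does with the password the browser sends, as an added example that is not part of the original answer. The function name, the sample password and the in-memory tables standing in for .htpasswd and .htgroup are assumptions, and the platform's crypt() is assumed to still support traditional DES hashes.

```perl
#!/usr/bin/perl
# Added example: checking an "Authorization: Basic" header against
# .htpasswd-style and .htgroup-style data.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# Constructed sample data mirroring the file layouts shown in the answer.
my %passwd = (myuser => crypt('opensesame', 'ab'));   # user  => crypt() hash
my %group  = (mygroup => ['myuser']);                 # group => member list

# Returns the user name if the header authenticates a member of $need_group,
# otherwise undef (the server would answer 401 and the browser would prompt).
sub check_basic_auth {
    my ($header, $need_group) = @_;
    return unless defined $header && $header =~ /^Basic\s+(\S+)$/i;

    # Base64 is an encoding, not encryption: anyone who can read the request
    # recovers the password, which is why the prompt belongs behind https.
    my ($user, $pass) = split /:/, decode_base64($1), 2;
    return unless defined $user && defined $pass;

    my $stored = $passwd{$user};
    return unless defined $stored;

    # crypt() takes its salt from the first characters of the stored hash,
    # so hashing the submitted password with it must reproduce the hash.
    my $computed = crypt($pass, $stored);
    return unless defined $computed && $computed eq $stored;

    # "Require group mygroup": the user must also be listed in the group.
    return (grep { $_ eq $user } @{ $group{$need_group} || [] }) ? $user : undef;
}

# Constructed headers, built the way a browser builds them.
my $good = 'Basic ' . encode_base64('myuser:opensesame', '');
my $bad  = 'Basic ' . encode_base64('myuser:wrong', '');

for my $case (['valid password', $good], ['wrong password', $bad], ['no header', undef]) {
    my $user = check_basic_auth($case->[1], 'mygroup');
    printf "%-15s => %s\n", $case->[0], defined $user ? "200 for $user" : '401';
}
```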
 

Expert Comment

by:grantk
ID: 1583033
Thank you. Some more questions:
1. Does the "realm" stuff means that once I enter the password, I can browse inside this realm without reentering it?
2. The Apache manual says that for large group files DBM files should be used. How do I produce them?
3. Who gets the password that the user enters and who crypt()'s it to compare with the stored one? A CGI script? If so, how does it fit into the .htaccess philosophy?
4. Will Apache respect file locking if I am going to update the .ht* files from another application?
0
 

Author Comment

by:simonff
ID: 1583034
1) A user and password is saved in the browser until it's restarted, or you can tell the data to die within a time period via directives in the .htaccess file. The server challenges for user and password for all directories where the .htaccess exists, so if you have:

mydir
    - otherdir
             -nestdir
             .htaccess
    - mydiragain
           -fjukdir
                   .htaccess
           .htaccess

Everyone can browse mydir. Otherdir can't be browsed without a user and password because there is a .htaccess, although nestdir can be browsed if you know the URL because it has no .htaccess. Mydiragain and fjukdir are only browseable with user and dir because they have .htaccess files.

2. DBM is a standard dbm format for Unix. You can use makemap to produce dbm maps. Just type a text file and then run makemap dbm datbase.db < database.raw.text
I don't know in what format you should type the data for Apache though, because this format is application specific, not database specific.
3) A module in the www server does all this for you. And the .htaccess file is controlled by the www server.
4) No, it doesn't respect file locking. But this you can easily implement yourself in the progs you are making to update the .ht* files.

Regarding the mass of info in this question and that you continued to ask... could you adjust the points?
0
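One way to do the locking from point 4 in the updating program, as an added example that is not part of the original comment. The function name, the ".lock" and ".tmp" file names and the sample users are assumptions, and crypt() is assumed to support traditional DES hashes.

```perl
#!/usr/bin/perl
# Added example: set one user's entry in an .htpasswd file under a lock.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);

my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Writers serialize on a separate lock file. The new content goes to a temp
# file and is rename()d into place, so the web server, which takes no lock,
# reads either the old file or the new one and never a half-written one.
sub set_password {
    my ($file, $user, $password) = @_;
    die "bad user name\n" if $user eq '' || $user =~ /[:\r\n]/;

    open(my $lock, '>>', "$file.lock") or die "open $file.lock: $!";
    flock($lock, LOCK_EX) or die "flock: $!";

    # Keep every line except an existing entry for this user.
    my @lines;
    if (open(my $in, '<', $file)) {
        chomp(@lines = grep { !/^\Q$user\E:/ } <$in>);
        close($in);
    }
    my $salt = join '', map { $salt_chars[int rand @salt_chars] } 1 .. 2;
    push @lines, "$user:" . crypt($password, $salt);

    my $tmp = "$file.tmp.$$";
    open(my $out, '>', $tmp) or die "open $tmp: $!";
    print {$out} map { "$_\n" } @lines;
    close($out) or die "close $tmp: $!";
    rename($tmp, $file) or die "rename $tmp: $!";

    close($lock);            # closing the handle releases the lock
    return scalar @lines;    # number of entries now in the file
}

# Demo in a scratch directory with constructed users.
my $htpasswd = tempdir(CLEANUP => 1) . '/.htpasswd';
set_password($htpasswd, 'myuser', 'first-pw');
set_password($htpasswd, 'other',  'other-pw');
my $count = set_password($htpasswd, 'myuser', 'second-pw');  # replaces the old line
print "entries: $count\n";
```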
 
LVL 2

Expert Comment

by:df020797
ID: 1583035
Adjusted points to 200
0
 

Author Comment

by:simonff
ID: 1583036
Thanx :-)

0
