Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.
Is it wise (&feasible) for me to use .htaccess file for my application??
Hi Mr. Hoffman and Mr. Samri,
How u doin? Well i want to clarify that is it wise and feasible to write .htaccess file for my application which will be live24/7 to thousands of users. Actually if you remember i have been constantly taking your and Samri's able guidance for hosting my application live. Still to refresh your memory i posted my query at (http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21100303.html). I have almost implemented all the things which you guys suggested. My envt is RHL 9.0/ Apache2.0 with mod_mono/ Mono 1.0. The users will be accessing some other directories too in the main application directory. e.g if i have placed the application directory "apps" as under /var/www/html/apps, now in this apps directory i have some other directories which the users will be needing to retrieve some data for thier use. Should i check for the authentication at that level tool? All I want is that only valid users may have access to that data. Although at the first entry point the .NET applcation asks for the authentication of the valid user but i was still wondering from my, i mean Apache's point of view. I dont know whether this is a valid question or not and i think you are in a better position to guide me. So from that point of view what do you suggest? I would really appreciate if you could guide me step by step...
Thanks in advance
Regards!!
How u doin? Well i want to clarify that is it wise and feasible to write .htaccess file for my application which will be live24/7 to thousands of users. Actually if you remember i have been constantly taking your and Samri's able guidance for hosting my application live. Still to refresh your memory i posted my query at (http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21100303.html). I have almost implemented all the things which you guys suggested. My envt is RHL 9.0/ Apache2.0 with mod_mono/ Mono 1.0. The users will be accessing some other directories too in the main application directory. e.g if i have placed the application directory "apps" as under /var/www/html/apps, now in this apps directory i have some other directories which the users will be needing to retrieve some data for thier use. Should i check for the authentication at that level tool? All I want is that only valid users may have access to that data. Although at the first entry point the .NET applcation asks for the authentication of the valid user but i was still wondering from my, i mean Apache's point of view. I dont know whether this is a valid question or not and i think you are in a better position to guide me. So from that point of view what do you suggest? I would really appreciate if you could guide me step by step...
Thanks in advance
Regards!!
Asked:
4-
4
-
2
2 Solutions
Addition: You may take a look at Apache FAQ at http://httpd.apache.org/docs/misc/FAQ.html
Specif section : "G. Authentication and Access Restrictions"
cheers.
Specif section : "G. Authentication and Access Restrictions"
cheers.
Thx Samri....I will just implement all these things and let u know..I m in US...btw where dya live?
Regards
Regards
If you don't like the .htaccess files in all over the place, you can use ONE file to crontrol
the login access. (eg: access.conf, or what evername you want to called it).
Just make sure that you httpd.conf has something looks like:
AccessConfig /etc/apache/access.conf
the login access. (eg: access.conf, or what evername you want to called it).
Just make sure that you httpd.conf has something looks like:
AccessConfig /etc/apache/access.conf
also have a look at:
http://www.itlab.musc.edu/mySiteMaker/LOGGING-HOWTO.html
"<Limit GET POST>
require valid-user
</Limit>"
apply to the access.conf, so you can control the user login for the dir.
http://www.itlab.musc.edu/mySiteMaker/LOGGING-HOWTO.html
"<Limit GET POST>
require valid-user
</Limit>"
apply to the access.conf, so you can control the user login for the dir.
parvinderg,
Somewhere in GMT+8 timezone. It's in Kuala Lumpur - *just woked up after 8 hours of hibernation :)
Somewhere in GMT+8 timezone. It's in Kuala Lumpur - *just woked up after 8 hours of hibernation :)
Hi Samri...
How u doin? It all great here:). Samri can u please help me in clarifying something about protecting server files in context to my case. How can i implement it when it comes to my application. What syntax do i need to write?
This is the link about which i need some explaination.
http://httpd.apache.org/docs-2.0/misc/security_tips.html#protectserverfiles
Regards
How u doin? It all great here:). Samri can u please help me in clarifying something about protecting server files in context to my case. How can i implement it when it comes to my application. What syntax do i need to write?
This is the link about which i need some explaination.
http://httpd.apache.org/docs-2.0/misc/security_tips.html#protectserverfiles
Regards
Hi parvinderg,
First of all, the URL that you mentioned is pretty much straighforward.
# cd /; ln -s / public_html
Accessing http://localhost/~root/
simply means that you create a symbolic link for user root (since most root will have their home directory to be in / - the root of the filesystem) - for some reason that I could not think of. The command, would create a symbolic_link public_html, to the root, so anybody that does http://yourserver/~root/ would actually be looking at /, since by default Options (http://httpd.apache.org/docs-2.0/mod/core.html#options) is set to All. You could explicitly do Option -FollowSymlinks to disable traversal of symlinks. However this would impose a different problem later on.
Next option would be following the recommendation from Apache website (since they knew the stuff better :);
<Directory />
Order Deny,Allow
Deny from all
</Directory>
This would, by default deny access to all parts of filesystem. For each, access that is required, you would need to explicitly add the <Directory>... </Directory> tag to enable them.
The "<Directory /usr/users/*/public_html>"
First of all, the URL that you mentioned is pretty much straighforward.
# cd /; ln -s / public_html
Accessing http://localhost/~root/
simply means that you create a symbolic link for user root (since most root will have their home directory to be in / - the root of the filesystem) - for some reason that I could not think of. The command, would create a symbolic_link public_html, to the root, so anybody that does http://yourserver/~root/ would actually be looking at /, since by default Options (http://httpd.apache.org/docs-2.0/mod/core.html#options) is set to All. You could explicitly do Option -FollowSymlinks to disable traversal of symlinks. However this would impose a different problem later on.
Next option would be following the recommendation from Apache website (since they knew the stuff better :);
<Directory />
Order Deny,Allow
Deny from all
</Directory>
This would, by default deny access to all parts of filesystem. For each, access that is required, you would need to explicitly add the <Directory>... </Directory> tag to enable them.
The "<Directory /usr/users/*/public_html>"
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
Featured Post
Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.
One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.
Tackle projects and never again get stuck behind a technical roadblock.
Join Now
i am almost off to bed.
Regarding validity -- yes, as long as your question has "apache" word in it. :)
So we are looking at the following directory tree:
/var/www/html
/var/www/html/apps
/var/www/html/otherstuff
...
and quick answer, YES, you could use .htaccess to protect the stuff in any folder. But first, jump to the usual :
http://httpd.apache.org/docs-2.0/howto/auth.html on protection and stuff.
http://httpd.apache.org/docs-2.0/howto/htaccess.html on more info on .htaccess
Most of the information is pretty much laid down by the Apache team there.
Basically, once you had protected the a directory (either in .htaccess in that folder, or in <Directory>.. tag in server config), the ACL is pretty much inherited to the folder underneath. As for your directory tree-- if you had protected /var/www/html/apps, andything /var/www/html/apps/apps1, /var/www/html/apps/apps2, /var/www/html/apps/apps3 etc. would be protected. Any access to any resource within that directory tree would be greeted with a password pop-up box.
Hope this could give you a kick start.