  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 312

Is it wise (&feasible) for me to use .htaccess file for my application??

Hi Mr. Hoffman and Mr. Samri,
How u doin? Well i want to clarify that is it wise and feasible to write .htaccess file for my application which will be live 24/7 to thousands of users. Actually if you remember i have been constantly taking your and Samri's able guidance for hosting my application live. Still to refresh your memory i posted my query at (http://www.experts-exchange.com/Web/Web_Servers/Apache/Q_21100303.html). I have almost implemented all the things which you guys suggested. My envt is RHL 9.0/ Apache2.0 with mod_mono/ Mono 1.0. The users will be accessing some other directories too in the main application directory. e.g if i have placed the application directory "apps" as under /var/www/html/apps, now in this apps directory i have some other directories which the users will be needing to retrieve some data for their use. Should i check for the authentication at that level too? All I want is that only valid users may have access to that data. Although at the first entry point the .NET application asks for the authentication of the valid user but i was still wondering from my, i mean Apache's point of view. I don't know whether this is a valid question or not and i think you are in a better position to guide me. So from that point of view what do you suggest? I would really appreciate if you could guide me step by step...
Thanks in advance
Regards!!
0
parvinderg
2 Solutions
 
samriCommented:
hi parvinderg,

i am almost off to bed.

Regarding validity -- yes, as long as your question has "apache" word in it. :)

So we are looking at the following directory tree:

/var/www/html
/var/www/html/apps
/var/www/html/otherstuff
...

and quick answer, YES, you could use .htaccess to protect the stuff in any folder.  But first, jump to the usual :
http://httpd.apache.org/docs-2.0/howto/auth.html on protection and stuff.
http://httpd.apache.org/docs-2.0/howto/htaccess.html on more info on .htaccess

Most of the information is pretty much laid down by the Apache team there.

Basically, once you had protected a directory (either in .htaccess in that folder, or in <Directory>.. tag in server config), the ACL is pretty much inherited to the folder underneath.  As for your directory tree-- if you had protected /var/www/html/apps, anything under /var/www/html/apps/apps1, /var/www/html/apps/apps2, /var/www/html/apps/apps3 etc. would be protected.  Any access to any resource within that directory tree would be greeted with a password pop-up box.

Hope this could give you a kick start.

0
 
samriCommented:
Addition:  You may take a look at Apache FAQ at http://httpd.apache.org/docs/misc/FAQ.html
Specific section : "G. Authentication and Access Restrictions"

cheers.
0
 
parvindergAuthor Commented:
Thx Samri....I will just implement all these things and let u know..I m in US...btw where dya live?

Regards
0
 
yuzhCommented:
If you don't like the .htaccess files all over the place, you can use ONE file to control
the login access. (eg: access.conf, or whatever name you want to call it).

Just make sure that your httpd.conf has something that looks like:

AccessConfig /etc/apache/access.conf


0
 
yuzhCommented:
also have a look at:
http://www.itlab.musc.edu/mySiteMaker/LOGGING-HOWTO.html

"<Limit GET POST>
require valid-user
</Limit>"

 apply to the access.conf, so you can control the user login for the dir.
0
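The two approaches discussed above (samri's per-directory protection that is inherited by subdirectories, and yuzh's single central file), written out for the asker's Apache 2.0 as an added example that is not part of the original posts. The file locations, realm name and user name are assumptions. Apache 2.0 no longer has the AccessConfig directive, so the central file is pulled in with Include, and the Require line is left outside <Limit> so that it applies to every HTTP method.

```apache
# --- httpd.conf (assumed location: /etc/httpd/conf/httpd.conf) ---
# Apache 2.0 replacement for AccessConfig: include the central access file.
Include /etc/httpd/conf/access.conf

# --- /etc/httpd/conf/access.conf (hypothetical file name) ---
# Option A: all rules live in the server config, .htaccess files are ignored.
# The block covers /var/www/html/apps and every directory beneath it.
<Directory /var/www/html/apps>
    AllowOverride None
    AuthType Basic
    AuthName "apps"
    # Password file kept outside the DocumentRoot so it cannot be fetched
    # over HTTP. Create it once with:
    #   htpasswd -c /etc/httpd/conf/apps.htpasswd someuser
    AuthUserFile /etc/httpd/conf/apps.htpasswd
    Require valid-user
</Directory>

# Option B: delegate to .htaccess instead. Replace the block above with one
# that only permits authentication directives to be overridden:
#
#   <Directory /var/www/html/apps>
#       AllowOverride AuthConfig
#   </Directory>
#
# and put the four Auth*/Require lines into /var/www/html/apps/.htaccess.
# Apache then re-reads that file on every request under apps/.

# Basic authentication sends the password base64-encoded, not encrypted,
# so the protected tree should only be reachable over SSL.
```

Check the syntax with `apachectl configtest` before restarting, then request a file in a subdirectory of apps/ without credentials and confirm the server answers 401.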
 
samriCommented:
parvinderg,

Somewhere in GMT+8 timezone.  It's in Kuala Lumpur - *just woke up after 8 hours of hibernation :)
0
 
parvindergAuthor Commented:
Hi Samri...
How u doin? It's all great here:). Samri can u please help me in clarifying something about protecting server files in context to my case. How can i implement it when it comes to my application. What syntax do i need to write?
This is the link about which i need some explanation.
http://httpd.apache.org/docs-2.0/misc/security_tips.html#protectserverfiles
Regards
0
 
parvindergAuthor Commented:
can u explain especially about :
<Directory /usr/users/*/public_html>
Regards
0
 
samriCommented:
Hi parvinderg,

First of all, the URL that you mentioned is pretty much straightforward.  

# cd /; ln -s / public_html
Accessing http://localhost/~root/

simply means that you create a symbolic link for user root (since most root will have their home directory to be in / - the root of the filesystem) - for some reason that I could not think of.  The command would create a symbolic link public_html, to the root, so anybody that does http://yourserver/~root/ would actually be looking at /, since by default Options (http://httpd.apache.org/docs-2.0/mod/core.html#options) is set to All.  You could explicitly do Options -FollowSymLinks to disable traversal of symlinks.  However this would impose a different problem later on.

Next option would be following the recommendation from Apache website (since they knew the stuff better :);

<Directory />
Order Deny,Allow
Deny from all
</Directory>

This would, by default deny access to all parts of filesystem.  For each, access that is required, you would need to explicitly add the <Directory>... </Directory> tag to enable them.

The "<Directory /usr/users/*/public_html>" would cause a wildcard (*) match for any folder that is /usr/users/username/public_html to be substituted.  So you practically do not need to add a Directory tag for each user.  Also look at UserDir directive (http://httpd.apache.org/docs-2.0/mod/mpm_common.html#user) for a directive complementing this.

0
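The default-deny layout samri describes, put together for the asker's directory tree as an added example (not part of the original post). It assumes Apache 2.0 syntax, /var/www/html as the DocumentRoot, and user directories under /usr/users as in the linked security tips.

```apache
# 1. Default: nothing on the filesystem is served, no .htaccess is honoured,
#    and with Options None symbolic links are not followed anywhere.
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

# 2. Re-open only the tree that is meant to be served. Options is inherited
#    from the block above, so a link such as public_html -> / is not followed.
<Directory /var/www/html>
    Order Allow,Deny
    Allow from all
</Directory>

# 3. One wildcard block covers every /usr/users/<name>/public_html, so no
#    per-user <Directory> section is needed.
<Directory /usr/users/*/public_html>
    # Follow a symbolic link only when the link and its target have the
    # same owner; a user cannot link out to files owned by someone else.
    Options SymLinksIfOwnerMatch
    Order Allow,Deny
    Allow from all
</Directory>

# 4. Never map http://server/~root/ to root's home directory.
UserDir disabled root
```

Because section 1 denies everything, any directory not listed in a later <Directory> block stays unreachable, including ones added to the server afterwards.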
 
parvindergAuthor Commented:
Thanks a lot Samri and yuzh...
Regards
0
