Wednesday, December 29, 2010

HTTP/HTTPS -- Configure private directories

At first glance, this objective can mean two things: allowing users to set up public_html directories, or securing directories with configuration files or .htaccess. A great page detailing the setup of HTTP can be found at

Edit /etc/httpd/conf/httpd.conf and find the line UserDir disabled. Comment out this line, and uncomment the line UserDir public_html.
Restart the web server - service httpd restart
NOTE: There may be multiple layers of security blocking access, including folder, file and SELinux restrictions.
Specifically, ensure the apache user has access to the home and public_html directories, as well as all files under the public_html directory. Additionally, run setsebool -P httpd_enable_homedirs true

Securing directories
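Edit the /etc/httpd/conf/httpd.conf file and add the following inside the <Directory> container for the directory to protect (these directives are only valid in directory or .htaccess context):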

        AuthType Basic
        AuthName "Private area - authorization required"
        AuthUserFile /etc/httpd/conf/authusers
        Require valid-user
Add users to the authusers file - htpasswd /etc/httpd/conf/authusers username (if the file does not exist yet, add -c for the first user only; -c overwrites an existing file)
Restart the web server - service httpd restart
Access should now be restricted to username

The .htaccess method is traditionally used to restrict access to public_html directories, since the average user doesn't have access to edit the httpd.conf file.
In the target folder, touch two files: .htaccess and .htauthusers
Edit .htaccess and enter the following (note that AuthUserFile appears to need a fully qualified path)
AuthType Basic
AuthName "Private Area"
AuthUserFile /home/username/public_html/private/.htauthusers
Require valid-user
Execute htpasswd .htauthusers username
Access should now be restricted to user username
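
A sanity check for the .htaccess setup above, added here as an example and not part of the original post: the shell function check_htaccess (a name made up for this example) reads one .htaccess file and reports a missing Require line, a relative or missing AuthUserFile, and a password file kept inside the protected directory under a name other than .ht*. It assumes the stock httpd.conf rule that denies requests for .ht* files is still in place.

```shell
#!/bin/sh
# Audit one .htaccess file for the Basic-auth setup described above.
# Prints one finding per line; the return status is the number of findings.
# check_htaccess, note and directive are names made up for this example.
check_htaccess() {
    htaccess=$1
    findings=0
    note() { echo "$htaccess: $1"; findings=$((findings + 1)); }

    [ -r "$htaccess" ] || { note "cannot read file"; return "$findings"; }

    # Print the argument of the first matching directive
    # (directive names are case-insensitive; surrounding quotes are dropped).
    directive() {
        awk -v want="$1" 'tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); gsub(/"/, ""); print; exit }' "$htaccess"
    }

    authtype=$(directive AuthType)
    userfile=$(directive AuthUserFile)
    require=$(directive Require)

    [ "$authtype" = "Basic" ] || note "AuthType is '$authtype', expected Basic"
    [ -n "$require" ] || note "no Require line, so nothing is enforced"

    case $userfile in
        "") note "AuthUserFile is missing" ;;
        /*) [ -f "$userfile" ] || note "AuthUserFile $userfile does not exist"
            # Inside the protected directory, the password file is hidden from
            # browsers only by the stock rule that denies .ht* file names.
            dir=$(cd "$(dirname "$htaccess")" && pwd)
            case $userfile in
                "$dir"/*)
                    case $(basename "$userfile") in
                        .ht*) ;;
                        *) note "password file is downloadable: rename to .ht* or move it" ;;
                    esac ;;
            esac ;;
        *)  note "AuthUserFile '$userfile' is relative (resolved against ServerRoot)" ;;
    esac
    return "$findings"
}
```

Run it as check_htaccess /home/username/public_html/private/.htaccess; a return status of 0 means no findings.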
