| Author |
Moving access control from htaccess to httpd.conf
|
|
| Steve Shaw 2006-05-20, 1:15 pm |
| Hi
I've been reading that it's better performance-wise to control access to
folders via the conf file rather than to use htaccess.
I have a website with about 40 users using htaccess for access control
and would like to change this.
My .htaccess file looks like this:
AuthUserFile /usr/local/etc/.htpasswd
AuthGroupFile /usr/local/etc/.htgroup
AuthName Website
AuthType Basic
<Limit GET>
require group webusers
</Limit>
So what exactly do I need to put in the httpd.conf file to do the same?
Also - if I need to add/remove users or change passwords can I still do
this by editing the .htpasswd and .group files or will I need to restart
Apache every time?
Thanks
Steve
| |
| Robert Ionescu 2006-05-20, 1:15 pm |
| Steve Shaw wrote:
> So what exactly do I need to put in the httpd.conf file to do the same?
Create a directory container with the path pointing to the directories
to protect (if it doesn't exist now, i.e. the container for the path
pointing to the DocumentRoot should exist):
<Directory /var/www/some/path>
AuthUserFile /usr/local/etc/.htpasswd
AuthGroupFile /usr/local/etc/.htgroup
AuthName Website
AuthType Basic
# so POST and other methods are unprotected.
<Limit GET>
require group webusers
</Limit>
</Directory>
> Also - if I need to add/remove users or change passwords can I still do
> this by editing the .htpasswd and .group files
You'll have to edit them and restart Apache (gracefully) as well.
--
Robert
| |
| Steve Shaw 2006-05-21, 1:19 am |
| Thanks
You added the comment
# so POST and other methods are unprotected.
Does this mean I should add something else here to improve security - am
I leaving things open with only Limit GET?
Also when you say restart Apache gracefully - I presume you mean I can
use /etc/init.d/httpd restart
Steve
Robert Ionescu wrote:
> Steve Shaw wrote:
>
> Create a directory container with the path pointing to the directories
> to protect (if it doesn't exist now, i.e. the container for the path
> pointing to the DocumentRoot should exist):
>
> <Directory /var/www/some/path>
> AuthUserFile /usr/local/etc/.htpasswd
> AuthGroupFile /usr/local/etc/.htgroup
> AuthName Website
> AuthType Basic
>
> # so POST and other methods are unprotected.
> <Limit GET>
> require group webusers
> </Limit>
> </Directory>
>
>
> You'll have to edit them and restart Apache (gracefully) as well.
>
| |
| Robert Ionescu 2006-05-21, 1:15 pm |
| Steve Shaw wrote:
> # so POST and other methods are unprotected.
>
> Does this mean I should add something else here to improve security - am
> I leaving things open with only Limit GET?
You're leaving every other request method open (POST, HEAD etc.). That
is usually not the intention. To protect every request method, remove
the <limit ....> - </limit> container.
> Also when you say restart Apache gracefully - I presume you mean I can
> use /etc/init.d/httpd restart
I meant http://httpd.apache.org/docs/2.0/en...g.html#graceful
--
Robert
| |
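The `<Limit GET>` problem discussed above can be checked for mechanically. The following is an added example, not part of the original thread: a small Python audit that flags every `require` placed inside a `<Limit>` container and lists which common methods the rule does not cover. The function name `audit_limit`, the `COMMON` method list and the second `<Directory>` in the sample are assumptions made for illustration; per the Apache `<Limit>` documentation, listing GET also covers HEAD.

```python
import re

# Constructed sample: the container from the thread, plus a variant without <Limit>.
SAMPLE_CONF = """\
<Directory /var/www/some/path>
AuthUserFile /usr/local/etc/.htpasswd
AuthGroupFile /usr/local/etc/.htgroup
AuthName Website
AuthType Basic
<Limit GET>
require group webusers
</Limit>
</Directory>
<Directory /var/www/other/path>
AuthUserFile /usr/local/etc/.htpasswd
AuthName Website
AuthType Basic
require valid-user
</Directory>
"""

COMMON = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"]  # illustrative, not exhaustive
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

def audit_limit(conf_text):
    """Return one finding per 'require' that sits directly inside <Limit ...>."""
    stack, findings = [], []  # stack holds (container name, argument) pairs
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip()))
            continue
        if line.lower().startswith("require ") and stack and stack[-1][0] == "limit":
            listed = set(stack[-1][1].split())
            if "GET" in listed:
                listed.add("HEAD")  # Apache docs: limiting GET also limits HEAD
            path = next((a for n, a in stack if n == "directory"), "(unknown)")
            findings.append({"line": lineno, "directory": path, "rule": line,
                             "uncovered": [x for x in COMMON if x not in listed]})
    return findings
```

An empty result means no `require` is scoped by `<Limit>`, which is the state reached by removing the container as suggested in the reply above.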
| Steve Shaw 2006-05-25, 1:25 am |
| Perfect
Thanks for the help, it's all working now - and a lot faster than using
htaccess ;-)
Robert Ionescu wrote:
> Steve Shaw wrote:
>
> You're leaving every other request method open (POST, HEAD etc.). That
> is usually not the intention. To protect every request method, remove
> the <limit ....> - </limit> container.
>
>
> I meant http://httpd.apache.org/docs/2.0/en...g.html#graceful
>
|