Admin Panel 2: Private Server Configuration
Revision as of 17:55, 26 June 2008
This page allows you to set up a username and password that make your web page server private (restricting access to the root folder www). To use this feature you need to activate it in the file /www/.htaccess; a detailed description of how to do this is given below.
Defaults
Name | Default value | Comment |
Username: | root | This form displays the current settings, which are "root" for both name and password. |
Password: | root | When you choose your own, make sure they are different. |
After saving your user name/password pair you can find them in the file .htpasswd; this file is located in folder *\Uniform Server\udrive\htpasswd\www
Security
A very important point to note: for security reasons the folder htpasswd is placed outside of the root folder www. Apache only serves data from designated root folders; UniServer's default installation has one public root folder, www, hence apanel's name and password cannot be served to the Internet.
Automatic protection - Web page server
Uniform Server serves web pages from the root folder www (*\Uniform Server\udrive\www). It contains a special file named .htaccess which protects the root folder and all folders and files below it. The default Apache directives in this file restrict access to localhost. The name/password pair set above has no effect until it is enabled in the .htaccess file; see below.
Name/password pair access
By enabling Apache directives in .htaccess you can force a user on your machine (or on the Internet) to enter a name and password to gain access to pages on your server.
You can add your own Apache directives to this file. The file provided splits into three main sections; understanding how they interact is important, especially when you want to put your server on-line or make it private.
.htaccess - Private or public server
The remainder of this section looks at the file .htaccess in more detail. It is a text file; to edit it, open it in any text editor, but never use a word processor: they add special characters and badly corrupt text files.
Uniform Server uses several .htaccess files, each protecting a particular area of the server. This one protects your web-site and can be found in folder: *\Uniform Server\udrive\www
The file looks like this:

    # This file provides security to the server limiting access to the localhost only.
    # Comment to deactivate.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1

    # To allow execution of cgi scripts in this directory uncomment next two lines.
    AddHandler cgi-script .pl .cgi
    Options +ExecCGI

    #--
    # Activate this to use the Private Server Feature!
    #--
    # To lock server, uncomment the next 4 lines.
    # Defaults: Username - root; Password - root
    #AuthName "Uniform Server - Server Access"
    #AuthType Basic
    #AuthUserFile /htpasswd/www/.htpasswd
    #Require valid-user
I have split the above into three sections and describe each section in detail; at the end I combine all three sections again.
Public Server
To create a public server, the quickest but not the best way is to delete the .htaccess file. This removes any restrictions imposed: anyone on the Internet or local network can access all the folders and files in the root folder www.
Deleting the .htaccess file is a bit draconian: you lose flexibility and control. For example, let's look at the first section of this file.
File .htaccess, located in folder *\Uniform Server\udrive\www

Code:
    # This file provides security to the server limiting access to the localhost only.
    #Order Deny,Allow
    #Deny from all
    #Allow from 127.0.0.1

Comment: Section 1) The last three lines are commented; this means they are inactive and not protecting the folder or its sub-folders. If this was the only section it would have the same effect as deleting the file. Alternatively you could delete all lines in this section; the effect would still remain the same.
My real point: using just three comment characters you have put your server online; remove the comments and you are back to square one. It's that flexibility I am talking about. Delete the lines instead, and next time you wish to use them you may have to look up the format for the directives. Let's look at those three lines in more detail.
Localhost
The most secure way to develop a web-site is to run the servers with localhost access only (UniServer's default); note that the last three lines in section one, shown below, are uncommented, making them active. These three Apache instructions are what I would call a cosy little group, meaning you will always find them arranged this way.
The first line states that the next two instructions will be evaluated in this order: Deny and then Allow. The order of evaluation is fixed by this line, not by where the instructions appear in the file: if you had twenty Allow instructions followed by one Deny, all those Allow instructions would be passed over and the Deny would be evaluated first. Apache would then go back to the Allow instructions and evaluate them.
You must have that first line. It is normal practice to write the next two instructions in the order stated.
Deny from all means just that: no one has access to the Apache server. Now we make one exception, Allow from 127.0.0.1; this is the localhost IP address (the PC that Apache is running on).
File .htaccess, located in folder *\Uniform Server\udrive\www

Code:
    # This file provides security to the server limiting access to the localhost only.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1

Comment: Section 1) The last three lines are uncommented; this means they are active and protecting the folder where .htaccess resides and all its sub-folders. a) Evaluate the next two directives in this order: Deny and then Allow. b) Deny from all: no one has access. c) Allow from 127.0.0.1: the one exception, the localhost IP address (the PC that Apache is running on).
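The Order/Deny/Allow evaluation described above, as an added example (not code from this page or from Uniform Server): a small Python model of Apache 2.2's access-control semantics applied to the three lines of section one. The fragment LOCALHOST_ONLY is a constructed copy of that section and the function names are assumptions of the example. It shows that 127.0.0.1 gets through while any other address is refused, that swapping the textual position of the Deny and Allow lines changes nothing, and that commenting the three lines leaves the server open to every address.

```python
import ipaddress

# Constructed copy of the "Localhost" section of the page's .htaccess (not the project's file).
LOCALHOST_ONLY = """\
# This file provides security to the server limiting access to the localhost only.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
"""


def parse_access_directives(text):
    """Pull Order/Deny/Allow out of an .htaccess fragment.

    Commented lines are skipped, so commenting the three lines (as the page
    suggests for a public server) really does remove them from evaluation.
    Apache's built-in default when no Order line is present is Deny,Allow.
    """
    order, deny, allow = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif name in ("deny", "allow") and len(parts) >= 3 and parts[1].lower() == "from":
            (deny if name == "deny" else allow).extend(parts[2:])
    return order, deny, allow


def host_matches(client_ip, pattern):
    """True when client_ip matches 'all', an exact address or a CIDR block.

    Apache also accepts hostnames and partial addresses such as '192.168';
    those forms are out of scope for this example and never match here.
    """
    if pattern.lower() == "all":
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
        if "/" in pattern:
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False


def is_allowed(client_ip, text):
    """Apply Apache 2.2 Order semantics to one client address.

    Deny,Allow: all Deny directives are evaluated, then all Allow directives;
                an Allow match wins, and a request matching neither is allowed.
    Allow,Deny: all Allow directives, then all Deny directives; a Deny match
                wins, and a request matching neither is denied.
    The textual position of the Deny/Allow lines in the file plays no part.
    """
    order, deny, allow = parse_access_directives(text)
    denied = any(host_matches(client_ip, p) for p in deny)
    allowed = any(host_matches(client_ip, p) for p in allow)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order value: %s" % order)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.5", "203.0.113.9"):
        print(ip, "allowed" if is_allowed(ip, LOCALHOST_ONLY) else "denied")
```

Run it as a script to see the verdict for each sample address, or feed `is_allowed` the text of your own www/.htaccess. The model only handles `all`, exact addresses and CIDR blocks; hostnames and partial addresses, which Apache also accepts, are treated as non-matching.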
Script execution
By default, no root folder is allowed to run CGI scripts. In order to run scripts you need to inform Apache accordingly; the two lines in .htaccess section 2 do this.
Apache has no concept of user file extensions; your Perl scripts could have the extension .plug, .zap or whatever. To cater for this Apache has a number of small helpers, called handlers, that deal with this situation. The handler for CGI scripts is named "cgi-script"; you pass information to this handler by following its name with the file extensions that you are using for your scripts. For example, cgi-script .zap .pl informs Apache that files with these extensions are CGI scripts and are to be treated accordingly.
To use the handler it needs adding to Apache with the directive AddHandler. As a user you also need to inform Apache what you want to do with the scripts: you have two options, either to run or not run the scripts.
To allow execution of scripts you use the option +ExecCGI; the default is -ExecCGI.
File .htaccess, located in folder *\Uniform Server\udrive\www

Code:
    # To disallow execution of cgi scripts in this directory comment next two lines.
    AddHandler cgi-script .bat .exe .pl .cgi
    Options +ExecCGI

Comment: Section 2) Allows script execution.
File .htaccess, located in folder *\Uniform Server\udrive\www

Code:
    # To disallow execution of cgi scripts in this directory comment next two lines.
    # AddHandler cgi-script .bat .exe .pl .cgi
    # Options +ExecCGI

Comment: Section 2) Comment the lines as shown to disable script execution.
Name Password Protection
The final section of .htaccess deals with user name and password protection; by default this is disabled. If you have put your server online (see section 1) anyone on the Internet can view your web site. If you have restricted your server to localhost (the default) anyone with physical access to your PC can view your web site.
File .htaccess, located in folder *\Uniform Server\udrive\www

Code:
    #--
    # Activate this to use the Private Server Feature!
    #--
    # To lock server, uncomment the next 4 lines.
    # Defaults: Username - root; Password - root
    #AuthName "Uniform Server - Server Access"
    #AuthType Basic
    #AuthUserFile /htpasswd/www/.htpasswd
    #Require valid-user

Comment: Section 3) Commented to disable user name/password access to your web site; this is the default setting on installing UniServer.
Uncomment the last four lines to enable password protection. Any user trying to view your web site will be asked to enter a name and password. This is the name/password pair you entered for your personal server.
Please note this section is independent of the settings in section one; whether access comes from localhost or from the Internet, authentication will be required.
File .htaccess, located in folder *\Uniform Server\udrive\www

Code:
    #--
    # Activate this to use the Private Server Feature!
    #--
    # To lock server, uncomment the next 4 lines.
    # Defaults: Username - root; Password - root
    AuthName "Uniform Server - Server Access"
    AuthType Basic
    AuthUserFile /htpasswd/www/.htpasswd
    Require valid-user

Comment: Section 3) Uncomment the last four lines as shown to enable user name/password protection.
The first line, AuthName "Uniform Server - Secure Server Access", contains the text that is displayed in the authentication-required pop-up window; change this to match your web site.
- AuthType Basic - The name and password are not saved encrypted; plain text is used, hence why they are not stored in the root folder.
- AuthUserFile /htpasswd/www/.htpasswd - This is the path to your password file and informs Apache where to find it.
- Require valid-user - This informs Apache that authentication must be used to access this folder (apanel's pages).
Note: it's not just the root folder that is protected; all folders and files within it are protected. Typing the name of any page within your site directly into a browser will require authentication on first access.
Summary - Private Server
The complete .htaccess file is shown below. It is currently configured to allow localhost access (section 1), to run CGI scripts (section 2) and to require user authentication (section 3).
File .htaccess, located in folder *\Uniform Server\udrive\www

Code:
    # This file provides security to the server limiting access to the localhost only.
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1

Comment: Section 1) To put your servers online, comment the last three lines in this section. The default setting is localhost access: you can remain connected to the Internet, but only your local browser will be able to view and access your web-site server.

Code:
    # To allow execution of cgi scripts in this directory uncomment next two lines.
    AddHandler cgi-script .pl .cgi
    Options +ExecCGI

Comment: Section 2) The default is to allow execution of scripts. If you do not run CGI scripts, comment out the last two lines in this section.

Code:
    #--
    # Activate this to use the Private Server Feature!
    #--
    # To lock server, uncomment the next 4 lines.
    # Defaults: Username - root; Password - root
    AuthName "Uniform Server - Server Access"
    AuthType Basic
    AuthUserFile /htpasswd/www/.htpasswd
    Require valid-user

Comment: Section 3) For a personal web server the last four lines have been uncommented. To access your web site a user must supply the correct user name and password. To disable this, comment the last four lines; this allows everyone access, subject to the restriction set in section 1).
Ric |
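As an added example (not the page's or Uniform Server's own code), here is a Python audit of a www/.htaccess file that reports which of the three sections are active and flags the two mistakes the page cautions against: a password file placed inside the root folder, and a server that is both online and unprotected. PRIVATE_SERVER is a constructed copy of the summary file above; DOCUMENT_ROOT and the function names are assumptions of the example.

```python
# Constructed copy of the summary .htaccess the page describes, with all three
# sections active (added example data, not the project's file).
PRIVATE_SERVER = """\
# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# To allow execution of cgi scripts in this directory uncomment next two lines.
AddHandler cgi-script .pl .cgi
Options +ExecCGI

#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root
AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user
"""

# Assumption: the document root as it appears in AuthUserFile paths. On the page
# the root is the www folder of udrive, so it is written here as "/www".
DOCUMENT_ROOT = "/www"


def comment_out(text, *prefixes):
    """Prefix '#' to every line starting with one of prefixes, i.e. what the page
    means by "comment the last three lines" of a section."""
    return "\n".join("#" + line if line.startswith(prefixes) else line
                     for line in text.splitlines())


def active_directives(text):
    """Return [(directive_lower, argument_string)] for uncommented lines only."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        out.append((name.lower(), args.strip()))
    return out


def audit_htaccess(text, document_root=DOCUMENT_ROOT):
    """Classify the three sections and flag the mistakes the page warns about."""
    d = active_directives(text)
    order = next((a.lower() for n, a in d if n == "order"), "deny,allow")  # Apache default
    deny_all = any(n == "deny" and a.lower() == "from all" for n, a in d)
    allow_local = any(n == "allow" and a.lower() == "from 127.0.0.1" for n, a in d)
    handler_exts = [a.split()[1:] for n, a in d
                    if n == "addhandler" and a.lower().startswith("cgi-script")]
    exec_cgi = any(n == "options" and "+execcgi" in a.lower() for n, a in d)
    auth_file = next((a for n, a in d if n == "authuserfile"), None)
    requires_user = any(n == "require" for n, a in d)

    report = {
        "localhost_only": order == "deny,allow" and deny_all and allow_local,
        "cgi_enabled": exec_cgi and bool(handler_exts),
        "cgi_extensions": [e for exts in handler_exts for e in exts],
        "password_required": requires_user,
        "auth_user_file": auth_file,
        "warnings": [],
    }
    root = document_root.rstrip("/") + "/"
    if requires_user and auth_file is None:
        report["warnings"].append(
            "Require is active but no AuthUserFile is set: Apache has no password file to check")
    elif requires_user and auth_file.replace("\\", "/").startswith(root):
        report["warnings"].append(
            "AuthUserFile lies inside the document root and could be served to clients")
    if not report["localhost_only"] and not requires_user:
        report["warnings"].append(
            "server is public: no localhost restriction and no password required")
    return report


if __name__ == "__main__":
    for key, value in audit_htaccess(PRIVATE_SERVER).items():
        print("%-18s %s" % (key, value))
```

Point `audit_htaccess` at the contents of your own www/.htaccess to confirm the state you think the server is in; `comment_out` reproduces the page's "comment the last lines" edits so the public, no-CGI and unprotected variants can be checked the same way.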