Admin Panel 2: Private Server Configuration

Revision as of 10:07, 21 June 2013 by BobS (talk | contribs) (Removed excess category tags)

This page allows you to set up a username and password that make your web page server private (restricting access to the root folder www). To use this feature you need to activate it in the file /www/.htaccess; a detailed description of how to do this is given below.

Defaults

Name       Default value
Username:  root
Password:  root

This form displays the current settings, which are "root" for both name and password. When you choose your own, make sure they are different.

After saving your user name/password pair you can find them in the file .htpasswd, which is located in folder *\Uniform Server\udrive\htpasswd\www


Security

A very important point to note: for security reasons the folder htpasswd is placed outside of the root folder www. Apache only serves data from designated root folders; UniServer's default installation has one public root folder, www, hence apanel's name and password cannot be served to the Internet.

Automatic protection - Web page server

Uniform Server serves web pages from the root folder www (*\Uniform Server\udrive\www). It contains a special file named .htaccess that protects the root folder and all folders and files below it. The default Apache directives within this file restrict access to localhost. The name/password pair set above has no effect until enabled in the .htaccess file; see below.

Name/password pair access

By enabling Apache directives in .htaccess you can force a user on your machine (or on the Internet) to enter a name and password to gain access to pages on your server.

You can add your own Apache directives to this file. The file provided splits into three main sections; understanding their interaction is important, especially when you want to put your servers on-line or make your server private.


.htaccess - Private or public server

The remainder of this section looks at the file .htaccess in more detail. It is a text file; to edit it, open it in any text editor, but never use a word processor: they add special characters and badly corrupt text files.

Uniform Server uses several .htaccess files, each protecting a particular area of the server. This one protects your web site and can be found in folder *\Uniform Server\udrive\www

The file looks like this:

# This file provides security to the server limiting access to the localhost only. 
# Comment to deactivate.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# To allow execution of cgi scripts in this directory uncomment next two lines.

AddHandler cgi-script .pl .cgi
Options +ExecCGI

#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user

I have split the above into three sections, describing each section in detail; at the end I combine all three sections.

Public Server

To create a public server the quickest, but not the best, way is to delete the .htaccess file. This removes any restrictions imposed; anyone on the Internet or local network can access all the folders and files in the root folder www.

Deleting the .htaccess file is a bit draconian: you lose flexibility and control. For example, let's look at the first section of this file.

File .htaccess, located in folder *\Uniform Server\udrive\www:

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

Section 1) The last three lines are commented; this means they are inactive and not protecting the folder or its sub-folders.

If this were the only section, it would have the same effect as deleting the file.

Alternatively you could delete all lines in this section; the effect would still be the same.

My real point: using just three comment characters you have put your server online; remove the comments and you are back to square one. It's that flexibility I am talking about. If you delete the lines, next time you wish to use them you may have to look up the format for the commands. Let's look at those three lines in more detail.


Localhost

The most secure way to develop a web site is to run the servers with localhost access only (UniServer's default). Note that the last three lines in section one, shown below, are uncommented, making them active. These three Apache directives are what I would call a cosy little group, meaning you will always find them arranged this way.

The first line states that the next two instructions will be executed in this order: Deny and then Allow. If you had twenty Allow instructions followed by one Deny, all those Allow instructions would be ignored and the Deny would be executed. Apache would then look for the first occurrence of Allow and execute it.

You must have that first line. It is normal practice to write the next two instructions in the order stated.

Deny from all means just that: no one has access to the Apache server. Now we make one exception, Allow from 127.0.0.1; this is the localhost IP address (the PC that Apache is running on).

File .htaccess, located in folder *\Uniform Server\udrive\www:

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Section 1) The last three lines are uncommented; this means they are active and protecting the folder where .htaccess resides and all its sub-folders.

a) Execute the next two commands in this order: Deny and then Allow.
b) Deny from all: no one is allowed access to the Apache server.
c) Allow from 127.0.0.1: localhost is the only exception and is allowed access.


Script execution

By default no root folder is allowed to run CGI scripts. In order to run scripts you need to inform Apache accordingly; the two lines in .htaccess section 2 do this.

Apache has no concept of user file extensions; your Perl scripts could have the extension .plug, .zap or whatever. To cater for this Apache has a number of small helper programs (handlers) that deal with this situation. The handler for CGI scripts is named "cgi-script"; you pass information to this handler by following its name with the file extensions that you are using for your scripts. For example, cgi-script .zap .pl informs Apache that files with these extensions are CGI scripts and are to be treated accordingly.

To run the handler it needs adding to Apache using the directive AddHandler. As a user you then need to inform Apache what you want to do with the scripts: you have two options, either to run or not run them.

To allow execution of scripts you use the option +ExecCGI; the default is -ExecCGI.

File .htaccess, located in folder *\Uniform Server\udrive\www:

# To disallow execution of cgi scripts in this directory comment next two lines.

AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI

Section 2) Allows script execution.

File .htaccess, located in folder *\Uniform Server\udrive\www:

# To disallow execution of cgi scripts in this directory comment next two lines.

# AddHandler cgi-script .bat .exe .pl .cgi
# Options +ExecCGI

Section 2) Comment the lines as shown to disable script execution.


Name Password Protection

The final section of .htaccess deals with user name and password protection; by default this is disabled. If you have put your servers online (see section 1) anyone on the Internet can view your web site. If you have restricted your server to localhost (the default) anyone with physical access to your PC can view your web site.

File .htaccess, located in folder *\Uniform Server\udrive\www:

#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user

Section 3) Commented to disable user name/password access to your web site; this is the default setting on installing UniServer.

Uncomment the last four lines to enable password protection. Any user trying to view your web site will be asked to enter a name and password. This is the name/password pair you entered for your personal server.

Please note this section is independent of the settings in section one; hence authentication will be required whatever section one allows.

File .htaccess, located in folder *\Uniform Server\udrive\www:

#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

Section 3) Uncomment the last four lines as shown to enable user name/password protection.

The first line, AuthName "Uniform Server - Secure Server Access", contains the text that is displayed in the authentication-required pop-up window; change this to match your web site.

  • AuthType Basic - The name and password are not encrypted; plain text is used, which is why they are not stored in the root folder.
  • AuthUserFile /htpasswd/www/.htpasswd - This is the path to your password file and informs Apache where to find it.
  • Require valid-user - This informs Apache that authentication must be used to access this folder (apanel's pages).

Note: It's not just the root folder that is protected; all folders and files within it are protected too. Typing the name of any page within your site directly into a browser will require authentication on first access.


Summary - Private Server

The complete .htaccess file is shown below. It is currently configured to allow localhost access (section 1), to run CGI scripts (section 2) and to require user authentication (section 3).

File .htaccess, located in folder *\Uniform Server\udrive\www:

# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

Section 1) To put your servers online, comment the last three lines in this section.

The default setting is localhost access: you can remain connected to the Internet, but only your local browser will be able to view and access your web-site server.

# To allow execution of cgi scripts in this directory uncomment next two lines.

AddHandler cgi-script .pl .cgi
Options +ExecCGI

Section 2) The default is to allow execution of scripts.

If you do not run CGI scripts, comment out the last two lines in this section.

#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root

#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user

Section 3) For a personal web server the last four lines have been uncommented. To access your web site a user must supply the correct user name and password.

To disable this, comment the last four lines. This allows everyone access, subject to the restriction set in section 1).
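Because the three sections combine independently, it is easy to end up with section 1 commented out (server online) while section 3 is still commented out (no password), which is the one combination that exposes the whole www folder to everyone. The following script is an added example, not part of Uniform Server or this page: it comments or uncomments one section of the www/.htaccess file the way the text describes, then audits which sections are active and names the resulting exposure. The sample file content is constructed from the listing above; the "/www/" web-root check is my own assumption about the udrive layout.

```python
# Constructed sample: the www/.htaccess file as shipped (section 3 still commented).
DEFAULT_HTACCESS = """\
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

# To allow execution of cgi scripts in this directory uncomment next two lines.
AddHandler cgi-script .pl .cgi
Options +ExecCGI

# To lock server, uncomment the next 4 lines.
#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
"""

# Directive prefixes (lower case) that make up each of the three sections.
SECTIONS = {
    "localhost": ("order ", "deny from", "allow from"),
    "cgi": ("addhandler cgi-script", "options "),
    "auth": ("authname", "authtype", "authuserfile", "require "),
}

def set_section(text, name, enable):
    """Uncomment (enable=True) or comment out (enable=False) one section's directives."""
    out = []
    for raw in text.splitlines():
        body = raw.lstrip("#").strip()
        if any(body.lower().startswith(p) for p in SECTIONS[name]):
            out.append(body if enable else "#" + body)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

def audit_htaccess(text):
    """Classify the active (uncommented) directives and name the resulting exposure."""
    active = [l.strip().lower() for l in text.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    localhost_only = (any(a.startswith("order deny,allow") for a in active)
                      and "deny from all" in active
                      and any(a.startswith("allow from 127.0.0.1") for a in active))
    cgi = (any(a.startswith("addhandler cgi-script") for a in active)
           and any(a.startswith("options") and "+execcgi" in a for a in active))
    userfile = next((a.split(None, 1)[1] for a in active if a.startswith("authuserfile ")), "")
    auth = "require valid-user" in active and bool(userfile)
    exposure = {(True, False): "localhost only, no password",
                (True, True): "localhost only, password required",
                (False, True): "online, password required",
                (False, False): "online, open to everyone"}[(localhost_only, auth)]
    return {"localhost_only": localhost_only, "cgi_enabled": cgi, "auth_enabled": auth,
            # assumption: the password file must not live under the served root /www/
            "userfile_in_webroot": userfile.startswith("/www/"), "exposure": exposure}

if __name__ == "__main__":
    print(audit_htaccess(DEFAULT_HTACCESS)["exposure"])
    print(audit_htaccess(set_section(DEFAULT_HTACCESS, "localhost", False))["exposure"])
```

Run it against a real copy of the file (read it with open(path).read()) before putting a server online to confirm the exposure line says what you intend.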



  Ric