Welcome to the MacNN Forums.

simonmartin · Jan 14, 2003, 01:58 PM

I have just created a site for a friend of mine and (due to my isp cacheing things and not alowing us to see changes for several days if I use my homepage there) have hosted it on my own box.

I'm nervous about security now, as I'm usually behind several firewalls.

How can I password protect my site hosted on 10.2.3 so that anyone who hits my machine can only get so far unless they know the password?

Many thanks

Simon

megus · Jan 14, 2003, 03:58 PM

Hi Simon, looks like we keep running in to each other

.

Have a look at this article. I think you'll find what your looking for.

It's off to the terminal, again

//megus

simonmartin · Jan 14, 2003, 04:23 PM

Originally posted by megus:
Hi Simon, looks like we keep running in to each other .

Have a look at this article. I think you'll find what your looking for.

It's off to the terminal, again

//megus

Hej Megus,

Bra artikel, tack sa mycket. Det ar en bit jag inte forstar...

(That's it :-) In the section which says "Next, it's really just a matter of telling Apache what directory we want to secure. Open (or create) your .htaccess file, and add the following:

AuthName "Uber Goober Ad Campaign"
AuthType Basic
AuthUserFile /Library/WebServer/.htpasswd

require valid-user"

Does this mean that "Uber Goober Ad Campaign" is the folder we are securing and that I should simply substitute "Sites" here?

Thanks mate.

I hate the Terminal...

Simon

megus · Jan 14, 2003, 04:31 PM

Ojd�, ser man p�

No, the AuthName tag is the realm name. You may have noticed it when logging in to certain sites, the login dialog presents a name of the realm you're about to enter.

You could pretty much name it anything.

Have a look here for more information on authentication in Apache.

//megus

simonmartin · Jan 14, 2003, 04:54 PM

Originally posted by megus:
Ojd�, ser man p�

No, the AuthName tag is the realm name. You may have noticed it when logging in to certain sites, the login dialog presents a name of the realm you're about to enter.

You could pretty much name it anything.

Have a look here for more information on authentication in Apache.

//megus

Megus,

Sorry mate, I'm a bit dense...

So a 'realm' is a secure area, yes? I still don't understand how I define what this secure area is. In other words, how do I ensure that the 'realm' in question is my 'Sites' folder?

Thanks

Simon

simonmartin · Jan 14, 2003, 05:04 PM

Originally posted by simonmartin:
Megus,

Sorry mate, I'm a bit dense...

So a 'realm' is a secure area, yes? I still don't understand how I define what this secure area is. In other words, how do I ensure that the 'realm' in question is my 'Sites' folder?

Thanks

Simon

Ok, I think I have it...

"The .htaccess file is the key to the whole thing. In the example in the article, you can move the '.htaccess' file to any directory, and that directory will be secured. In your case, simply move .htaccess to your Clients directory, and the passwords you set up in the .htpasswd should work there."

So... as long as I place the '.htaccess' file within my 'Sites' folder, that folder will be secured.

Yes?

Simon

megus · Jan 14, 2003, 05:40 PM

Yes that's it!

But, observe that if you would like the Webserver-root located at /Library/WebServer/Documents/ to also "AllowOverride All" then you'll also have to make the change in the httpd.conf file located at /private/etc/httpd/httpd.conf

//megus

simonmartin · Jan 15, 2003, 02:45 AM

Originally posted by megus:
Yes that's it!

But, observe that if you would like the Webserver-root located at /Library/WebServer/Documents/ to also "AllowOverride All" then you'll also have to make the change in the httpd.conf file located at /private/etc/httpd/httpd.conf

//megus

Megus,

(Sorry for the delayed reply, forums seemed to crash last night.)

Now you lost me a bit...

I'll keep reading the article through.

What is the Webserver-root? The topmost folder the webserver reads?

Thanks again

Simon

megus · Jan 15, 2003, 04:47 AM

If I understand correctly you have done the "AllowOverride All" change in the personal config-file located at /private/etc/httpd/users/yourShortName.conf.

This config change only allows .htaccess overrides inside your personal Sites-folder available at http://xxx.xxx.xxx.xxx/~yourShortName/

I just wanted to point out that if you for some reason wanted to allow .htaccess overrides in your webservers root-folder available at http://xxx.xxx.xxx.xxx/ you also need to edit the httpd.conf file and set AllowOverrides to All.

This also applies to any other user on your system, if there is more than you. To allow .htaccess overrides you'd need to edit their conf-files as well.

//megus

simonmartin · Jan 15, 2003, 01:38 PM

Originally posted by megus:
If I understand correctly you have done the "AllowOverride All" change in the personal config-file located at /private/etc/httpd/users/yourShortName.conf.

This config change only allows .htaccess overrides inside your personal Sites-folder available at http://xxx.xxx.xxx.xxx/~yourShortName/

I just wanted to point out that if you for some reason wanted to allow .htaccess overrides in your webservers root-folder available at http://xxx.xxx.xxx.xxx/ you also need to edit the httpd.conf file and set AllowOverrides to All.

This also applies to any other user on your system, if there is more than you. To allow .htaccess overrides you'd need to edit their conf-files as well.

//megus

Megus,

I think I follow that...

So, in order to affect the way Apache uses certain folders I need to place a .htaccess file within that folder giving Apache the correct instructions. The 'AllowOverride All' instruction is simply an easy way to ensure that the instructions are followed, rather than allowing individual commands to be 'Overridden' and changed.

If I wanted to override instructions for the root folder I have to edit the httpd.conf file.

Is that about right?

Simon