All about AuthType, or authorization in Apache
Here I shall describe the facilities Apache offers for protecting the contents of a server, or parts of it.
Apache access-control directives
Control by IP address
If you simply need to allow or block access to some part of a site, or to the whole server, for particular IP addresses, use the following directives.
Attention! If you want to use these directives in a .htaccess file, check that the AllowOverride directive in your host's main Apache configuration file includes the Limit option.
Order
Values: Order (allow,deny | deny,allow)
The Order directive sets the order in which the Allow and Deny directives are read.
* allow,deny - the Allow directives are read first. If the client is not in that list, it is blocked. If it is, the Deny directives are read next (processing is not finished yet): if the client is there as well, it is blocked; if not, it is admitted. I.e. the client is admitted only if it appears in the Allow list and not in the Deny list.
* deny,allow - the Deny directives are processed first, and the clients in that list are rejected. Everyone else is admitted. I.e. the client is always admitted unless it is in the Deny list.
Allow and Deny
Format of the directives: (Allow | Deny) from (IP | IPs | all) [(IP | IPs | all) ...]
The Allow and Deny directives determine which clients are allowed or forbidden access to the server.
The directives accept:
* A single IP (IP) - an ordinary IP address, for example 127.0.0.1
* A group of IPs (IPs) - an address range, for example 192.168.1.0/24 to allow access only from the local network
* Any IP (all) - matches any IP address
After the word from there may be any number of such entries, separated by spaces.
Examples
File .htaccess
Order allow,deny
# Deny from all    # if you write this, even the addresses listed in the Allow directives
#                  # will not be admitted
Allow from 192.168.1.0/24 11.11.11.12
This file allows access only to clients from the local network or with the IP address 11.11.11.12.
Part of the file httpd.conf
...
<Directory "/home/Site.ru">
Order deny,allow
Deny from 33.250.11.25
</Directory>
...
This is how we ban a single IP address from a site.
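To make the Order/Allow/Deny rules above concrete, here is an added example (my own code, not part of the original article) that parses a snippet like the ones shown and evaluates a client address against it. It implements the full Apache semantics, including the case the description above does not spell out, an address that appears in both lists: under allow,deny a Deny match wins, under deny,allow an Allow match wins. Only the address forms the article lists (single IP, CIDR range, all) are recognised, and the LAN_ONLY snippet is constructed.

```python
import ipaddress

# Constructed snippet in the article's style: admit the local network and one outside address.
LAN_ONLY = """
Order allow,deny
Allow from 192.168.1.0/24 11.11.11.12
"""

def parse_access_rules(config):
    """Collect Order, 'Allow from' and 'Deny from' from a .htaccess or <Directory> snippet."""
    order, allow, deny = "deny,allow", [], []    # Apache's default Order is deny,allow
    for line in config.splitlines():
        words = line.split("#")[0].split()       # drop comments and surrounding whitespace
        if not words:
            continue
        name = words[0].lower()
        if name == "order":
            order = "".join(words[1:]).lower()   # tolerates 'allow, deny' written with a space
        elif name in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if name == "allow" else deny).extend(words[2:])
    return order, allow, deny

def _matches(client, rules):
    """True if the client matches any rule: 'all', an exact IP or a CIDR range (the forms the article lists)."""
    ip = ipaddress.ip_address(client)
    return any(r.lower() == "all" or ip in ipaddress.ip_network(r, strict=False) for r in rules)

def access_allowed(config, client):
    """Apply Apache 1.3/2.2 Order/Allow/Deny semantics to one client address."""
    order, allow, deny = parse_access_rules(config)
    in_allow, in_deny = _matches(client, allow), _matches(client, deny)
    if order == "allow,deny":
        return in_allow and not in_deny      # default deny; a Deny match overrides Allow
    if order == "deny,allow":
        return in_allow or not in_deny       # default allow; an Allow match overrides Deny
    raise ValueError("Order must be allow,deny or deny,allow")
```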
Control by user or group
If you need to protect a site or part of the server with a password, use the following directives.
Attention! If you want to use these directives in a .htaccess file, check that the AllowOverride directive in your host's main Apache configuration file includes the AuthType option. Some of the directives (AuthUserFile and AuthGroupFile) also require the mod_auth module.
AuthType
Values: AuthType (Basic | Digest)
Apache supports two types of content protection (the AuthType directive):
* Basic - basic authorization. Encoding is used on both sides, but the client sends the password without reliable encryption, i.e. no encryption key is used. That is the big drawback of this method. The Base64 algorithm is applied.
* Digest - authentication by a special code (digest) which uses a key, in particular the login name, the password, the realm requiring authentication, various information about the request and a unique code for the given request which Apache assigns to each connection. It is a one-way method, with a lot of information on both sides. But the main drawback of this method is that not every user browser supports it, although that is probably no longer the case (the information dates from 2000). This method is usually used in specialized systems.
AuthName
Format of the directive: AuthName "String"
This directive sets the prompt text which the browser displays when entering the protected part of the site (see the figure above).
AuthUserFile, AuthGroupFile
Format of the directives: (AuthUserFile | AuthGroupFile) "String"
Attention! These directives require the Apache module mod_auth, which is loaded by default.
These directives define, respectively, the absolute path to the file storing Name:DES pairs and the (also absolute) path to the file storing Group: Name Name ... records.
AuthUserFile
Contains the allowed user names and their passwords in the format Name:DES, where DES is the name of the encryption algorithm. The file can be created with the standard console program htpasswd shipped with Apache. Its use is described below.
AuthGroupFile
This directive needs to be given only if you have given the Require directive (see below) the value group.
This file contains the groups of users allowed to enter. File format: Group: Name Name .... I.e. only users who exist and who belong to the groups listed in the Require directive (see below) can enter.
Require
Values: Require (user Name [Name ...] | group Group [Group ...] | valid-user)
This directive defines the authentication principle:
* user - only the users listed after it, separated by spaces, who give the correct password can enter
* group - only users belonging to the groups listed after it, separated by spaces, who give the correct password can enter. The AuthGroupFile directive is then mandatory
* valid-user - any user present in the AuthUserFile who gives the correct password can enter
That covers the directives needed for AuthType Basic. I shall not list the other directives, which relate to AuthType Digest, since they have a narrow purpose and are not used in ordinary systems.
The Apache utility htpasswd
This console program creates the files named in the AuthUserFile directive. The file stores Name:Password pairs for access to the protected part of the site.
The program is usually shipped with Apache and lives in the bin folder under its root folder.
Format of the call:
htpasswd [-cdpsb] PathToPasswordFile UserName
Command-line parameters
* -c - create a new file. If this parameter is not given and the file does not exist, the utility reports an error and exits abnormally. Attention! If the file already existed, it is overwritten
* -d - the utility uses the DES encryption algorithm (the crypt() function in C). This is the default on all OSes except Windows
* -m - use the MD5 encryption algorithm, which is the default on Windows
* -p - store the password in plain text, without encryption. Works only on Windows
* -s - the utility uses the SHA encryption algorithm
* -b - in normal mode, without this option, the utility reads the password from standard input. With this option the password must be given on the command line after the path to the password file, and the utility takes it from there. The utility does not wait for user input and returns control to the shell immediately. Example: htpasswd -b .htpasswd sm htpass
Examples of password protection
File .htaccess
AuthType Basic
AuthName "You are entering Private area. Please enter your login and password"
AuthUserFile /home/Site.ru/www/PrivateDir/.htpasswd
# AuthGroupFile .htgroup   # this directive is not needed here,
#                          # since we authenticate by user, not by group
Require user My root UUCP hacker guest
Here access is granted, according to the .htpasswd file, to the users My, root, UUCP, hacker and guest. The authorization type is Basic.
Part of the file httpd.conf
....
<Directory "/home/Site.ru/www/My">
AuthType Basic
AuthName "This is only my area"
AuthUserFile /home/Site.ru/www/PrivateDir/.htpasswd
AuthGroupFile /home/Site.ru/www/My/.htgroup
Require group my root
</Directory>
....
Here access is granted according to the same user file, but only to those users who belong to the groups my or root, defined in the .htgroup file.
Creating the password file for the first example
We enter the shell and type the following commands
# We assume the current folder is the one containing the htpasswd utility
# We also assume that the password file to be created does not exist yet
htpasswd -cb /home/Site.ru/www/PrivateDir/.htpasswd root rootpasswd
htpasswd -b /home/Site.ru/www/PrivateDir/.htpasswd UUCP pass_rootcp
htpasswd /home/Site.ru/www/PrivateDir/.htpasswd My
Password: mypasswd
Repeat password: mypasswd
Password created OK
# Similarly we create entries for the users hacker and guest
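As an added illustration (my own code, not from the article), the following reproduces what Apache does with Basic authorization against the files built above: it decodes the Authorization header, checks the password against an AuthUserFile entry in the {SHA} form written by htpasswd -s or the plain form written by -p, and then applies a Require user / group / valid-user rule using an AuthGroupFile. The HTPASSWD and HTGROUP contents are constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample files in the formats the article describes (not taken from the article).
HTPASSWD = "root:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\nguest:guestpass\n"  # root: 'password' via -s; guest: plain via -p
HTGROUP = "my: root guest\nadmins: root\n"

def sha_entry(password):
    """Hash a password the way 'htpasswd -s' does: '{SHA}' + base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def _records(text):
    """Yield (key, value) from 'key:value' lines, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            yield key.strip(), value.strip()

def load_htpasswd(text):
    """AuthUserFile contents (Name:hash) -> {name: stored_hash}."""
    return dict(_records(text))

def load_htgroup(text):
    """AuthGroupFile contents (Group: name name ...) -> {group: set(names)}."""
    return {group: set(members.split()) for group, members in _records(text)}

def password_ok(stored, candidate):
    """Compare a candidate against a {SHA} entry or a plain-text (-p) entry in constant time."""
    expected = sha_entry(candidate) if stored.startswith("{SHA}") else candidate
    return hmac.compare_digest(stored.encode(), expected.encode())

def authorize(header, users, groups, require):
    """Decode 'Basic <base64(user:pass)>' and apply a Require rule (kind, names), kind in user/group/valid-user."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return False
    try:  # Base64 is an encoding, not encryption: whoever sees this header learns the password.
        name, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return False
    if name not in users or not password_ok(users[name], password):
        return False
    kind, names = require
    if kind == "valid-user":
        return True
    if kind == "user":
        return name in names
    return kind == "group" and any(name in groups.get(g, set()) for g in names)
```

Apache only protects the decoded credentials if the connection itself is encrypted, so Basic belongs behind TLS.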
Conclusion
This concludes my description of the protection facilities provided by the Apache web server. Any wishes or questions can be left at the contacts given below.
At the moment (July 2006) I am writing a Content Management System (CMS) for PHP 4+, MySQL 3.23.xx+ and Apache 1.3+; anyone who wants to see it or join in, write to me here