Apache2 BootCamp : Restricting Access
1. #7
Day #2
Restricting Access
Wildan Maulana
wildan.m@openthinklabs.com
http://workshop.openthinklabs.com
2. Overview
● How to restrict access based on the user, client
IP address, domain name, and browser version
● How to enable and configure Apache
authentication modules
● How to use the user management tools
provided with Apache
3. Authentication
● Authentication : establishes the identity of parties in a
communication
● Authentication in the context of the Web :
– Use of passwords
– Use of certificates
● Authorization : deals with protecting access to resources; we
can authorize based on :
– IP address the user is coming from
– The user’s browser
– The content the user is trying to access
– Who the user is
4. Client Authentication
● The HTTP specification provides two
authentication mechanisms: basic and digest
– Basic : the username and password are transmitted in clear text
– Digest : a digest (hash) of the credentials is transmitted instead of the clear-text password
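The difference between the two mechanisms is easiest to see on the wire. The following is an added example (not part of the slides) that builds the Authorization header a client sends for Basic and for Digest authentication, then shows that the Basic one decodes straight back to the password while the Digest one carries only an MD5 response that the server checks against a stored HA1. The credentials, nonce and URI are constructed; the function names are the example's own.

```python
# Added example, not from the slides: what actually crosses the wire with
# Basic versus Digest authentication. Standard library only; run with python3.
import base64
import hashlib
import hmac

# Constructed sample realm; the name is the one used on slide 32.
REALM = "Intranet"


def basic_authorization_header(user, password):
    """Authorization header a client sends for Basic auth: Base64 of user:password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic_credentials(header):
    """Base64 is an encoding, not encryption: anyone who sees the header
    (proxy, packet capture, log file) recovers the clear-text password."""
    if not header.startswith("Basic "):
        raise ValueError("not a Basic Authorization header")
    return base64.b64decode(header[len("Basic "):]).decode()


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is what an htdigest file stores,
    so the server never needs the clear-text password either."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 Digest without qop: response = MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_authorization_header(user, realm, password, method, uri, nonce):
    """Client side: only the digest travels; the password stays on the client."""
    resp = digest_response(digest_ha1(user, realm, password), method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def server_verifies_digest(stored_ha1, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, response)


def password_exposed(header, password):
    """True if the clear-text password can be read straight out of the header."""
    if header.startswith("Basic "):
        return password in recover_basic_credentials(header)
    return password in header


if __name__ == "__main__":
    basic = basic_authorization_header("joe", "s3cret")
    digest = digest_authorization_header("joe", REALM, "s3cret", "GET", "/private/", "nonce-1")
    print(basic, "->", recover_basic_credentials(basic))
    print(digest)
    print("password visible: basic", password_exposed(basic, "s3cret"),
          "digest", password_exposed(digest, "s3cret"))
```

Digest only hides the password from a passive observer; the MD5 construction is weak by today's standards and neither scheme protects the rest of the request, which is why both are normally deployed over TLS.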
5. Client Authentication
User Management
● Supported in Apache bundles :
– File-based authentication mechanisms
– Database-based authentication mechanisms
● Supported in third-party modules :
– LDAP (Lightweight Directory Access Protocol)
– NIS (Network Information Services)
7. Apache Authentication Modules
Common Functionality
Apache provides three built-in directives related to authentication
that will be used with any of the authentication modules :
● AuthName
● AuthType
● Require
Example
Require user joe bob
Require group employee contractor
Require valid-user
8. Apache Authentication Modules
Module Functionality
● Backend storage : provide text or database files containing the username and
groups information
● User management : supply tools for creating and managing users and groups in
the backend storage
● Authoritative information : specify whether the results of the module are authoritative
9. File-Based Authentication
mod_auth
Provides basic authentication via text files containing
usernames and passwords, similar to how traditional
Unix authentication works with the /etc/passwd and /etc/groups files.
10. File-Based Authentication
Backend Storage
Directives
● AuthUserFile : takes a path argument, pointing to the users file
● AuthGroupFile : takes a path argument, pointing to the groups file
Examples
AuthUserFile /etc/apache.passwords
AuthGroupFile /etc/apache.groups
Example users file entry (/etc/apache.passwords) :
admin:iFrlxqg0Q6RQ6
Example groups file entry (/etc/apache.groups) :
web: admin umar abdul aziz
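To see how the three Require forms from slide 7 combine with the users and groups files from slide 10, here is an added example (not part of the slides, and not Apache's own code) that parses both file formats and decides a Require line for a user who has already authenticated. The file contents are constructed in the slide's format; the hash values for umar and joe are placeholders, and all function names are the example's own.

```python
# Added example, not from the slides: how a Require directive (slide 7) is
# decided against the AuthUserFile and AuthGroupFile contents (slide 10).
# Password checking is out of scope here: the caller passes the name of a user
# who has already authenticated. Run with python3.

# Constructed file contents in the formats shown on slide 10. The hash values
# for umar and joe are placeholders, not real password hashes.
USERS_FILE = """\
# AuthUserFile /etc/apache.passwords : user:crypted-password
admin:iFrlxqg0Q6RQ6
umar:PLACEHOLDER_HASH
joe:PLACEHOLDER_HASH
"""

GROUPS_FILE = """\
# AuthGroupFile /etc/apache.groups : group: member member ...
web: admin umar abdul aziz
employee: joe
contractor: umar
"""


def parse_users(text):
    """One 'user:password-hash' per line; returns {user: hash}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, pw_hash = line.partition(":")
        users[name.strip()] = pw_hash.strip()
    return users


def parse_groups(text):
    """One 'group: user1 user2 ...' per line; returns {group: set of users}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups


def require_allows(require_line, authenticated_user, users, groups):
    """Evaluate one Require line of the three forms on slide 7."""
    parts = require_line.split()
    if len(parts) < 2 or parts[0].lower() != "require":
        raise ValueError(f"not a Require directive: {require_line!r}")
    kind, names = parts[1].lower(), parts[2:]
    # Only users present in AuthUserFile can have authenticated at all; a name
    # that appears in a group but has no password entry never gets in.
    if authenticated_user not in users:
        return False
    if kind == "valid-user":
        return True
    if kind == "user":
        return authenticated_user in names
    if kind == "group":
        return any(authenticated_user in groups.get(g, set()) for g in names)
    raise ValueError(f"unsupported Require form: {kind}")


def check(require_line, user):
    """Convenience wrapper over the constructed files above."""
    return require_allows(require_line, user,
                          parse_users(USERS_FILE), parse_groups(GROUPS_FILE))


if __name__ == "__main__":
    for rule in ("Require valid-user", "Require user joe bob",
                 "Require group employee contractor"):
        for user in ("admin", "joe", "umar", "abdul"):
            print(f"{rule:36} {user:6} -> {check(rule, user)}")
```

The point worth noticing is the users abdul and aziz: they are listed in the web group but have no entry in the users file, so no Require line can ever let them in. Group membership grants nothing on its own; the password file is what makes a name a valid user.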
11. File-Based Authentication
User Management
htpasswd -c file userid
htpasswd -c /usr/local/apache2/conf/htusers admin
Don't use the -c option if you want
to add users to an existing password file : -c creates a new file and overwrites an existing one
16. Database File-Based Access Control
User Management
On Windows :
If you are using ActiveState Perl,
start the Perl package manager and type
install Crypt-PasswdMD5
then run
perl ./dbmmanage.pl dbfile adduser userid
On Unix :
./dbmmanage dbfile adduser userid
or use htdbm
Examples
dbmmanage /usr/local/apache2/conf/dbmusers adduser daniel employee,engineering
dbmmanage dbfile delete daniel
26. Access Control
● Access Rules
● IP Addresses
– A Partial IP Address
– A Network/Mask Pair
● Domain Name
● Environment Variables
● All Clients
27. Access Rules
IP Addresses
Allow from 10.0.0.1 10.0.0.2 10.0.0.3
A Partial IP Address
Deny from 10.0
A Network/Mask Pair
Allow from 10.0.0.0/255.255.255.0
Allow from 10.0.0.0/24
28. Access Rules
Domain Name
Allow from example.com
Enabling access rules based on domain names will force Apache to do a
reverse DNS lookup on the client address, bypassing the settings of the
HostNameLookups directive
30. Access Rules
All Clients
Allow from all
Deny from all
31. Access Rules Evaluation
Deny,Allow
<Location /private>
Order Deny,Allow
Allow from 10.0.0.0/255.255.255.0 example.com
Deny from all
</Location>
Allow,Deny
<Location /some/location/>
Order Allow,Deny
Allow from all
Deny from host.example.com
</Location>
32. Combining Access Methods
<Location /restricted>
Allow from 10.0.0.0/255.255.255.0
AuthType Basic
AuthName "Intranet"
AuthUserFile /usr/local/apache2/conf/htusers
AuthAuthoritative on
Require valid-user
Satisfy any
</Location>
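The Order semantics on slide 31 are the part of this material that most often goes wrong in practice, so here is an added example (not part of the slides, and not Apache's code, which is C) that models how Apache 2.2 evaluates Order / Allow from / Deny from for every rule form on slides 26 to 30, plus Satisfy from slide 32. The two Location blocks from slide 31 are encoded as data so they can be checked offline; the client addresses and hostnames are constructed, and the resolved hostname is passed in by the caller instead of being looked up in DNS. The function names are the example's own.

```python
# Added example, not from the slides: a model of how Apache 2.2 evaluates
# Order / Allow from / Deny from (slides 26-31) and Satisfy (slide 32).
# Apache's own code is in C; this reproduces the documented semantics so the
# slide configurations can be checked offline with python3.
import ipaddress


def client_matches(pattern, client_ip, client_host=None):
    """Does one Allow/Deny argument match this client?

    Forms from the slides: all, a full IP, a partial IP (10.0), a
    network/mask pair (10.0.0.0/255.255.255.0 or 10.0.0.0/24), a domain name.
    """
    pattern = pattern.lower()
    if pattern == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        # ipaddress accepts both a CIDR prefix and a dotted netmask after '/'
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():
        if pattern.count(".") == 3:              # full dotted quad
            return ip == ipaddress.ip_address(pattern)
        # partial IP: "10.0" means every address under 10.0.*.*
        return str(ip).startswith(pattern.rstrip(".") + ".")
    # Domain name: Apache reverse-resolves the client IP (and forward-checks
    # the result); here the resolved hostname is supplied by the caller.
    if client_host is None:
        return False
    host = client_host.lower()
    return host == pattern or host.endswith("." + pattern)


def evaluate(order, allow_from, deny_from, client_ip, client_host=None):
    """Apache 2.2 Order semantics.

    Deny,Allow: default allow; a matching Deny denies unless an Allow also matches.
    Allow,Deny: default deny; a matching Allow allows unless a Deny also matches.
    """
    allowed = any(client_matches(p, client_ip, client_host) for p in allow_from)
    denied = any(client_matches(p, client_ip, client_host) for p in deny_from)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


def satisfy(mode, host_ok, auth_ok):
    """Satisfy all (the default): host rules AND authentication must both pass.
    Satisfy any: either one is enough, which is what lets intranet clients on
    slide 32 in without a password."""
    return (host_ok or auth_ok) if mode.lower() == "any" else (host_ok and auth_ok)


# The two <Location> blocks from slide 31, as constructed data.
PRIVATE = {"order": "Deny,Allow",
           "allow_from": ["10.0.0.0/255.255.255.0", "example.com"],
           "deny_from": ["all"]}
SOME_LOCATION = {"order": "Allow,Deny",
                 "allow_from": ["all"],
                 "deny_from": ["host.example.com"]}


def location_allows(location, client_ip, client_host=None):
    return evaluate(location["order"], location["allow_from"],
                    location["deny_from"], client_ip, client_host)


def restricted_allows(client_ip, auth_ok, order="Deny,Allow"):
    """Slide 32: Allow from 10.0.0.0/255.255.255.0 plus Basic auth, Satisfy any.
    The slide gives no Order or Deny line; Apache 2.2 defaults to Deny,Allow."""
    host_ok = evaluate(order, ["10.0.0.0/255.255.255.0"], [], client_ip)
    return satisfy("any", host_ok, auth_ok)


if __name__ == "__main__":
    for ip, host in [("10.0.0.5", None), ("192.168.1.1", None),
                     ("203.0.113.7", "www.example.com")]:
        print(ip, host, "/private ->", location_allows(PRIVATE, ip, host))
    print("host.example.com /some/location ->",
          location_allows(SOME_LOCATION, "203.0.113.7", "host.example.com"))
    print("outsider, no auth, default Order ->", restricted_allows("203.0.113.7", False))
    print("outsider, no auth, Allow,Deny    ->", restricted_allows("203.0.113.7", False, "Allow,Deny"))
```

The last two lines of output are the caveat to take away from slide 32. That block contains neither an Order nor a Deny line, and under the Apache 2.2 default Order Deny,Allow a request that matches no Allow and no Deny is permitted; combined with Satisfy any, the host check then passes for everyone and the password prompt is never shown. Adding Order Allow,Deny (or Deny from all) to the block makes the Allow line restrictive, so only the 10.0.0.0/24 clients skip authentication.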
33. Limiting Access Based on HTTP Methods
HTTP Methods :
GET, POST, PUT, DELETE, CONNECT,
OPTIONS, TRACE, PATCH, PROPFIND, PROPPATCH,
MKCOL, COPY, MOVE, LOCK, and UNLOCK.
<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>