GuidesSecuring Your Web Pages with Apache Page 10

Securing Your Web Pages with Apache Page 10




Unlike your system’s login system, which will probably kick
you out, disconnect you, lock your account, or do something
equally extroverted and paranoid (and log the fact!)
if you misspell your password a few times in a row, there
are no such controls on the Web. So someone could very
easily write a script that just banged away on your
system, trying endless combinations of usernames and passwords,
and nothing would automatically perk up and make rude noises.

If you still want to to it after reading the above and
the additional information in the Apache FAQ, well, on your own
head be it. You can do it with mod_access, and that’s
all I’m going to say about it. And that’s probably already too much,
too.

Which Database is Authoritative?

What if you want to mix and match and have multiple types of
authentication database within a single realm? How does Apache
figure out which one to check first, and how does it know to
consult another if the first one fails to find the credentials?

The answer has to do with authoritativeness. Each of the discretionary
control modules includes a directive named something like
AuthAuthoritative. Each module’s version of this directive
is named differently, so that it can be associated with that module
and no other, so we also have AuthDBAuthoritative,
AutDBMAuthoritative, and Anonymous_Authoritative.

If a module is considered authoritative, then when Apache gets a
“I don’t know this person” response, it won’t look any
further. If the module isn’t authoritative, the server can
proceed to consult another module.

Technical note: Actually, the decision isn’t made by the
server itself. Each module knows whether or not it’s authoritative
(based on the presence/absence/setting of its *Authoritative
directive), and so in the case of a failure it signals the stop/continue
answer to the server by returning either HTTP_UNAUTHORIZED
or DECLINED respectively.

By default, the modules tend to consider themselves authoritative until
you tell them otherwise, on the principle that it’s better to be safe
than sorry. You can make this explicit with a
AuthAuthoritative On line, or allow responsibility
sharing with AuthAuthoritative Off. (Use the
appropriate directive for the module in question!)

The htpasswd, htdigest, and
dbmmanage Utilities

These three utilities are considered ‘user’ tools, since you
don’t need to be the Webmaster in order to use them to create
access control files for your own Web directory. As user applications,
their documentation is in the man/man1 subdirectory
of your Apache server installation; you can read it with a
command such as:

  
    % man /usr/local/web/apache/man/man1/htpasswd.1
  

Given the assumptions stated
earlier, you should find all three of these applications in
the /usr/local/web/apache/bin/ directory, and the source
of their man pages in
/usr/local/web/apache/man/man1/.

Latest Posts

Related Stories