I have been running an Apache2 server (with MySQL and PHP) since forever, mainly to run MythWeb (a great plugin for MythTV), and the occasional CMS like Joomla! or Mambo.
Now I am also experimenting with Java, JavaScript, PHP and MySQL, and I would like to be able to do some of that from work as well. So I opened port 80 on my connection. However, without any kind of protection, this means that anybody who knows my IP can just use MythWeb to delete all my recordings.
There are two options for securing your webserver:
1. Use PHP (or equivalent language) to create a login system
2. Put security parameters in the Apache2 configuration.
Since I am still beginning with PHP etc., I opted for the second option. My server is running Ubuntu 7.04. It is possible to use .htaccess files in the root of your webserver to set passwords etc. But I read that it is better to set passwords in httpd.conf. Ubuntu puts this file in /etc/apache2/. Note that by default httpd.conf is not used anymore; right now Apache uses the /etc/apache2/apache2.conf file. But anything that you put in httpd.conf will still be applied by Apache2, and doing so has the benefit that your apache2.conf stays nice and clean.
Create a password with the htpasswd command:
htpasswd -c /some/location/for/passwordfile <username>
It will ask you for a password and then store it in the specified file. The -c option creates the file, overwriting any existing one, so leave it out when adding further users.
This is what I added to the httpd.conf file:
<Directory /var/www/>
AuthType Basic
AuthName "Please enter username and password"
AuthUserFile /some/location/for/passwordfile
Require valid-user
</Directory>
The first line sets this policy for /var/www/ and lower directories. The third line is the message shown to users, and the fourth line specifies where the created password file is located.
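An added example, not from the original post: a shell check that the file named in AuthUserFile sits outside the web root (/var/www/ in this setup), is not world-readable, and contains only user:hash entries. The function names are hypothetical, and both paths are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): audit where an AuthUserFile
# lives and who can read it. Function names are hypothetical.

# 0 if FILE's directory resolves outside DOCROOT, 1 if inside, 2 on error.
outside_docroot() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    dir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 2
    case "$dir/" in
        "$docroot"/*) return 1 ;;
    esac
    return 0
}

# 0 if FILE is not readable by "other", 1 if it is.
not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Usage: audit_authuserfile DOCROOT FILE
# Prints one line per problem; returns the number of problems found.
audit_authuserfile() {
    problems=0
    if [ ! -f "$2" ]; then
        echo "missing: $2"; return 1
    fi
    if ! outside_docroot "$1" "$2"; then
        echo "not verifiably outside document root: $2"
        problems=$((problems + 1))
    fi
    if ! not_world_readable "$2"; then
        echo "world-readable: $2 (chmod 640 and chgrp to the Apache group)"
        problems=$((problems + 1))
    fi
    # Every non-empty line must look like user:hash with both parts present.
    bad=$(awk -F: 'NF && ($1 == "" || $2 == "") {n++} END {print n+0}' "$2")
    if [ "$bad" -gt 0 ]; then
        echo "$bad malformed entries in $2"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Call it as `audit_authuserfile /var/www /some/location/for/passwordfile`; a return status of 0 means no findings.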