Andy wrote:
> In apache i have the following in my main apache config file httpd.conf and
> my password in a htaccess file.
>
> <VirtualHost *>
> DocumentRoot /usr/home/xxxx
> ServerName www.xxxx.co.uk
> DirectoryIndex index.htm index.html index.php
> <Directory "/usr/home/xxxx/">
> Options -Indexes
> AllowOverride All
> AuthType Basic
> AuthName "Admin Area"
> AuthUserFile "/usr/home/xxxx/.htpasswd"
> Require valid-user
> </Directory>
> </VirtualHost>
>
>
> Can anyone tell me if this is pretty good security and set up correctly?
> Would I be better putting the above config into a htaccess file rather than
> the main httpd.conf?
> Anything I should change?
>
> Thank you
> Andy
The thing that I noticed is "AuthUserFile "/usr/home/xxxx/.htpasswd" -
your .htpasswd file is in your DocumentRoot. It does not need to be
there and, I believe, would be more protected if outside your DocumentRoot.
Quote from Apache doc:
Security:
Make sure that the AuthUserFile is stored outside the document tree
of the web-server; do not put it in the directory that it protects.
Otherwise, clients may be able to download the AuthUserFile.
Also be aware that null usernames are permitted, and null passwords
as well (through Apache 1.3.20). If your AuthUserFile includes a line
containing only a colon (':'), a 'Require valid-user' will allow access
if both the username and password in the credentials are omitted.
HTH,
Jim
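The two problems Jim raises (the password file sitting under DocumentRoot, and htpasswd lines with an empty username or password being accepted by `Require valid-user`) are both easy to check for mechanically. The script below is an added example, not part of this thread or of Apache; the two config snippets and the htpasswd contents are constructed samples (the hashes are placeholders), and the "-private" directory is an assumed location outside the document tree.

```python
"""Audit a <Directory> auth block for the two issues raised in the thread:
an AuthUserFile inside DocumentRoot, and htpasswd entries with an empty
username or password. All inputs below are constructed samples."""
import os
import re
from typing import List

# Constructed sample: the layout Andy posted, .htpasswd under DocumentRoot.
WEAK_CONFIG = '''
<VirtualHost *>
DocumentRoot /usr/home/xxxx
<Directory "/usr/home/xxxx/">
AuthType Basic
AuthName "Admin Area"
AuthUserFile "/usr/home/xxxx/.htpasswd"
Require valid-user
</Directory>
</VirtualHost>
'''

# Constructed sample: password file moved outside the document tree
# (the "-private" directory name is an assumption for this example).
HARDENED_CONFIG = '''
<VirtualHost *>
DocumentRoot /usr/home/xxxx
<Directory "/usr/home/xxxx/">
AuthType Basic
AuthName "Admin Area"
AuthUserFile "/usr/home/xxxx-private/.htpasswd"
Require valid-user
</Directory>
</VirtualHost>
'''

# Constructed sample htpasswd: one normal entry, one with an empty username,
# and one lone-colon line like the one the Apache doc quoted above warns about.
SAMPLE_HTPASSWD = """andy:$apr1$PLACEHOLDERHASH
:$apr1$PLACEHOLDERHASH
:
"""

_DIRECTIVE = re.compile(r'^\s*(DocumentRoot|AuthUserFile)\s+"?([^"\s]+)"?\s*$', re.M)


def find_directive(config: str, name: str) -> str:
    """Return the (unquoted) value of the first DocumentRoot/AuthUserFile directive."""
    for directive, value in _DIRECTIVE.findall(config):
        if directive == name:
            return value
    raise ValueError(f"{name} not found in config")


def authfile_inside_docroot(config: str) -> bool:
    """True when the AuthUserFile path lies under DocumentRoot (i.e. is web-reachable)."""
    docroot = os.path.normpath(find_directive(config, "DocumentRoot"))
    authfile = os.path.normpath(find_directive(config, "AuthUserFile"))
    # commonpath, not a string-prefix test: "/usr/home/xxxx-private" must not
    # be mistaken for a child of "/usr/home/xxxx".
    return os.path.commonpath([docroot, authfile]) == docroot


def null_credential_lines(htpasswd: str) -> List[int]:
    """1-based line numbers whose username or password field is empty or missing."""
    bad = []
    for n, line in enumerate(htpasswd.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, pw = line.partition(":")
        if not sep or not user or not pw:
            bad.append(n)
    return bad


def audit(config: str, htpasswd: str) -> List[str]:
    """Collect human-readable findings for a config/htpasswd pair."""
    findings = []
    if authfile_inside_docroot(config):
        findings.append("AuthUserFile is inside DocumentRoot; move it outside the document tree")
    for n in null_credential_lines(htpasswd):
        findings.append(f"htpasswd line {n}: empty username or password field")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg, SAMPLE_HTPASSWD) or ["no findings"])
```

Run against the weak config the audit reports both the file location and htpasswd lines 2 and 3; against the hardened config only the htpasswd lines remain, which is the reminder that moving the file does not fix bad entries inside it.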