alt.apache.configuration: Apache web server configuration issues.

#1

In Apache I have the following in my main Apache config file httpd.conf and my password in a htaccess file.

    <VirtualHost *>
    DocumentRoot /usr/home/xxxx
    ServerName www.xxxx. co. uk
    DirectoryIndex index.htm index.html index.php
    <Directory "/usr/home/xxxx/">
    Options -Indexes
    AllowOverride All
    AuthType Basic
    AuthName "Admin Area"
    AuthUserFile "/usr/home/xxxx/.htpasswd
    Require valid-user
    </Directory>
    </VirtualHost>

Can anyone tell me is this pretty good security and setup correctly? Would I be better putting the above config into a htaccess file rather than the main httpd.conf? Anything I should change?

Thank you
Andy

#2

"Andy" <me@privacy.net> wrote in news:12iai49pop9qc04@corp.supernews.com:

> In Apache I have the following in my main Apache config file
> httpd.conf and my password in a htaccess file.
>
> <VirtualHost *>
> DocumentRoot /usr/home/xxxx
> ServerName www.xxxx. co. uk
> DirectoryIndex index.htm index.html index.php
> <Directory "/usr/home/xxxx/">
> Options -Indexes
> AllowOverride All
> AuthType Basic
> AuthName "Admin Area"
> AuthUserFile "/usr/home/xxxx/.htpasswd
> Require valid-user
> </Directory>
> </VirtualHost>
>
> Can anyone tell me is this pretty good security and setup correctly?
> Would I be better putting the above config into a htaccess file rather
> than the main httpd.conf?
> Anything I should change?
>
> Thank you
> Andy

Your configuration does not require an .htaccess file. All of your directives are in the httpd.conf file. In fact, the password does not go in the .htaccess file anyway; if used, it is in the stated .htpasswd file.

My recommendation, however, is to not have your .htpasswd file in your /usr/home/xxxx/ directory tree. Put it somewhere outside of the http space.

#3

Andy wrote:

> In Apache I have the following in my main Apache config file httpd.conf and
> my password in a htaccess file.
>
> <VirtualHost *>
> DocumentRoot /usr/home/xxxx
> ServerName www.xxxx. co. uk
> DirectoryIndex index.htm index.html index.php
> <Directory "/usr/home/xxxx/">
> Options -Indexes
> AllowOverride All
> AuthType Basic
> AuthName "Admin Area"
> AuthUserFile "/usr/home/xxxx/.htpasswd
> Require valid-user
> </Directory>
> </VirtualHost>
>
> Can anyone tell me is this pretty good security and setup correctly?
> Would I be better putting the above config into a htaccess file rather than
> the main httpd.conf?
> Anything I should change?
>
> Thank you
> Andy

The thing that I noticed is "AuthUserFile "/usr/home/xxxx/.htpasswd" - your .htpasswd file is in your DocumentRoot. It does not need to be there and, I believe, would be more protected if outside your DocumentRoot.

Quote from Apache doc:

Security: Make sure that the AuthUserFile is stored outside the document tree of the web-server; do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile. Also be aware that null usernames are permitted, and null passwords as well (through Apache 1.3.20). If your AuthUserFile includes a line containing only a colon (':'), a 'Require valid-user' will allow access if both the username and password in the credentials are omitted.

HTH,
Jim
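
The two checks raised in the replies, as an added example that is not part of any post in this thread: a small Python audit that flags an AuthUserFile stored under a DocumentRoot and htpasswd lines with an empty username. The sample inputs are constructed from the configuration posted above, the function names are hypothetical, and the parser assumes one directive per line with absolute paths.

```python
import posixpath
import re

# Constructed sample mirroring the configuration posted in this thread.
SAMPLE_CONF = '''\
<VirtualHost *>
DocumentRoot /usr/home/xxxx
<Directory "/usr/home/xxxx/">
AuthType Basic
AuthUserFile "/usr/home/xxxx/.htpasswd
Require valid-user
</Directory>
</VirtualHost>
'''
# Constructed htpasswd content; the hash is a placeholder, not a real one.
SAMPLE_HTPASSWD = "admin:$apr1$PLACEHOLDER\n:\n"

DIRECTIVE = re.compile(r'^\s*(DocumentRoot|AuthUserFile)\s+(.+?)\s*$', re.I | re.M)


def _path(arg):
    """Strip quotes (even an unbalanced one) and normalise '..' and '//'."""
    return posixpath.normpath(arg.strip().strip('"\''))


def is_inside(path, root):
    """True when path equals root or lies below it (prefix match on components)."""
    return path == root or path.startswith(root.rstrip('/') + '/')


def exposed_auth_files(conf_text):
    """Return AuthUserFile paths that live under any DocumentRoot in conf_text."""
    roots, auth_files = [], []
    for name, arg in DIRECTIVE.findall(conf_text):
        (roots if name.lower() == 'documentroot' else auth_files).append(_path(arg))
    return [f for f in auth_files if any(is_inside(f, r) for r in roots)]


def empty_user_lines(htpasswd_text):
    """Return 1-based numbers of lines whose username field is empty (e.g. ':')."""
    return [n for n, line in enumerate(htpasswd_text.splitlines(), 1)
            if line.strip() and line.split(':', 1)[0].strip() == '']


if __name__ == '__main__':
    print('AuthUserFile inside DocumentRoot:', exposed_auth_files(SAMPLE_CONF))
    print('htpasswd lines with empty username:', empty_user_lines(SAMPLE_HTPASSWD))
```

A relative AuthUserFile is resolved by Apache against ServerRoot, which this sketch does not model, so such paths are never reported as exposed.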