Securing your Web server, Part 2

By Chuck Musciano, Unix Insider | Operating Systems

Last month we started a three-part series on web server security, beginning with
the basics of Web access control. The miraculous Web lets you
go read that entire column, of course, but I'll recap the major
points:

  • Web access control is based upon the domain name and/or IP address
    of the client requesting a document from the server.

  • Most Unix-based servers use a file named access.conf
    to define a set of access rules that determine which browsers are
    allowed to access the server.

  • Using a directory-based syntax in this file, a separate set of
    rules can be defined for each document directory on your server.
Pros & cons

There are several advantages to the single access.conf
file. Most importantly, it centralizes all of your access rules, making
it easy to control the entire site. It is also easy to secure the file
itself, since it need only be readable by the server daemon and you.

Unfortunately, these benefits can also be headaches. Many servers are
actually shared environments, with different document directories
managed by different authors. Each author wants to control the access
rules for his or her own directories, but doesn't want other authors
stepping on that portion of the access.conf file.

In addition, each change to the access.conf file takes
effect only after the server daemon is restarted, which
usually requires root access on a properly configured server. Needless
to say, you don't want all your authors running about with the root
password.

To eliminate these concerns, the httpd-based servers
support a separate access control file that can be placed in each
document directory on your server. These local files let individual
authors control the access rules for their own directories.
Even better, the server reads the file afresh each time a document in
that directory is requested, eliminating the need for a server restart
after each rule change.

Enabling local control

By default, these local access control files are ignored until you
explicitly enable them in your access.conf file. To do
that, you'll need to add an extra directive, AllowOverride, to
each <directory> block in which the local file should be honored.
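As an added example (not taken from the column), here is how the two pieces fit together on an NCSA-style httpd: a server-wide access.conf that permits per-directory overrides only in the one subtree that needs them, followed by the local file an author might place in that directory (the file is named .htaccess by default; the AccessFileName directive in srm.conf changes the name). The document-root path, the project directory, the domain and the network are made-up values.

```apache
# --- access.conf (constructed example; paths are assumptions) ---

# Site-wide default for the whole document tree: no local override file
# is consulted, so nothing below this level can loosen these rules.
<Directory /usr/local/etc/httpd/htdocs>
Options Indexes FollowSymLinks
AllowOverride None
<Limit GET POST>
order allow,deny
allow from all
</Limit>
</Directory>

# One author's subtree: let the local file override only the host-based
# access rules (<Limit> blocks), not Options or anything else. This is
# the narrowest setting that solves the shared-server problem; AllowOverride
# All would let any author switch on server features the site never intended.
<Directory /usr/local/etc/httpd/htdocs/projects/alpha>
AllowOverride Limit
</Directory>

# --- /usr/local/etc/httpd/htdocs/projects/alpha/.htaccess ---
# Maintained by the author of this directory and re-read by the server on
# every request, so no daemon restart is needed. Restricts the subtree to
# clients in one domain and one internal network (constructed values).
<Limit GET POST>
order deny,allow
deny from all
allow from .example.com
allow from 192.168.10.
</Limit>
```

Two points follow from the dynamic re-reading. The local file is parsed with the server's privileges on each request, so it should be writable only by the author who owns the directory; a world-writable override file hands access-rule control to anyone with a shell on the machine. And the AllowOverride value on the enclosing <Directory> is the ceiling on what the local file may change, so the safe pattern is None at the document root and a deliberately chosen widening per directory, rather than All everywhere.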
