October 15, 2001, 1:58 PM — Last month we started a three-part series on web server security, beginning with
the basics of Web access control. The miraculous Web lets you
go read that entire column, of course, but I'll recap the major points:
- Web access control is based upon the domain name and/or IP address
of the client requesting a document from the server. The server can only check where a request appears to come from, so these rules gate networks and hosts, not users; they are no substitute for authenticating the person behind the browser.
- Most Unix-based servers use a file named access.conf
to define a set of access rules that determine which browsers are
allowed to access the server.
- Using a directory-based syntax in this file, a separate set of
rules can be defined for each document directory on your server.
Pros & cons
There are several advantages to the single access.conf
file. Most importantly, it centralizes all of your access rules, making
it easy to audit and control the entire site. It is also easy to secure the file
itself, since it need only be readable by the server daemon and you.
Unfortunately, these benefits can also be headaches. Many servers are
actually shared environments, with different document directories
managed by different authors. Each author wants to control his or her
own access rules, but doesn't want other authors stepping on their portion of the rules.
In addition, each change to the access.conf file
necessitates restarting the server daemon, which
usually requires root access on a properly configured server. Needless
to say, you don't want all your authors running about with root access.
To eliminate these concerns, the httpd-based servers
support a separate access control file that can be located in each
document directory on your server. These local files let individual
authors control the access rules for their directories.
Even better, the file is read dynamically by the server on each request,
eliminating the need for a server restart after each rule change. The flip side is that anyone who can write into a document directory can now change the rules for it, and the control file itself sits in the document tree, so make sure the server never hands it out to a browser.
Enabling local control
By default, these local access control files are disabled until you
explicitly enable them in your
access.conf file. To do
that, you'll need to add an extra directive inside the
<directory> tag for the relevant directory in that file.
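To make the two-file arrangement concrete, here is an added example of what the server-wide file and one author's local file look like side by side. It is not code from the column; it assumes the server is Apache 1.3, where the directive that enables local files is AllowOverride, the local file is conventionally named .htaccess (the name is set by AccessFileName), and the host rules are mod_access's Order, Allow and Deny. The paths, directory owner and addresses are made up.

```apacheconf
# --- access.conf (server-wide; edits here need a server restart) ---
# Added example assuming Apache 1.3; paths and addresses are made up.

# Never serve the per-directory control files themselves: a leaked
# .htaccess tells a visitor exactly which hosts you trust.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# Default: ignore local files everywhere, so an author who can write
# into the document tree cannot change server behaviour by accident.
<Directory /usr/local/apache/htdocs>
    Options None
    AllowOverride None
</Directory>

# Open only the directory this author manages, and only for the host
# access-control directives ("Limit"), not Options, handlers, and so on.
<Directory /usr/local/apache/htdocs/reports/jane>
    AllowOverride Limit
</Directory>

# --- /usr/local/apache/htdocs/reports/jane/.htaccess ---
# Read on every request for this directory, so no restart is needed.
# Deny everyone, then re-admit one address block and one domain.
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
# A name-based rule costs a double reverse DNS lookup per request and
# trusts the client's DNS; prefer address rules where you can.
Allow from .example.com
```

Keep AllowOverride at None for the document root and widen it only per directory and only to the directive group an author actually needs; every extra override class is something a compromised author account can turn against the rest of the site.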