Updating from 10.1.x to 10.2 turns off password protection for Apache-served websites

couzteau
I just noticed that after updating my system to 10.2/Jaguar, the websites I was serving on my machine were accessible without password protection.

The file /private/etc/httpd/httpd.conf needs to be changed to turn password protection back on:
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#

AllowOverride None

The last line needs to be:
AllowOverride All
All my .htaccess files were left untouched; no need to change anything there.

cheerz
 
Just one thing about .htaccess files:

.htaccess files are much slower than putting access restrictions into the httpd.conf itself.

.htaccess is a quick and dirty way to protect a directory; the best way is using httpd.conf.

AllowOverride simply defines whether .htaccess files may override access permissions given in httpd.conf.

Everyone from the Apache development team advises not to use .htaccess files.

I would not set the global AllowOverride to Yes, never!

Set it to Yes in the Directory entry in the httpd.conf for the directories in which you want to use .htaccess files (if you still want to use them), but setting it to a global Yes is a huge security hole; this is why it was reset to No by Jaguar!
 
ulrik, can you be more precise or give an example of how to modify httpd.conf?

I'm by far not an Apache expert, and I couldn't quickly find the necessary information in the Apache documentation.

thanx
 
It's simple:

In the Apache conf, you can define access privileges for directories, for example like this:

<Directory "yourdir">
    AllowOverride None
    # AuthName is the text shown in the browser's password pop-up box
    AuthName "This is displayed in the pop up box"
    # Basic is the easiest AuthType
    AuthType Basic
    # path to the user (password) file for Apache
    AuthUserFile /etc/httpd/conf/users
    # any user in the user file may access this directory
    Require valid-user
</Directory>

In this case, no .htaccess files will be parsed when a directory is opened (since they are not allowed to override the settings in httpd.conf).

You can also limit access to some users, like
Require user root foo bar

In this case, only root, foo, and bar would be able to access the directory.

The Apache group advises you to use this method.

Head over to apache.org or Google for more information; there are excellent tutorials about this. Also, various configuration tools are available at versiontracker.com.

If you don't plan on using the server in a heavy-load environment, you can also stay with the .htaccess files. All I wanted to warn about is setting the global AllowOverride to Yes in httpd.conf... this is quite insecure, since anyone who has write access to the directory structure (maybe co-workers) can block any directory they want.
 
thanx, very helpful.

I'm afraid that the OS X 10.2 updater will also disable a configuration as ulrik described, because my impression was that the updater simply replaces the file
/private/etc/httpd.conf
for some reason. I might be wrong, but that was my impression, because
I was quite surprised to find the websites I host on my machine unprotected after updating; that's why I started this thread.

So even with ulrik's improved setup I assume I would have had the same problem.

cheerz
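Since an updater can overwrite httpd.conf, it helps to have a quick way to tell, after the fact, which directories are protected in httpd.conf itself (ulrik's approach) and which only rely on a .htaccess file that AllowOverride may no longer honour (the failure in the first post). The script below is an added example written for this thread, not code from the forum or from Apache; the sample config and the directory paths in it are constructed.

```python
import re
# Constructed sample (not from the thread): one dir protected in httpd.conf, one left to .htaccess.
SAMPLE_CONF = """\
AllowOverride None
<Directory "/Library/WebServer/Documents/staff">
    AllowOverride None
    AuthType Basic
    AuthName "Staff only"
    AuthUserFile /etc/httpd/conf/users
    Require valid-user
</Directory>
<Directory "/Library/WebServer/Documents/drafts">
    AllowOverride AuthConfig
</Directory>
"""
DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)

def parse_scopes(conf_text):
    """Map '<global>' and each <Directory> path to [AllowOverride or None, has Require]."""
    scopes, current = {"<global>": [None, False]}, "<global>"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache only allows whole-line comments
            continue
        if m := DIR_OPEN.match(line):
            current = m.group(1)
            scopes[current] = [None, False]
        elif line.lower() == "</directory>":
            current = "<global>"
        else:
            key, value = (line.split(None, 1) + [""])[:2]
            if key.lower() == "allowoverride":
                scopes[current][0] = value.strip()
            elif key.lower() == "require":
                scopes[current][1] = True
    return scopes

def audit(conf_text):
    """Per directory: 'httpd.conf' = Require sits in the main config and survives an AllowOverride
    reset; 'htaccess-only' = no Require here but .htaccess may add one, so protection depends on a
    file outside httpd.conf and on who can write there; 'open' = neither applies."""
    scopes = parse_scopes(conf_text)
    default = scopes["<global>"][0] or "None"  # Apache's default when nothing is set
    verdicts = {}
    for path, (override, has_require) in scopes.items():
        if path == "<global>":
            continue
        allowed = {t.lower() for t in (override or default).split()}  # inherit the global value
        verdicts[path] = "httpd.conf" if has_require else "htaccess-only" if allowed & {"all", "authconfig"} else "open"
    return verdicts
```

Run audit() over the real file after an update: every directory reported as 'htaccess-only' is one whose protection lives in a .htaccess file and is silently lost the moment the global AllowOverride is reset to None.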