Server Plugin for .htaccess Access Control
1. Module Description
This module is a Netscape server plugin to support the access control functionality
of Apache/NCSA-style .htaccess files in the server content tree.
This release supports only the .htaccess directives listed in Appendix
A, silently ignoring all others. It supports only flat text user and group
files at this time.
2. Activating .htaccess Checking
Modify the server's obj.conf file to load, initialize, and activate
the plugin module, located in the directory:
<server root>/https-<server name>/config
At the top of obj.conf, after other Init directives, add
the lines:
Init fn="load-modules" funcs="htaccess-init,htaccess-find" \
shlib="<server-root>/plugins/htaccess/bin/htaccess.so"
Init fn="htaccess-init" [groups-with-users=yes]
to cause the module to be loaded and initialized when the server is started.
Replace <server root> with the path to your server root.
Note that the file extension of the shared library will follow the convention
of the native operating system, e.g. .so, .dll, or .sl.
The optional argument, groups-with-users=yes, specifies that
any file referenced by an AuthUserFile directive will contain both users
and groups, in the form:
username:DES-encrypted-password:comma-separated-list-of-groups
This format is also assumed if both AuthUserFile and AuthGroupFile directives
are used, and both specify the same filename. This format is much
more efficient for checking group membership of users than separating user
and group information into different files.
To activate .htaccess file processing for all directories managed
by the server. Add the PathCheck directive:
PathCheck fn="htaccess-find"
to the default server object, which is delimited by:
<Object name="default">
...
</Object>
Generally it should be placed as the last PathCheck directive
in the object. To activate .htaccess file processing for particular
server directories, place the PathCheck directive similarly in
the corresponding object definition in obj.conf. New server directories
are generally created using the "Content Mgmt" functions provided by the
Administration Server.
Finally, stop and then start your server. Subsequent accesses to the
server will be subject to .htaccess access control in the specified
directories.
3. Notes
-
To use .htaccess-style files with a name other than ".htaccess",
specify the PathCheck directive as:
PathCheck fn="htaccess-find" filename="<filename>"
where <filename> is the desired file name, e.g. .acl,
.htacl.
-
The Administration Server will warn that manual edits have been applied
the next time it is used to administer the server, after obj.conf
has been editted. Click the "Apply" button to accept the manual changes.
-
.htaccess files can be used in combination with the server's standard
access control mechanism. The standard access controls are always applied
before any .htaccess access control, regardless of the ordering
of PathCheck directives. User authentication should not be required
using both standard and .htaccess access control when HTTP "Basic"
authentication is used, or else users will be prompted indefinitely for
authentication, first in one realm, and then the other. It is possible
to use SSL client authentication via the standard server access control,
and also require HTTP "Basic" authentication via an .htaccess file.
4. Security Considerations
By default, server support for HTTP PUT is disabled. It is activated via
the "Content Mgmt|Remote File Manipulation" function in the Administration
Server. Great care should be taken in allowing PUT access to directories
containing .htaccess files, since it will allow them to be replaced.
PUT access can be prevented on all files in a directory via the "Access
Control|Restrict Access" function. Set the default access for "Write" to
"Deny" via the radio buttons, then click the associated "Permissions" button
if you want to allow write access to particular users.
The best way to restrict write access for only .htaccess
files is to create a configuration style for them, and then apply standard
server access control to that configuration style. The steps to do this
are:
-
Select the "Config Styles|New Style" function in the Administration server,
enter a unique style name, e.g. "htaccess", and click "OK".
-
Select "Config Styles|Assign Style", enter the URL prefix wildcard as *.htaccess,
use the selector box to select the style created in the previous step,
and click "OK".
-
Under "Config Styles|Edit Style", click on the "Restrict Access" link.
This will enter the "Access Control|Restrict Access" form to apply standard
server access control to the configuration style. Restrict write access
to the style as you would for a directory. You may also wish to restrict
read access to prevent users from viewing the .htaccess file contents.
Appendix A - Supported .htaccess Directives
The following .htaccess directives are supported in this release:
allow
Syntax:
allow from host host ...
where host is all, to allow access from all client hosts,
or is all or the last part of a DNS host name,
or is a full or partial IP address
Must be enclosed within a <Limit> range.
Effect:
Allows access to the specified hosts. Normally appears inside a <Limit>
range.
AuthGroupFile
Syntax:
Effect:
Specifies that the named group file is to be used for any group definitions
referenced in a require group directive.
Note that if the filename specified in an AuthGroupFile directive is
the same as the filename in an AuthUserFile directive, the file is assumed
to contain users and groups in the form:
username:DES-encrypted-password:comma-separated-list-of-groups
AuthUserFile
Syntax:
AuthUserFile filename
where filename is the name of file containing user definitions in the
form:
username:password
where username is a user login name, and password is the DES-encrypted
password.
Must not appear within a <Limit> range.
Effect:
Specifies that the named user file is to be used for any user names
referenced in a require user or require valid-user directive.
Note that the use of groups-with-users=yes in the Init
fn=htaccess-init directive in obj.conf, or specifying an AuthGroupFile
directive with the same filename, causes that file to be assumed to be
in the format:
username:DES-encrypted-password:comma-separated-list-of-groups
AuthName
AuthType
deny
Syntax:
deny from host host ...
where host is all, to deny access from all client hosts,
or is all or the last part of a DNS host name,
or is a full or partial IP address
Must be enclosed within a <Limit> range.
Effect:
Denies access to the specified hosts. Normally appears inside a <Limit>
range.
<Limit>
order
require
Syntax:
Effect:
require group requires the authenticated user to be a member of one
of the specified groups.
require user requires the authenticated user to be one of the specified
users.
require valid-user requires an authenticated user.