Chapter 10. Access control
Now that we have a way to identify users, we need to specify policies. As with
access_module, the restrictions on access can only be specified in a <Directory> block
or in a delegated configuration file.
The simplest policy, called “valid user”, is to permit access to any user who can
authenticate against the web password file.
<Directory /var/www/CHALK>
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/httpd/access/passwd
Require valid-user
</Directory>
Figure 10-7. httpd.conf: Implementing the “valid user” policy
Syntax summary: implementing the “valid user” policy
<Directory /var/www/CHALK>...</Directory>
This is the standard block for restricting a set of commands to a directory tree.
The commands in this block could appear in a delegated configuration file.
AuthType Basic
This defines the protocol used for the exchange of userid and password. Every
browser supports this protocol, but it does send passwords in plain text. A superior
protocol, called “Digest”, exists and is supported by modern browsers. See
the Section called Variations on a theme of user identification for details.
AuthName "Restricted area"
This identifies the realm applying to the files in the directory tree. This string
appears in the challenge for the userid and the password and is used by the
browser to work out which previously given userid and password it should send
without having to prompt the user again.
AuthUserFile /etc/httpd/access/passwd
This identifies the file used to contain userids and passwords. This cannot be the
system /etc/passwd file!
Require valid-user
This specifies the policy. Any user validated against the password file may access
the pages.
Given this setup (and a reload of the server’s configuration file), we can see the effect
it has on our web server. Our attempt to access the index.html page results in a
challenge for userid and password.
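As an added illustration (not part of the original chapter, and not Apache's own code), the following Python script models the exchange that the <Directory> block above configures: a request without credentials receives the 401 challenge carrying the AuthName realm, the browser replies with an Authorization header whose value is only the base64 encoding of userid:password, and the server applies the "valid-user" policy by checking those credentials against an htpasswd-style file. The password file contents, user names and passwords are constructed for this example, and only the {SHA} htpasswd entry format is handled.

```python
import base64
import hashlib
import hmac

# The AuthName from the configuration block; it is echoed in the challenge.
REALM = "Restricted area"


def make_sha_entry(user, password):
    """Build one htpasswd line in the {SHA} format: user:{SHA}base64(sha1(pw))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample AuthUserFile (stands in for /etc/httpd/access/passwd).
# Never the system /etc/passwd: this file holds web-only credentials.
SAMPLE_PASSWD_FILE = "\n".join([
    make_sha_entry("alice", "correct horse"),
    make_sha_entry("bob", "hunter2"),
]) + "\n"


def parse_passwd_file(text):
    """Map each userid to its stored hash, ignoring blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(stored, password):
    """Verify a password against a {SHA} entry with a constant-time compare."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        expected = base64.b64encode(digest).decode("ascii")
        return hmac.compare_digest(stored[len("{SHA}"):], expected)
    # crypt(3), $apr1$ and bcrypt entries exist in real htpasswd files but are
    # not handled in this example.
    return False


def challenge():
    """The 401 response the server sends when credentials are missing or bad."""
    return {"status": 401,
            "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}


def browser_header(user, password):
    """What the browser sends back: base64 of 'user:password', nothing more."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header):
    """Recover (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the userid may not contain ':', so split on the first one;
    # the password itself may contain colons.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authorize(request_headers, passwd_text):
    """Apply 'Require valid-user': any user in the file with a correct password."""
    header = request_headers.get("Authorization")
    if header is None:
        return challenge()
    creds = decode_basic(header)
    if creds is None:
        return challenge()
    user, password = creds
    users = parse_passwd_file(passwd_text)
    if user in users and check_password(users[user], password):
        return {"status": 200, "user": user}
    return challenge()


if __name__ == "__main__":
    print(authorize({}, SAMPLE_PASSWD_FILE))
    hdr = browser_header("alice", "correct horse")
    print(hdr, "->", decode_basic(hdr))
    print(authorize({"Authorization": hdr}, SAMPLE_PASSWD_FILE))
```

The decode_basic step is the whole of the "plain text" caveat from the syntax summary: base64 is an encoding, not encryption, so anyone who can read the request header can read the password, which is why this scheme belongs behind TLS or should be replaced by Digest as the chapter goes on to describe.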