Today and tomorrow, we're going to cover a few more fundamentals that you will need to master before we can build some of our upcoming web projects. Today's tasks assume that you already have an Apache Web Server up and running and that you have installed Webmin which we covered last week. As in past columns, our preference is that you first at least read through our previous ISP-In-A-Box tutorials (available as a PDF collection here) so that you have a basic understanding of how to do things, but that's up to you. Our three projects for today and tomorrow are assuring that directories without a default web page never display, learning how to password-protect web site directories, and mastering how to configure Apache to serve up multiple web sites from a single web server, yours.

Preventing Display of Web Site Directories With No Default Web Page. As delivered by Apple with your new Mac, the default Apache configuration tells your web server to display a directory listing of any web site directory that does not have a default web page (index.html or index.php). That means that, if you create subdirectories below /Library/WebServer/Documents, the contents of each one will be shown to any visitor that guesses the name of the directory. If you happen to have your tax returns stored there, you see the problems this might cause. To demonstrate what I'm talking about, let's create a directory and then access it with a web browser. Open a Terminal window and switch to root access: sudo su. Now create a directory called emrem under your main web site: mkdir /Library/WebServer/Documents/emrem. Switch to your web browser and access the new site: http://localhost/emrem/. See what I mean. If you had filled emrem with documents, they would be accessible to anyone on the Internet. The same default applies to your personal web site at http://localhost/~username and subdirectories created in your Sites folder. For security's sake and your own peace of mind, I prefer defaults which specify that the contents of directories not be displayed unless you expressly authorize it. So here's how to fix it. Switch back to your Terminal window with root access. Move to the Apache configuration directory: cd /etc/httpd. Now let's edit the Apache config file carefully: pico httpd.conf. Search for the word "indexes": Ctrl-W, indexes, then enter. We're looking for every line in the config file that begins with the word "Options" and contains the word "Indexes." This probably won't apply for the first match of the word "Indexes" so move the next occurrence of the term: Ctrl-W then enter. You should get a match on this one. Position the cursor under the "I" in Indexes and press CTRL-D until the entire word is deleted. Then search for the next match, and repeat the drill until you get to the bottom of the file. Now save your changes: CTRL-X, Y, then enter. Now stop and then restart Apache for your changes to take effect (covered in our Apache tutorial). Then access http://localhost/emrem/ again, and you should get an access denied message.

Password-Protecting Web Site Directories. There also will be times when you want to build web sites on your server which are available over the Internet, just not to everybody. The easiest way to accomplish this is to prompt for a username and password to log in to certain sites before any access is provided. Apache handles this for any web browser, but you first have to enable it. Then you need to build a password file and store it where Apache can find it, but your web site vistors cannot. And finally, we need to insert an .htaccess file in every directory that you want to password-protect for Internet access.

Configuring default htaccess file. To get started, Ctrl-Click here and Download the Linked htaccess File to your Desktop. Do not save the file with a leading period in the file name. We'll do that later. Open Finder, click on your local hard disk, and navigate to the /Library/WebServer folder. Now Click-And-Drag the htaccess file on your Desktop to the /Library/WebServer folder. Close your Finder window, and then open a Terminal window. Switch to root user access: sudo su. Provide your admin password if prompted. Now we want to clean up the ownership and permissions for our sample htaccess file so move to the directory where we put the file: cd /Library/WebServer. Make root the owner of the file: chown root htaccess. Make admin the group for the file: chgrp admin htaccess. Now set the file permissions for world read access only: chmod 774 htaccess.

Configuring Apache for Password-Protected Directories. Now we have to configure Apache so that we can password-protect directories. The default Apache configuration would ignore our .htaccess file. Using your Terminal window with root access, move to the Apache configuration directory: cd /etc/httpd. Now let's edit the config file carefully: pico httpd.conf. Search for the word ".htaccess": Ctrl-W, .htaccess, then enter. This will position the cursor on a comment about using .htaccess files to override Apache settings. Immediately below the comment is a line which begins with the word "AllowOverride." We want to replace the word after AllowOverride with the word "All" (without quotes). Move the cursor to the beginning of the word to be deleted and press Ctrl-D until the word is deleted. Then type All. Save the config file: CTRL-X, Y, then enter. Now stop and then restart Apache for your changes to take effect (covered in our Apache tutorial).

Building a Password File. The password file is where Apache looks to determine whether one of your web site visitors (including you) is allowed access. There are a couple tricks to this. First, you want to put the file where Apache can read it, but your web visitors cannot. And you want to be careful not to insert blank lines in the file with just a colon. That basically lets everyone in. The format for the file is username:password, each on a separate line. And the password are encrypted. Here's how to do it. Open a Terminal window and switch to root access: sudo su. Now let's move to the directory where we'll put the password file: cd /usr/local. We're going to name our password file users.pw to match the htaccess file that you already downloaded. To create the file and erase any existing file without warning type: htpasswd -c users.pw admin. Think up a password you can remember, and you'll be prompted to type it twice. Now let's verify that the file was created: cat users.pw. You should see the word admin, then a colon, and then your encrypted password. To add additional users to your existing file, just type: htpasswd -b users.pw username password. Remember, if you accidentally use the htpasswd -c syntax a second time, you will overwrite your existing file and all of its entries. So be careful.

Password-Protecting A Directory. The way you password-protect a given directory on your web site is to copy the htaccess file we downloaded earlier into the desired directory, and name it .htaccess (with a leading period). So let's try it. Move to the nerd directory we built previously: cd /Library/WebServer/Documents/nerd. Now copy the htaccess file into the directory: cp /Library/WebServer/htaccess .htaccess. Close your web browser and reopen it to http://localhost/nerd/ and you should be prompted for a username and password. Type in admin and the password you made up, and you should be admitted. If you're not prompted for a username and password, you probably forgot to restart your Apache web server after updating the Apache config file. If you can't get in with the the username and password you thought would work, just recreate the file, and try again. Suppose you change your mind and want to remove password protection from a directory. Switch to root access with Terminal: sudo su. Move to the directory: cd /Library/WebServer/Documents/nerd. And then delete the .htaccess file: rm .htaccess. You may have to change our browser and reopen it for the changes to take effect.

Be Sociable, Share!

This article has 2 comments

  1. Great set of articles!

    For the password protected directories, I found that the user.pw file and .htaccess files had to be set root.www rather than root.admin under Tiger for this to work correctly (httpd daemons are user root and www). The docs also recommend chmod 640 to at least the .htaccess files so world can’t read them and it doesn’t seem to hurt for user.pw as well.

    Dave

  2. This won’t work for personal sites eg. http://www.yourdomain.com/~user/ as long as in the httpd.conf file the user.conf is included without editing it to ‘AllowOverride All’. Taking this in to acccount it will work for the user’s sites, as well

    Lukas