Controlling Access to Web Servers
How to Control Access?
Access to a web server can be controlled in two ways: by the user's Internet address and by user authentication. With the first method, the web server accepts or rejects a connection request from a user's web browser based on the user's Internet address. If the user's Internet address is on the web server's 'black list', the user cannot access the web server unless they switch to another address that is not on the list.
With access control by authentication, the user is asked to enter a user name and password. This user name and password must already be registered on the server. If authentication fails, the web server denies the user access, and the user must repeat the authentication until it succeeds in order to access the web server.
Access control can also use a combination of both methods.
Access Controlled With What?
The web server has files that can be used to control access to it. These files are known as Access Control Files, or ACF. There are two kinds of ACF: the global ACF, named access.conf, and the per-directory ACF, named .htaccess. Both names can be changed as desired, but these are the defaults. The names of the two files can be set through the web server configuration file, srm.conf.
Almost all web server software uses the same form of ACF file, be it Apache, NCSA, CERN, or others. Here is a common example of the ACF files access.conf and .htaccess:
access.conf |
htaccess |
To set access for specific directories, .htaccess can be used. Use .htaccess to divide up and delegate access settings, for example when the server is shared by several divisions and each division wants to manage its own access. A .htaccess file must be placed in each directory. Access cannot be set for an individual file, so the ACF must be placed in a directory.
Regulating Access Based on Internet Address
Based on the Internet address, the administrator can allow or disallow a person's access to the web server, regardless of the user's name. This works in all web browsers, because this facility does not authenticate users.
In the ACF file, access settings are placed in the section delimited by <Directory> and </Directory>, while the commands themselves are placed in the section delimited by <Limit> and </Limit>. The following commands can be used to manage access:
order | | Determines the order in which the allow and deny commands are evaluated. The default is deny,allow. |
| allow,deny | allow commands are evaluated before deny |
| deny,allow | deny commands are evaluated before allow |
allow | | Specifies the Internet addresses that are granted access. Syntax: allow from host (host1 host2 host3 ...) |
deny | | Specifies the Internet addresses that are denied access. Syntax: deny from host (host1 host2 host3 ...) |
host | domain name | Only hosts in that domain are granted / denied access to the web server. Example: itb.ac.id |
| host name | Name of a host. Example: xxx.itb.ac.id |
| IP address | IP address of a host. Example: 167.205.22.108 |
| part of an IP address | The first 1-3 bytes of the IP address, to specify a subnet that is granted / denied access to the web server. Example: 167.205.22 |
| all | Means that all hosts are denied access to the web server |
Outside the Limit section, but inside the Directory section, there are the commands Options and AllowOverride. Options sets which additional facilities are allowed on the web server, while AllowOverride determines whether .htaccess can override access.conf or not.
sample access.conf |
- The order command tells httpd to evaluate the deny commands before the allow commands, so that the allow section acts as the list of exceptions.
- deny from all then closes access to all hosts.
- allow from itb.ac.id changes 'all' into 'all domains except itb.ac.id'.
Deny from all
Allow from ac.id net.id co.id
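The following is an added example, not taken from the original page: a small Python evaluator for the order, deny and allow commands and the host forms listed in the table above. The ACF fragment, the function names and the rule that the command evaluated last wins (Apache's behaviour) are assumptions of this example.

```python
# Constructed ACF fragment for illustration; the path and hosts are sample values.
LIMIT_ACF = """
<Directory /usr/local/httpd/htdocs>
Options Indexes
AllowOverride None
<Limit GET>
order deny,allow
deny from all
allow from itb.ac.id 167.205.22
</Limit>
</Directory>
"""

def parse_limit(text):
    """Collect the order/allow/deny commands from an ACF <Limit> section."""
    rules = {"order": "deny,allow", "allow": [], "deny": []}  # default order per the page
    for line in text.splitlines():
        words = line.split()
        key = words[0].lower() if words else ""
        if key == "order" and len(words) > 1:
            rules["order"] = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            rules[key].extend(w.lower() for w in words[2:])
    return rules

def host_matches(spec, ip, hostname):
    """Match one host entry: all, full or partial IP address, host or domain name."""
    if spec == "all":
        return True
    if set(spec) <= set("0123456789."):
        # Compare whole bytes, so 167.205.2 does not cover 167.205.22.108.
        return ip == spec or ip.startswith(spec.rstrip(".") + ".")
    # Compare whole labels, so itb.ac.id does not cover evil-itb.ac.id.
    name = (hostname or "").lower()
    return name == spec or name.endswith("." + spec.lstrip("."))

def is_allowed(rules, ip, hostname=None):
    """Apply the order command; hostname is the server's reverse lookup of ip."""
    allow = any(host_matches(s, ip, hostname) for s in rules["allow"])
    deny = any(host_matches(s, ip, hostname) for s in rules["deny"])
    if rules["order"] == "allow,deny":
        return allow and not deny  # deny is evaluated last and wins
    return allow or not deny       # deny,allow: allow is evaluated last and wins
```

With the same two lists, switching to order allow,deny rejects every host, because deny from all is then evaluated last.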
User authentication
With this method, every time a user accesses a directory, the user is asked for two things: a user name and a password. The database of names and passwords has nothing to do with the user accounts on the server, so a user does not need an account on the server in order to authenticate to the web server.
Not all web servers have a user authentication facility. One web server that has it is the NCSA web server. In the basic configuration, the source for user authentication is not supplied, so it is necessary to obtain the complete NCSA web server source. The source for user authentication is htpasswd.c, located in the support directory.
Keep in mind that the web browser used must support user authentication. If it does not, the user cannot be authenticated. Most web browsers now support user authentication, including lynx running on unix.
The user name and password database is located in a file that by default is named .htpasswd. The file name can be changed as desired. Here is an example of the contents of a .htpasswd file:
The .htpasswd file is created using htpasswd, with syntax like this:
htpasswd -c .htpasswd name_user
The -c option is used if the .htpasswd file does not exist yet; after that the option is no longer needed. Once the command is run, it prompts for the user's password.
Here are the contents of access.conf, changed to handle this user authentication:
This configuration can also be used in the per-directory ACF, .htaccess, if authentication is wanted for a specific directory. The commands above are explained as follows:
AuthUserFile | Sets the location and file name of the user / password database |
AuthGroupFile | Sets the location and file name of the user group file |
AuthName | The name that is shown in the authentication prompt |
AuthType | Sets the type of authorization used |
require | Inside Limit, allow and deny are replaced with require. It tells httpd that only the names on the list can access this directory. |
The above configuration is intended for individual user authentication. Notice that AuthGroupFile points to /dev/null, which by unix convention means that there is no such file. To set up group authentication, a file containing the user group information must be created and named in the ACF. Here is an example of access.conf modified for group authentication:
AuthGroupFile has changed from /dev/null to a file called .htgroup, located in the directory /usr/local/httpd/conf. The contents of the .htgroup file are as follows:
nama_group1: user1 user2 user3 ... user-n
nama_group2: user_a user_b user_c ... user-n
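The following is an added example, not taken from the original page: Python that reads a group file in the format above and applies the require command to a user whose password has already been checked against AuthUserFile. The ACF fragment, group names, the .htpasswd path, the function names and the user, group and valid-user forms of require are assumptions of this example.

```python
# Constructed ACF fragment and group file for illustration (sample values).
AUTH_ACF = """
AuthUserFile /usr/local/httpd/conf/.htpasswd
AuthGroupFile /usr/local/httpd/conf/.htgroup
AuthName ByPassword
AuthType Basic
<Limit GET>
require group staff
</Limit>
"""
SAMPLE_HTGROUP = """
staff: user1 user2
guests: user_a
staff: user3
"""

def parse_htgroup(text):
    """Return {group: set(users)} from 'group: user1 user2 ...' lines."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.partition(":")
        if sep and name.strip():
            # Assumption: a group listed on several lines gets the union of its members.
            groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def parse_require(acf_text):
    """Return a (kind, names) pair for each require command in the ACF."""
    reqs = []
    for line in acf_text.splitlines():
        words = line.split()
        if len(words) > 1 and words[0].lower() == "require":
            reqs.append((words[1].lower(), words[2:]))
    return reqs

def is_authorized(user, reqs, groups):
    """user is a name whose password was already verified against AuthUserFile."""
    for kind, names in reqs:
        if kind == "valid-user":
            return True
        if kind == "user" and user in names:
            return True
        if kind == "group" and any(user in groups.get(g, ()) for g in names):
            return True
    return False
```

An empty group file, which is what AuthGroupFile /dev/null amounts to, makes every require group check fail, so that setting only suits configurations that name users directly.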