Apache Web-Serving with Mac OS X, Part 6
Hostname or IP Access Control
The following lines load this module:
LoadModule access_module libexec/httpd/mod_access.so
AddModule mod_access.c
The access module controls who can visit your Apache Web server, and we gave a few examples of doing so at the end of Part 3. Past what we've talked about, there's not much more to discuss, except for the following powerful collaboration.
A little bit later, we're going to talk about "environment variables." An environment variable is just a magical term for floating bits of data passed around every time Apache serves a Web page. For instance, when you access this site using a browser, an invisible piece of data named HTTP_USER_AGENT is created. This HTTP_USER_AGENT contains a value, like "Internet Explorer" or "Mozilla" or "Opera" or what have you. Below, I've included some common environment variables and what they could be assigned:
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)
REMOTE_ADDR = 127.0.0.1
REQUEST_URI = /cgi-bin/printenv
Astute readers may remember running a script called test-cgi back in Part 2, which actually prints out a number of common environment variables. To see a full list created during each and every browser request to your local Apache server, run the printenv script by going to http://127.0.0.1/cgi-bin/printenv.
You're asking why all this matters. Well, with an Apache module called mod_setenvif (which we'll describe more in-depth later), you can create your own environment variables. I hear your shouts of "So!?" I know. Bear with me.
By creating your own environment variables, you can use the Allow and Deny directives from mod_access to restrict visitors based on more than just IPs or hostnames (as we've previously demonstrated). Let me show you an example:
SetEnvIfNoCase User-Agent "^EmailWolf" shelbyville
<Directory /Users/multar/Sites>
Order Allow,Deny
Allow from all
Deny from env=shelbyville
</Directory>
With those few lines, we're now denying access to our site to any User-Agent whose name begins with "EmailWolf." This User-Agent, along with many others, is often labeled a "bad robot," as it sniffs around for email addresses to add to spam databases. Here we're detecting whether the access is coming from a known bad bot, and if so, we set an environment variable named shelbyville. Our Deny from env=shelbyville says, "Hey! If there's an environment variable named shelbyville, deny them access!"
We'll explain the SetEnvIfNoCase line more in the next article, but you can read more about stopping email harvesters with evolt.org's Using Apache to Stop Bad Robots, and the sequel, Stopping Spambots II: The Admin Strikes Back.
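To make the Order Allow,Deny evaluation concrete, here is a small Python model of the block above. It is an added example, not code from the article or from Apache: a SetEnvIfNoCase rule sets the variable, and the Allow and Deny lists are then evaluated in the stated Order. The client address and User-Agent strings are constructed.

```python
"""Model of SetEnvIfNoCase + Order Allow,Deny (constructed example; not
Apache's own code). Only the directive forms used above are modelled:
'all', 'env=NAME' and full or partial dotted IP addresses."""
import re

# SetEnvIfNoCase User-Agent "^EmailWolf" shelbyville
SETENVIF_RULES = [
    ("User-Agent", re.compile(r"^EmailWolf", re.IGNORECASE), "shelbyville"),
]


def set_env(headers):
    """Run each SetEnvIf rule against the request headers and return the
    environment variables that were set."""
    env = {}
    for header, pattern, name in SETENVIF_RULES:
        if pattern.search(headers.get(header, "")):
            env[name] = "1"
    return env


def host_matches(spec, client_ip, env):
    """One 'Allow from' / 'Deny from' argument checked against a request."""
    if spec == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env
    # Partial IPs ("10.1") match whole leading octets, not string prefixes.
    want = spec.split(".")
    return client_ip.split(".")[:len(want)] == want


def decide(headers, client_ip="192.0.2.10", order="Allow,Deny",
           allow=("all",), deny=("env=shelbyville",)):
    """True if the request is admitted. Order Allow,Deny: a Deny match wins
    and a request matching neither list is refused. Order Deny,Allow: an
    Allow match wins and a request matching neither list is admitted."""
    env = set_env(headers)
    allowed = any(host_matches(s, client_ip, env) for s in allow)
    denied = any(host_matches(s, client_ip, env) for s in deny)
    if order == "Allow,Deny":
        return allowed and not denied
    if order == "Deny,Allow":
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order}")


if __name__ == "__main__":
    for ua in ("EmailWolf 1.00", "emailwolf/2",
               "Mozilla/4.0 (compatible; EmailWolf)"):
        verdict = "allowed" if decide({"User-Agent": ua}) else "denied"
        print(f"{ua!r:45} -> {verdict}")
```

The pattern is anchored with ^, so only agents whose string begins with EmailWolf are caught. Under Order Deny,Allow the same Allow from all would let the bot through, which is why the Order line matters as much as the Deny line.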
Username-Based Access Control
The following lines load this module:
LoadModule auth_module libexec/httpd/mod_auth.so
AddModule mod_auth.c
You'll remember mod_auth from Part 4 of our omnibus, where we chatted about password protecting certain directories. We walked through creating an .htpasswd file, which contained all our usernames, and then we created an .htaccess file like so:
AuthName "Uber Goober Ad Campaign"
AuthType Basic
AuthUserFile /Library/WebServer/.htpasswd
Require valid-user
With the above .htaccess file sitting in a directory, we're restricting access to that directory with a password. If any valid-user from the AuthUserFile enters the correct username and password, then we let them in -- everyone else is denied. As in our previous article, if you want to use features like AuthGroupFile or the other require directives, then I'm going to push you rudely to Apache's Web site -- they give a decent tutorial there.
There are two more authentication modules related to mod_auth, and they're normally commented out in your Apache configuration file. The relevant lines look like so:
#LoadModule dbm_auth_module libexec/httpd/mod_auth_dbm.so
#LoadModule digest_module libexec/httpd/mod_digest.so
#AddModule mod_auth_dbm.c
#AddModule mod_digest.c
We won't be touching on these here -- they're commented out for a reason. Most of the time, if you have special needs for authentication involving different file structures, this is where you'd look. The module mod_auth_dbm covers storing the password information in a DBM file, whereas module mod_digest "implements an older version of the MD5 Digest Authentication specification which will probably not work with modern browsers."
There may be some interest in anonymous access control, though. This feature allows you to "authenticate" users, but to do so without knowing who the user is. You can use anonymous control in conjunction with other access control methods (like Allow, Deny, and AuthUserFile).
Why would you want something like this? Perhaps you've got a large amount of documents you don't want indexed by search engines -- you could try a robots.txt file, but some engines don't listen to them. With anonymous access control, you can allow anyone who'll take the time to read your directions.
The actual module lines for anonymous access control are commented out in your configuration file, so to follow along with these examples, you'll need to uncomment them and then restart Apache. I also assume you're putting the examples in an .htaccess file (instructions on how to use .htaccess files are in Part 4). The module lines look like so:
#LoadModule anon_auth_module libexec/httpd/mod_auth_anon.so
#AddModule mod_auth_anon.c
With the above uncommented and Apache restarted, plop the following into your .htaccess and save to the directory you want to protect (I'll save my copy into /Users/deedee/Sites):
AuthName "anonymous/your email"
AuthType Basic
Require valid-user
Anonymous orko bender
Anonymous_Authoritative on
You should recognize the first three directives, as they're typical of what we've seen before (before, we gave AuthName a whimsical value -- in this case, we're using it as mini-instructions for the visitor). The Anonymous directive controls what usernames should be considered "anonymous" -- in this case, we've got "orko" and "bender," but we could just as easily have chosen "overtkill," "charizad," and "slimer" too.
The Anonymous_Authoritative controls whether we want to pass unauthorized usernames and passwords off to another authentication scheme for processing. If we say "on," then anonymity is king -- either the visitor logs in with "orko" or "bender" or they're not allowed access.
On the other hand, if we say "off" then we can add in some of what we already know -- authentication via passwords. Take a look at the configuration below. If the user does not log in with "heenie" or "retrogirl" then the username is passed off to the AuthUserFile, where it's checked against the password file. If it doesn't exist in that file either, then the user is denied.
AuthName "anonymous/your email"
AuthUserFile /Library/WebServer/.htpasswd
AuthType Basic
Require valid-user
Anonymous heenie retrogirl
Anonymous_Authoritative off
As is typical, you can be as serene or as complicated as you want. The following configuration will allow any user to get a directory listing. Any user listed in the AuthUserFile can get access to all .jpg files, as well as any anonymous user logging in with "mrs_decepticon" or "spiderj" assuming they enter a valid email address (one with a "@" and "."). Finally, only the "eustace" user can download MP3 files:
AuthType Basic
AuthName "anonymous/your email"
AuthUserFile /Library/WebServer/.htpasswd
Anonymous mrs_decepticon spiderj
Anonymous_Authoritative off
Anonymous_VerifyEmail on
<Files *.jpg>
Require valid-user
</Files>
<Files *.mp3>
Require user eustace
</Files>
You can, of course, get even more convoluted, restricting by IP address or hostname, environment variables, and "oh, the madness!" Just make sure you comment your craziness -- it's certainly easy to get confused as to who has access to what.
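Because it is easy to lose track of who gets what, here is a Python model of the last configuration above, tracing the path a request takes through mod_auth_anon, then mod_auth, then the Require of the matching Files section. It is an added example, not Apache's code or the article's; it assumes an .htpasswd with {SHA} entries (htpasswd -s) rather than the crypt() format the article's file most likely used, and the users, passwords and paths are constructed.

```python
"""Model of the last mod_auth_anon/mod_auth configuration above (constructed
example, not Apache's code). Assumed: the .htpasswd holds {SHA} entries
(htpasswd -s), so the check needs only the standard library; the article's
file was most likely created with crypt()-style passwords."""
import base64
import fnmatch
import hashlib


def sha_digest(pw):
    """The {SHA} form Apache accepts in AuthUserFile: base64 of the raw SHA-1."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(pw.encode()).digest()).decode()


# Constructed .htpasswd contents: two ordinary (non-anonymous) users.
HTPASSWD = "\n".join(f"{u}:{sha_digest(p)}"
                     for u, p in (("eustace", "m0zart"), ("deedee", "dexter")))

CONFIG = {
    "anonymous": {"mrs_decepticon", "spiderj"},  # Anonymous mrs_decepticon spiderj
    "anonymous_authoritative": False,            # Anonymous_Authoritative off
    "anonymous_verify_email": True,              # Anonymous_VerifyEmail on
    # <Files> sections in configuration order: (pattern, Require arguments)
    "files": [("*.jpg", ("valid-user",)), ("*.mp3", ("user", "eustace"))],
}


def parse_htpasswd(text):
    creds = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            user, digest = line.split(":", 1)
            creds[user] = digest
    return creds


def authenticate(user, pw, cfg, creds):
    """Return the name Apache would record for the request, or None.
    mod_auth_anon sees the credentials first; mod_auth only gets them when
    the name is not an anonymous one and Anonymous_Authoritative is off."""
    if user.lower() in cfg["anonymous"]:
        # The password is the visitor's e-mail; Anonymous_VerifyEmail only
        # insists on an "@" and a "." somewhere in it, and the default
        # Anonymous_MustGiveEmail rejects an empty one.
        ok = bool(pw) and (not cfg["anonymous_verify_email"]
                           or ("@" in pw and "." in pw))
        return user if ok else None
    if cfg["anonymous_authoritative"]:
        return None  # "on": no other module gets to check the password
    return user if creds.get(user) == sha_digest(pw) else None


def authorize(path, user, cfg):
    """Apply the Require of the last <Files> section matching the file name;
    with no matching section nothing is required (the directory listing)."""
    required = None
    for pattern, req in cfg["files"]:
        if fnmatch.fnmatch(path.rsplit("/", 1)[-1], pattern):
            required = req
    if required is None:
        return True
    if required[0] == "valid-user":
        return user is not None
    return user is not None and user in required[1:]  # Require user ...


def request(path, user=None, pw="", cfg=CONFIG, htpasswd=HTPASSWD):
    """Outcome of one request: True = served, False = challenged/refused."""
    who = authenticate(user, pw, cfg, parse_htpasswd(htpasswd)) if user else None
    return authorize(path, who, cfg)
```

Flipping anonymous_authoritative to True in CONFIG shows the "on" behaviour from the earlier example: eustace's real password is never consulted, so even he is locked out of the MP3s.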
Huh? What's That Noise?
Something startles you out of your reverie -- a rather rude employee down the hall slamming doors or doing some other bit of mundania. Shaking your head and murmuring about "15 minutes to get back to the zone," you stand up to stretch your unused limbs of movement. Some ornament on the wall blinks and jumps off a badly painted cliff. You can't believe the time -- not even half the day has gone by.
With your module exploration nearly finished, you figure you'll be done by the end of the workday. Keep watch for "Apache Web-Serving with Mac OS X, Part 7," where we'll finish our spelunking and increase our Web-serving knowledge in places where most haven't delved.
If you're feeling especially adventurous, hunt down the 20 comic book and cartoon characters spread throughout this article. Each character is from a comic book or cartoon I personally read or watch (some easy, like "scary godmotherish" being from Jill Thompson's "Scary Godmother"; some delightfully esoteric). Your task: identify which book or show they come from. The person who emails me the most correct entries will be mentioned in the next article, as well as receiving something random in the mail from yours truly. Good luck!
Kevin Hemenway is the coauthor of Mac OS X Hacks, author of Spidering Hacks, and the alter ego of the pervasively strange Morbus Iff, creator of disobey.com, which bills itself as "content for the discontented."
Showing messages 1 through 27 of 27.
-
path for modules
2005-06-29 13:29:37 secretagent1337 [Reply | View]
Page 1 of the article states that the path to the module files is /usr/libexec/apache. I found that on OS X 10.3.9 the path is actually /usr/libexec/http.
-
Mistake in the AliasMatch example
2005-04-28 04:36:30 UltraBob [Reply | View]
Great series! I found a mistake in your little side example of an AliasMatch directive:
AliasMatch ^/~penfold/docs/(.*) "/Developer/Documentation/"
should be:
AliasMatch ^/~penfold/docs/(.*) "/Developer/Documentation/$1"
-
OpenSSL
2003-04-25 07:37:00 anonymous2 [Reply | View]
I'm trying to learn how to secure a form on our site. Everything I'm reading tells me to use openssl.
I want to run openssl, do I have to download it and install it or does it come installed on OSX? If I have to download it which version would I download? I see 4 or 5 different downloads and installations.
Thanks for any help,
Dom..
-
port-forward
2003-01-06 11:34:31 anonymous2 [Reply | View]
can anyone tell me how to do this or where to find info on this. i am behind a firewall care of my isp.
thanks for your time
jon
-
port-forward
2003-11-10 19:35:26 anonymous2 [Reply | View]
if you want to forward all info going to port 21 to say, 1500, you would use the following in terminal.
ssh -L 21:127.0.0.1:1500 127.0.0.1 -n -f -N
There is a catch. Port 22 needs to be open for this to work. I don't know of a way to do it without, but if anyone knows, I could use it.
-
Intranet Only????
2002-12-17 21:09:49 anonymous2 [Reply | View]
I can't seem to connect to my site through a computer outside my network... this sounds dumb, but is this set up allowing ONLY intranet connections? what am I doing wrong? everything else has been great though...
-
What about email?
2002-12-06 14:53:29 keithflux [Reply | View]
I am setting up a web server, with all the great help I have learned here...I am having dynamicDNS point to my domain...Now how do I setup email using my new domain?
I have seen the article for 10.2 sendmail...but is there a way to do it on 10.1.5?
thanks
-
Problems POSTing data to PHP scripts
2002-10-20 19:42:54 anonymous2 [Reply | View]
The info provided is great. I have everything installed in MacOS X 10.1.5 and PHP and MySQL seem to work great (by great, I mean it works almost like my linux box), except for one major problem: phpMyAdmin cannot create or update data. In a simple html form with POSTed data, I cannot update any of my tables. If I use the mysql client in the Terminal app, everything works fine (just like it does in linux). In fact, the same scripts running on my linux box work great, accepting the POST'ed data like they should and updating databases and tables like they should. But in MacOS X, none of the POSTed data gets accepted by the PHP scripts. What's the deal?
-
Problems POSTing data to PHP scripts
2003-01-30 20:58:57 anonymous2 [Reply | View]
You need to place the following line in /usr/local/lib/php.ini:
register_globals = on
then sudo apachectl graceful to restart apache
-
Problems POSTing data to PHP scripts
2003-02-16 11:28:50 qwave [Reply | View]
...or you could start using the new PHP 4 global variables handling. You will need this for your PHP scripts if you have to use other servers using PHP4 where you don't have access to the php.ini file.
Using the new PHP4 way of accessing global variables will improve the security of your PHP scripts.
-
OS X Server 10.2.1 & server aliases
2002-10-07 17:48:49 anonymous2 [Reply | View]
If you do ever do an article on Virtual Hosts (have them running) there are a number of tricky points. In particular the information provided with the "Server Settings" application is missing a lot.
For example, suppose I want to have Apache (OS X Server 10.2.1) respond for both www.whateverdomain.com and whateverdomain.com serving files1
and www.whateverdomain2.com and whateverdomain2.com serving files2 etc.
I do not see how to do this with the "Server Settings" program.
Some questions:
1. For example, can I enter "www.halloween.com, halloween.com" in the "Name" section? It didn't seem to work.
2. I could create a second site (e.g. have two entries in the "Sites" list) for each name, one "www.domain1.com" and the other "domain1.com" but that is silly to do.
3. Are there other options from within ServerSettings?
I can do it with the Apache server directive "ServerAlias" in the Mac OS X server httpd config file and what I did as a stop-gap measure. Obviously I would prefer to avoid doing things with the text files as it is much easier to mess things up!
I don't see a discussion of this in any of the OS X Server guides that came with 10.2 so it might be a good topic!
:-)
-
what about Virtual Hosts?
2002-09-18 11:22:37 tatlar [Reply | View]
Kevin,
Love the articles! They have helped me no end.
However, I would really like to see some info on setting up Virtual Hosts - I have tried to do this already, but without success, and have had to shelf the project and put up with the error messages I am getting! Apple's OS X Server help pages are useless, and I like your style.
Any chance of some tips???
Keep up the good work,
- Tatlar
-
what about Virtual Hosts?
2002-10-10 22:31:02 kiddailey [Reply | View]
I forgot to mention that this change affects even your localhost and ip-based urls... so typing in http://localhost or the localhost ip will try to look for a corresponding folder :)
It's not perfect, but it works!
-
How to setup virtual hosts
2002-10-10 22:24:36 kiddailey [Reply | View]
Tatlar:
I grew impatient and figured out a way to do this myself -- it was much easier than I thought it would be. Standard disclaimer applies: it worked for me, but I take no responsibility :)
Step 1:
-------
Load up your httpd.conf file (/etc/httpd/httpd.conf) in your favorite text editor, and uncomment the following lines by removing the pound sign (#):
#LoadModule vhost_alias_module libexec/httpd/mod_vhost_alias.so
#AddModule mod_vhost_alias.c
Step 2:
-------
Search for the following line:
UseCanonicalName On
... and turn it off by changing it to:
UseCanonicalName Off
Step 3:
-------
Add the following line right below the last one you modified in step 2:
VirtualDocumentRoot /Library/WebServer/Documents/%0
Basically this says reroute to the folder that matches the server name. i.e. http://www.foo.com -> /Library/WebServer/Documents/www.foo.com/ In theory, you could use any folder, but I chose to simply repurpose my webserver documents directory.
Step 4:
-------
Save the file and restart your web server (turn web sharing off and then on again).
Now the trick to getting this to work completely is to simply create folders for each domain name you want to host virtually. For example, say you have two sites: www.foo.com and www.bar.com. In your webserver documents folder, you'd simply create folders with the same names:
/Library/WebServer/Documents/www.foo.com
/Library/WebServer/Documents/www.bar.com
And put the files for each site in the respective folders.
Magic!
Note that you might need to tweak this to get www.foo.com and foo.com to point to the same place (using aliasing, I'd imagine). You can read all about the vhost_alias module and VirtualDocumentRoot directive at http://httpd.apache.org/docs/mod/mod_vhost_alias.html
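The %0 in the VirtualDocumentRoot line above is one of mod_vhost_alias's interpolation tokens. The following Python model of that interpolation is an added example, not code from the module or from this thread; it covers %0, %N, %-N, %N.M and %% (not %N.M+ or %p), renders a missing part as a single underscore as the mod_vhost_alias documentation describes, lower-cases the name (this model's choice), and validates the name first because with UseCanonicalName Off it is whatever the client put in the Host: header.

```python
"""Model of VirtualDocumentRoot interpolation (constructed example; not
mod_vhost_alias's code). Handles %0, %N, %-N, %N.M and %%."""
import re

# With UseCanonicalName Off the server name comes from the client's Host:
# header, so only a plain dotted hostname is accepted before it is used
# to build a filesystem path.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$")
TOKEN_RE = re.compile(r"%(?:(?P<pct>%)|(?P<n>-?\d+)(?:\.(?P<m>-?\d+))?)")


def is_plain_hostname(name):
    return bool(HOSTNAME_RE.match(name.lower()))


def pick(items, n):
    """%N semantics: 0 = all of it, N = Nth from the start, -N = Nth from
    the end; None when there is no such item (rendered as "_")."""
    if n == 0:
        return items
    idx = n - 1 if n > 0 else len(items) + n
    return items[idx:idx + 1] if 0 <= idx < len(items) else None


def interpolate(template, hostname):
    """Expand one VirtualDocumentRoot template for the given server name."""
    if not is_plain_hostname(hostname):
        raise ValueError(f"not a plain hostname: {hostname!r}")
    parts = hostname.lower().split(".")

    def expand(m):
        if m.group("pct"):
            return "%"
        chosen = pick(parts, int(m.group("n")))
        if chosen is None:
            return "_"
        piece = ".".join(chosen)
        if m.group("m") is None:
            return piece
        chars = pick(list(piece), int(m.group("m")))
        return "_" if chars is None else "".join(chars)

    return TOKEN_RE.sub(expand, template)


def document_root(hostname, template="/Library/WebServer/Documents/%0"):
    """The directory the configuration in step 3 would serve for a name."""
    return interpolate(template, hostname)


if __name__ == "__main__":
    for name in ("www.foo.com", "foo.com"):
        print(f"{name:12} -> {document_root(name)}")
```

Running it for www.foo.com and foo.com shows the caveat in the post above: %0 is the whole name, so the two names map to two different directories unless you alias one to the other.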
-
Enabling WebDav?
2002-09-11 20:00:10 joefaber [Reply | View]
I saw some rather brief instructions on the Apple support message boards, but I'd love to find something that was a little more step-by-step about how to enable WebDav on Apache... I want to serve up my iCal calendar... Any suggestions where to look?
thanks!
j
-
Symlink vs OS X aliasing
2002-08-29 16:58:13 chfriley [Reply | View]
Will the Mac OS X version of Apache ever follow Finder Aliases as it does symlinks? (Or does it already and I am just missing it?)
:-)
-
Apache tanks
2002-08-28 12:02:35 ellem [Reply | View]
Where do people talk about Apache? I can't find any newsgroups; is there a mailing list? Help.
**********
Date/Time: 2002-08-28 14:38:58 -0400
OS Version: 10.1.5 (Build 5S66)
Host: localhost
Command: httpd
PID: 383
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000001
Thread 0 Crashed:
#0 0x4be5d294 in S_new_xpvnv
#1 0x4be5f7dc in Perl_sv_2nv
#2 0x4be011f8 in perl_construct
#3 0x001ead20 in perl_startup
#4 0x001ea930 in perl_module_init
#5 0x0000edb8 in ap_init_modules
#6 0x00006750 in standalone_main
#7 0x000070e0 in main
#8 0x00001f18 in _start
#9 0x00001d48 in start
**********
-
How To Enable "mod_perl"????
2002-07-08 09:53:24 imalgen [Reply | View]
Hello....
I have the built in Apache/1.3.20, running on OS X version 10.1.... Everything is working so far :)......
But now I would like to use some perl scripts.... I'm guessing that I have to enable this 'mod_perl module', thingie, right? The
one that you find in 'httpd.conf' file... or is there more to it..... Any help or instructions would be most appreciated.... Thanks.
Jon...
-
Great .. but I also need FTP Control
2002-07-05 02:02:43 redleader [Reply | View]
Hi, firstly thanks for the great articles 1...6 :-)
The only item I want to do now is ensure that users accessing their ~users area by FTP or file sharing only get access to that folder and below.
Hope you can help on that. I'll then have a full ISP web serving solution / simulation for our college!
tasc@jamesrothschild.net
-
mod_rewrite
2002-05-03 10:33:49 mhuber@terrawebdesign.com [Reply | View]
Hi
Has anyone successfully used mod_rewrite on OSX? With the standard Apple Apache server I could not set up .htaccess to rewrite URLs properly.
Thanks for your help
-
how about...
2002-05-02 15:19:59 greenfruit [Reply | View]
how to set up a php/mysql bulletin board. i am a NOVICE, but for the life of me, i cant get ANY working.
-
Very informative
2002-04-27 18:31:30 geffino [Reply | View]
I'd simply like to thank the author for the wonderful articles thus far presented in this series (1-6). I've learned a great deal in a very short period of time. I just discovered the series earlier today and had everything from the first six installments up and functional within a couple of hours.
Cheers,
JH
-
Mod_Digest
2002-04-25 23:50:01 aly77 [Reply | View]
I have been reading conflicting reports as to whether or not it is possible to use Digest Authentication with Apache on Mac OS X. Up to date -- today, April 2002 - do the browsers Explorer 5.0 and Netscape Communicator 4.7 support Digest? And if so, can you give details on the correct syntax to use for the .htaccess file and the .htdigest file. Also, could you explain how the AuthGroupFile works and where to put it, ie, do you put it at the top level or at the level that you want to limit groups, or both? I have 3 groups and need to put permissions on several directories, I have read the concepts in books and web sites over and over, but they only mention 1 group. Will the users need to type in passwords a second time for entrance into deeper files, or will the user names included in the AuthGroupFile be sufficient?
-
Mod_Digest
2002-04-26 04:55:30 Kevin Hemenway [Reply | View]
Before you go on, you may want to read this report concerning IE and Digest authentication. In a nutshell, the report says that IE won't work with Digest authentication unless the underlying server is IIS. As for NS 4.7, I can't tell you - I never investigated it much further after I read "will probably not work with modern browsers". I try to stay away from stuff that doesn't work everywhere.
As for the AuthGroupFile, you can put it anywhere you want - it'll only become active if you use a "require group" directive, as opposed to a "require user" directive (which dips into AuthUserFile).
Concerning your directory hierarchy: .htaccess files do not merge, so only the "nearest" .htaccess file will be taken into consideration, whether that be in the current directory, the parent directory, or the great great great grandparent directory. If you put an .htaccess file in the ggg grandparent directory, then it will affect all subdirectories beneath it, unless of course, another .htaccess appears in them.
If there is only ONE .htaccess file in the ggg grandparent directory, then the user won't need to be authenticated for any of the subdirectories. If, however, they authenticate in the ggg grandparent directory, and then dip into a subdirectory that has its own .htaccess file (with a diff. authentication scheme perhaps), then authentication would probably occur again (honestly, that's a guess, though -I've not tested it just now).