Apache Web Serving with Jaguar, Part 4
Pages: 1, 2
User-Based Configurations
Patti. Dear, dear Patti. The cutest secretary in the world, but also a rabid collector of fax cover sheets. Being on the boss' good side has granted her the privilege of running a personal web site, where she can share the dirt on Californian headers and Alabama footers. We didn't touch upon user-based configurations in the first three articles, but Mac OS X approaches them a bit differently than you'll find in most Apache installations.
In most pre-installed or from-source installations, user-based web serving like http://127.0.0.1/~patti/ is handled generically -- for every user on the system, be it two or two thousand, the same configuration applies. If an administrator wanted to change the capabilities of user "mimi," he'd usually have to create a specific <Directory> block within the httpd.conf file.
Mac OS X makes this a lot easier by creating a config file for each user of the system. These files are located in /etc/httpd/users/ and take the form of username.conf. If I open patti.conf, for instance, I see:
<Directory "/Users/patti/Sites/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>Note that this looks very similar to the directory we've been modifying for our GatesMcFarlaneCo site:
<Directory "/Library/WebServer/Documents">
Options Includes Indexes FollowSymLinks MultiViews
AllowOverride None
Order deny,allow
Deny from all
Allow from gatesmcfarlaneco.org
</Directory>Because of the similarities, everything we've learned in the previous articles can also be applied to these user-specific directories. Take a look at the modified patti.conf below, which allows SSI and CGI, as well as unrestricted access from the outside world:
<Directory "/Users/patti/Sites/">
Options Includes Indexes Multiviews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /~patti/cgi-bin/ "/Users/patti/Sites/cgi-bin/"With the above configuration, Patti can web serve with the best of 'em, adding message boards or discussion groups to each specimen of her faxtastic collection. By modifying only the patti.conf file, we can turn features on or off for only her directory, without affecting the main GatesMcFarlaneCo configuration.
Changing Your Configuration With .htaccess Files
As you've run through these various tweaks and twiddles of the Apache configuration file, one thing has always remained true: to make the changes active, you've had to stop and start Apache after each edit. Not only is this tedious and subject to forgetfulness, it's also avoidable with a little thing called an .htaccess file.
The .htaccess file, when enabled, allows you to control and override a large portion of the Apache configuration without having to stop and start after every change. Once you've instructed Apache to enable .htaccess control, you no longer have to be a privileged user (like an administrator) to enact changes.
Think of .htaccess files as user-modifiable Apache configurations that only affect the directories in which they reside. Let's search through our Apache configuration file and see what we find. Our first result for .htaccess is actually a comment:
# This controls which options the .htaccess files
# in directories can override. Can also be "All",
# or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit".
AllowOverride NoneBy now, this should be old hat to you -- this AllowOverride directive is contained within the <Directory> block we've been messing with for the main GatesMcFarlaneCo intranet. Since .htaccess files can override a large portion of the Apache web server configuration, they're incredibly powerful, but also dangerous. A foolhardy user could easily disable or misconfigure parts of their site due to an incorrect directive. As such, .htaccess files have different levels of control. One of these levels is None -- in other words, .htaccess files have no control over any part of the Apache configuration and are simply ignored. You can find more information about the different levels of control in the AllowOverride documentation at the Apache site.
For now, change the AllowOverride line to:
AllowOverride AllThis allows us to override everything available to us within our .htaccess file. In this case, we're changing the AllowOverride line for the /Library/WebServer/Documents directory. If you're looking to give your user directory .htaccess control, be forewarned -- the process is not as perfect as you'd expect. You can turn on the .htaccess feature simply enough, but some directives that rely on Apache's DocumentRoot, like ErrorDocument, will fail. Sometimes, you can cheat -- in the case of ErrorDocument, you can refer to a URL instead of a local file.
For one final time, stop and start the Apache web server. Now what?
.htaccess files are plain text files, placed in the directory in which you want them to be active. We're going to create a quick and dirty example now, so open up a text editor and save an empty .htaccess file into the /Library/WebServer/Documents directory. After you've done that, take a look at the example .htaccess file below, which has been commented for the sake of your childlike innocence:
# override the ErrorDocument defined in our
# main Apache configuration file. use "404.html"
# instead. if this .htaccess file is going to be
# active under a user directory, this line will
# need to be modified to something like (replaced
# with your real domain/IP and username, of course):
# ErrorDocument 404 http://domain.or.ip/~user/404.html
ErrorDocument 404 /404.html
# hey, someone typo'd our contact page, so we'll
# permanently redirect "contct.html" to the correct
# filename, "contact.html". if using this under a
# user directory, modify to "/~user/contct.html",
# and be sure to tweak the URL appropriately.
Redirect /contct.html http://localhost/contact.html
# RedirectMatch's are useful to do mass redirections
# based on certain match criteria. in this
# example, we're redirecting ALL .html files in
# this directory to .shtml files with matching names.
# .htaccess files are read from top to bottom, so if
# someone mistypes "contct.html", they'll be redirected
# to contact.html with the above line, and then
# redirected to contact.shtml with this line.
RedirectMatch (.*)\.html$ $1.shtmlAs mentioned, you can use most directives that you've learned throughout this series. For example, if you wanted to turn on SSI, stop Apache from autogenerating indexes, and allow access to only people from oreilly.com, you could add the following:
Options Includes -Indexes
Order deny,allow
Deny from all
Allow from oreilly.com.htaccess files apply to the current directory and all subdirectories, as long as none of the subdirectories have their own .htaccess file. If one does exist, the contents of that .htaccess file are used instead. Be aware, however, that creating an .htaccess file under OS X may be harder than you think. Since "dot files" are considered special, you'll be hard pressed to actually create one using the Finder -- you'll be admonished that they're reserved for system use. As such, you should either create them through the Terminal with touch .htaccess, or else work on a file named htaccess and then mv htaccess .htaccess when you're ready.
Password Authentication
One of the most common uses of .htaccess files is password-protecting a directory. When protected directories are accessed, a visitor's browser will prompt for a username and password. If the visitor authenticates correctly, they're allowed in -- if not, an error 401 is triggered, and the visitor is denied.
So yes, Dan from Marketing, we did get your email (and its annoying and frequent follow-ups), and yes, we're going to password protect the "super-secret ad campaign" directory you've been working oh-so-hard on (snicker, snicker, Reese's Pieces).
|
Related Reading Mac OS X Hacks |
To start the process, we're first going to create the user database. This database will contain all of the usernames and passwords that will be authenticated against -- they're not keyed to any specific directory, so you could use one database for three hundred users spread across two dozen directories. To create the database, get into your Terminal and gaze blurry-eyed at the command below:
htpasswd -c /Library/WebServer/.htpasswd danIt's nice and innocent, right? htpasswd is the name of the utility that creates and modifies this user database of ours. The -c says "if this database doesn't exist, create it." /Library/WebServer/.htpasswd is the full path to our database file, and you'll want to take special notice that it's outside of Apache's DocumentRoot (which, in OS X, is defined as /Library/WebServer/Documents). Sticking the file outside of the DocumentRoot ensures that no one can view this database from the Web. Finally, dan is the user that you want to add to the database. An output of this command is below:
htpasswd -c /Library/WebServer/.htpasswd dan
New password: ********
Re-type new password: ********
Adding password for user danYou'll want to make sure that when you add new users to an existing database file that you do not use the -c flag. Doing so will overwrite your existing file with a brand new one. Not so good, bub. Adding another user is a simple process (note the lack of the -c flag):
htpasswd /Library/WebServer/.htpasswd mishka
New password: *********
Re-type new password: *********
Adding password for user mishkaIf you look at /Library/WebServer/.htpasswd, you'll see the added users:
dan:Vcv7xTIIW6g7U
mishka:3c4T6IdfWweUNext, it's really just a matter of telling Apache what directory we want to secure. Open (or create) your .htaccess file, and add the following:
AuthName "Uber Goober Ad Campaign"
AuthType Basic
AuthUserFile /Library/WebServer/.htpasswd
require valid-userAuthName will be shown as the title or description of the password box that a visitor's browser will show and, in Apache lingo, is called a "realm." AuthType is set to the standard Basic authentication. (A Digest authentication exists, but is outside of the scope of this article.) AuthUserFile should be self-explanatory.
The require line deserves some discussion. With it, you can tell Apache to allow any user in the AuthUserFile access (as we've done above), or you can tell Apache to allow only certain people access. In the example below, only the users "dan" and "mishka" can authenticate to realms with the name "Uber Goober Ad Campaign." Any other users in the AuthUserFile will be denied:
require user dan mishkaUsers can also be defined by groups -- for example, you could place "dan," "mishka," and "morbus" into a group called "Marketing," and "themadman," "ashcraft," and "sprocket" into a group called "Design." From there, you could restrict access by group instead of username. For these configurations and more about digest authentication, refer to Apache's Authentication, Authorization, and Access Control docs.
Tomcat and Secure Servers
Some of the smarmier developers at GatesMcFarlaneCo (Matt and Jeff, particularly) are fans of Java servlets secured with SSL technology. I could cover those here, but Apple has already released some rather good articles on the subject over at their Internet Developer site. I heartily recommend you check out "Using mod_ssl" and "Java and Tomcat" (parts I and II).
Conclusion
A lot of rather nifty things can be done with a stock Apache install, and we've only touched on a few of the more common features above. We haven't played with how to modify the appearance of Apache's auto-indexes, how to use the mod_speling module to duplicate our spelling Redirect, or even how to set up fake virtual hosts to more adequately mimic ISP environments.
Yet, we must move on. As we look at the list of requests for the GatesMcFarlaneCo intranet, only two or three remain, and they all involve something spooky called a "database." What is this monstrosity? What's EssQueueEll? Juan es muy guapo! (Bonus points to those who figure out the tenuous connection between this and the Hitchhiker trilogy joke.) How do I install it, and even worse, what do I do upon success? Find out in part five of our Web Serving trilogy, available a few scant days after you start sweating with impatience.
Kevin Hemenway is the coauthor of Mac OS X Hacks, author of Spidering Hacks, and the alter ego of the pervasively strange Morbus Iff, creator of disobey.com, which bills itself as "content for the discontented."
Return to the Mac DevCenter.
You must be logged in to the O'Reilly Network to post a talkback.
Showing messages 1 through 28 of 28.
-
Problems with .htaccess
2004-07-24 18:41:54 mel_david [Reply | View]
OK, I have so far followed all the tutorials from Part 1 to half-way through Part 4 without any problems.
Then when .htaccess files were introducedand I kept getting errors.
I had made the .htaccess file for a directory using BBEdit and once I'd renamed the file from htaccess to .htaccess and tried to access that direcoty via my browser I get an internal server error. This infuriated me for hours and was about to give up on the whole tutorial altogether. My affair with Apache was going to be short-lived, or so I thought.
...
Then as a last measure, I rewrote the .htaccess file from scratch using TextEdit and the "Make Plain Text" option, and renamed it in the Terminal. Voila it now works. I was able to get Password Authentication to finally work as well as other directives such as ErrorDocument.
*dances around the room with glee*
What I want to know though is why can't I use BBEdit to make a working .htaccess file? It seems the problem is that Apache it is not recognising line breaks from .htaccess files made by BBEdit.
Could somebody please explain why. Thanks in advance.
-
Access through my home folder
2004-02-16 02:44:21 justjon [Reply | View]
Hello everybody,
I've been following along with the tutorials and no longer seem to be able to access any pages inside my home folder. All pages in the actual server root folder are fine but any in my home folder get a "Can't find URL message". I've reinstated the default Apache configuration but still no joy. If anyone has got any ideas it would be greatly apprechiated.
-
Easier editing of .htaccess files
2004-01-24 08:29:45 nat0 [Reply | View]
I thought of a better way of getting around the .htaccess files being invisible in the finder.
1. Make a text file called htaccess
2. Right click on the text file and make an alias of it
3. Head over to the terminal and type: mv /path/to/htaccess /path/to/.htaccess
4. Back into the finder: rename htaccess alias to htaccess and voila
you now have a .htaccess file that can be opened with the gui text editor of your choice from the finder (though the alias which is not hidden)
Enjoy!
-
Robust
2003-11-13 17:54:35 anonymous2 [Reply | View]
I need to deploy a web site for a small company and was wondering if Jaguar and Apache are robust enough to handle it.
I don't want to use NT for price and security reasons and have nothing against Linux but I have no Linux experience so OS X is looking mighty sweet right now.
Any thoughts....I'm thinking an E-Mac and Jaguar would make a pretty sweet little web server and could execute the CGI and PHP scripts I need.
-
.htaccess in user/Sites
2003-11-02 19:27:44 pearsonjc [Reply | View]
Loved the article, and was successful in turning on user authentication for the /library/webserver/documents/ directory. I put the same .htaccess file in the ~username/sites/ directory but it did not "turn on" authentication behavior. I tried using both IE and Safari with no luck.
-
cgi/perl ... a marble missing?
2003-08-21 23:30:03 anonymous2 [Reply | View]
I like my perl scripts, and thanks to Jaguar and to the great articles here, I can now scribble away after a few tweaks, and test my cgi scripts on the same CPU. HOWEVER, I use modules (.pm) to save on my code in various scripts. In short, I get an ISE 500 during testing - my PMs are not linked (?). my script.cgi exists, has all permissions, and runs dandy in terminal with linked PMs.
What's missing? I deduct it's something in apache's config? -
cgi/perl ... a marble missing?
2003-08-22 08:50:26 anonymous2 [Reply | View]
The problem was a bit more complicated, and obvious to the eye of a friend of mine. BBEdit does save/handle files according to the system they're made on. Meaning, my windows created files have that nasty different carriage return, wich puts sand into the perfectly working gear of perl. You wouldn't notice it until you look at it with vi.
So I do an Emily Litella: that's very different...nevermind.
So, now stop throwing your No.2s and pocket protectors at me, I did switch away from winblows.
-
Making this work with OS X Server
2003-08-21 07:40:28 anonymous2 [Reply | View]
Can anyone comment on making Password Authentication work with .htaccess files and OS X Server?
Comments in the .httpd.conf file suggest that the approach presented here is (or might be depending upon what's present?) overridden by the macosxserver.conf file.
I've got a working server, but presently, macosxserver.conf seems to be empty.
Thanks, j mcd
-
.htaccess
2003-08-06 12:15:31 forgotmyscript [Reply | View]
I also love this site and this article. Very well written. I am having one problem though. I am quite new to all of this. I am doing well though. When I went to create a .htaccess with "touch .htaccess" in terminal the file went into my user directory. I would like to put it into /library/webserver/documents where it should be but the file is very stubborn and will not go. How do I move it there or just create one there? also, a htaccess file then use mv htaccess .htaccess says file does not exist. Thanks for the help....
-
Do anything different using Virtual Host ?
2003-07-14 10:08:51 anonymous2 [Reply | View]
I can't get auth to work. I get this error, "This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required." Any help, greatly appreciated.
steve edge
-
passwd auth "i only get internal server error 500"
2003-06-09 22:19:17 anonymous2 [Reply | View]
i've followed your instructions on passwd auth and i only get an internal server error 500. i've tryed various browsers and i get the same results. does anyone have any advice.
thanks, -
passwd auth "i only get internal server error 500"
2003-07-16 09:25:27 anonymous2 [Reply | View]
same problem for me...i checked the error log and it says, "[Wed Jul 16 08:44:08 2003] [alert] [client 127.0.0.1] /Library/WebServer/Documents/.htaccess: AuthName takes one argument, The authentication realm (e.g. "Members Only")... -
passwd auth "i only get internal server error 500"
2003-10-10 03:15:26 anonymous2 [Reply | View]
i had the same problem - i'd created the .htaccess file lazily, by pasting from the webpage into bbedit... :)
my fix was to ensure that the file was saved with unix line endings, and to "zap gremlins" in bbedit (i.e. delete non-ascii characters, control characters, null characters / filter line feeds).
good luck,
gjh
-
Birthday Present?
2003-05-30 06:19:48 anonymous2 [Reply | View]
Today is my Birthday. What I'd really like is an Apache Web Serving with Jaguar, Part 5 article. *smile*
PS - I love this site.
-
Dumb problem
2003-05-24 20:11:46 afghanwhiggle [Reply | View]
I know that the solution is probably simple, but I'm new to this and I can't figure it out.
The problem is, when I try to uncomment the lines in my httpd.conf file, using pico, and either command O, or just exit and try to save the changes (modify buffer) it says 'cannot open file for writing' i am just trying to create a custom error html page.
I've tried to modify it with Apache on and off, with no success, what am I doing wrong?
Thanks for the help in advance! -
Dumb problem
2003-05-28 00:46:01 anonymous2 [Reply | View]
You are not using %sudo pico /etc/http/httpd.conf
you are opening the file with pico but don't have write privledges there so you have to sudo and provide your administrator password. I've done it to and when it told me can't open to write I realized I wasnt' the admin who can write to the /etc/ directory. that is your problem. too bad it won't tell you when it opens the file so we wouldn't waste time editing something we can't save....
Kevin, Japan.
-
Been Following Series, Now Server Broken?
2003-05-19 18:20:30 anonymous2 [Reply | View]
Hello there,
I've been avidly following this series, in order to set up a personal web page, and QTSS, but now that my mac is on a home network, nothing seems to load for non-local machines, and my QTSS start-up screen will not start the server, just gives me the same screen over and over again.
I would really like to have my content back up! All my friends back home are wondering where my web pages went! Can you please help???
Thanks in advance!
-
mirroring?
2003-05-19 06:49:51 anonymous2 [Reply | View]
Is is possible to create a mirror with Apache? I have an Intranet server and I would like it to upload any changes to our external webserver. Is this possible?
-
couldn't get .htaccess working but...
2003-05-11 21:08:08 anonymous2 [Reply | View]
I found my mistake and now realize to be careful with spaces in unix. a habit when typing I guess. Thanks Kevin for a great series. I have learned so much about Apache from your articles. One question though. IE prompted for name and password on my lan but Safari didn't. When this happens is our only alternative to use IE? How would we authenticate with other browsers? If there was a command in one of the menus I wasn't sure about it. I was on the girlfriends powerbook and it was in Japanese.
Mac OS X Hacks has some great things in it. glad I bought it. -
couldn't get .htaccess working but...
2003-06-24 04:12:14 anonymous2 [Reply | View]
The only thing I can think of is that you have already authorised access to the directory in Safari. If you visit another page and then return, Safari will remember the original login info so you don't have to type it in again.
Quit Safari, fire it up again and then go back to the directory in question. Does the .htaccess file work its magic now? Of course, you may have also checked the 'Remember this password' check-box on a previous visit so the login info is now in your key chain. However, you should still see the authentication sheet. Safari will have dutifully filled in the info ready for you to OK.
If it still misbehaves try changing the required user for the directory you want to secure. Perhaps create a new "test' user first and only allow that particular user access by updating the .htaccess file accordingly.
Safari has always worked fine for me so hope something here helps :)
I think we all have waited long enough for Part5.
Untill then I'll just read the old Apache Web-Serving with Mac OS X, hope there arn't too many differences between those articles and how I should deploy this stuff in panther.