This page can serve as a starting point when deploying access restrictions to a site. If you are serious about security, you need to study the topic in more detail, at least in the Apache documentation.

Securing pages with a password

In the directory you want to protect with a password, create a file .htaccess and put the following into it:

First, we force an encrypted connection so that the password is not transmitted in plain text. This is achieved with the SSLRequireSSL directive:

SSLRequireSSL
The second option is to redirect unencrypted requests to their encrypted counterparts:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} !=on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
The rest of the file then contains:
AuthName "jmeno oblasti"
AuthType Basic
AuthUserFile /cesta/k/souboru/s/hesly
require valid-user
The AuthName item specifies the name of the protected area, which is shown to clients when they are asked for a password (a multi-word name must be quoted). The AuthUserFile item refers to the file in which all permitted usernames and passwords are defined. For illustration, let us assume that a .htaccess with the following content is placed in the directory /home/xnovak99/public_html/censored :
AuthName "Libri prohibiti"
AuthType Basic
AuthUserFile /home/xnovak99/public_html/.htpasswd
require valid-user
It specifies that access to files in the security subtree (URLs beginning with https://www.fi.muni.cz/~xnovak99/security) is granted only after entering a valid username and password according to the file .htpasswd .

The file referred to by AuthUserFile is a text file of the following form:

jmeno1:zakodovane_heslo1
jmeno2:zakodovane_heslo2
...
The password for each valid login name must be encoded with the classic Unix crypt cipher; it can be generated, for example, with the Perl or C function crypt() or with the htpasswd utility. An example password file:
bond:Xy9KgHmOmCESc
trubka:qWKFFmkF7LPjQ
So a visitor to the protected area who enters the name "bond" with the password "James", or the name "trubka" with the password "dcs.48", will be granted access.
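The following script, added here as an example (it is not part of the original page), builds and checks entries of a crypt()-style password file like the one above. It assumes the classic DES crypt() is reachable through Python's crypt module (present up to Python 3.12, removed in 3.13); the sample file content is the page's own two lines, and the user names and passwords used in the usage section are made up.

```python
import re
import secrets
import string
import warnings

# Python's crypt module wraps the platform crypt(3); it was deprecated in 3.11
# and removed in 3.13 (the `legacycrypt` PyPI package is a drop-in replacement).
with warnings.catch_warnings():
    warnings.simplefilter("ignore", DeprecationWarning)
    try:
        import crypt
    except ImportError:
        crypt = None

# Classic DES crypt output: 2 salt characters + 11 hash characters, all from this alphabet.
CRYPT_ALPHABET = string.ascii_letters + string.digits + "./"
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# The page's example password file, used here as constructed sample input.
SAMPLE_HTPASSWD = "bond:Xy9KgHmOmCESc\ntrubka:qWKFFmkF7LPjQ\n"


def crypt_available():
    """True when the platform crypt() still implements the classic DES scheme."""
    if crypt is None:
        return False
    probe = crypt.crypt("probe", "ab")
    return bool(probe) and CRYPT_RE.match(probe) is not None


def make_entry(user, password, salt=None):
    """Return a 'user:crypted' line as `htpasswd -d` would write it."""
    if not crypt_available():
        raise RuntimeError("DES crypt() unavailable; use the htpasswd utility instead")
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))
    # Caveat: classic DES crypt uses only the first 8 characters of the password.
    return f"{user}:{crypt.crypt(password, salt)}"


def parse_htpasswd(text):
    """Map user -> crypted password, rejecting malformed lines and duplicate users."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep or not user or not CRYPT_RE.match(hashed):
            raise ValueError(f"line {lineno}: not a user:crypt entry")
        if user in users:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        users[user] = hashed
    return users


def check_credentials(users, user, password):
    """True when `password` re-encrypts to the hash stored for `user`.

    Unknown users and a platform without DES crypt() both yield False, so a
    deployment check should confirm crypt_available() separately.
    """
    stored = users.get(user)
    if stored is None or not crypt_available():
        return False
    # crypt() takes the stored value as its salt argument and reuses its first two characters.
    candidate = crypt.crypt(password, stored)
    return secrets.compare_digest(candidate, stored)


if __name__ == "__main__":
    users = parse_htpasswd(SAMPLE_HTPASSWD)
    print("users:", sorted(users))
    if crypt_available():
        print(make_entry("xnovak99", "example"))  # a fresh entry with a random salt
```

The parser insists on the 13-character crypt form, so a line that accidentally contains a plaintext password is rejected instead of silently never matching. Note the 8-character limit of DES crypt: anything typed after the eighth character is ignored, which is one reason to prefer the stronger hash formats newer htpasswd versions offer.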

The password file must be readable by the web server, i.e. by the user apachefi . You can therefore grant the r permission to others on the file, and every directory on the path from the root ( / ) down to it must grant the x permission to others. A more secure way is to use an ACL: setfacl -m u:apachefi:r .htaccess . The same applies to the files in the password-protected area: they must be accessible in the file system just like unprotected pages. It is therefore clear that this kind of protection only works against people who do not have a Unix account on the server. If you want to keep the pages safe from those users as well, use ACLs or other more sophisticated methods.
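A small check of the permission chain just described, added here as an example and not part of the original page: it walks from a chosen starting directory down to the password file and reports every directory lacking x for others and a file lacking r for others. It inspects only the classic mode bits, so a file opened up purely through setfacl is still reported; the path it is run on is whatever you pass in.

```python
import stat
import sys
from pathlib import Path


def reachability_problems(path, start="/"):
    """Return the mode-bit problems that would stop an unrelated account (such as
    the web server user) from reading `path`: every directory from `start` down
    needs x for others and the file itself needs r for others. An empty list means
    the file is reachable. ACLs set with setfacl are not inspected, so a file
    made readable only via an ACL is still reported as a problem.
    """
    target = Path(path).resolve()
    start = Path(start).resolve()
    problems = []
    # Path.parents lists the immediate parent first; reverse it to walk top-down,
    # keeping only the directories at or below `start`.
    chain = [d for d in reversed(target.parents) if d == start or start in d.parents]
    for directory in chain:
        mode = directory.stat().st_mode
        if not mode & stat.S_IXOTH:
            problems.append(f"{directory}: no x for others ({stat.filemode(mode)})")
    mode = target.stat().st_mode
    if not mode & stat.S_IROTH:
        problems.append(f"{target}: no r for others ({stat.filemode(mode)})")
    return problems


if __name__ == "__main__":
    # Usage: python3 reach.py ~/public_html/.htpasswd
    for problem in reachability_problems(sys.argv[1]) or ["ok: readable by others"]:
        print(problem)
```

Run it on the password file and on the protected directory itself; if it reports problems but you deliberately rely on an ACL for apachefi, confirm the ACL with getfacl instead of loosening the mode bits.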

Kerberos

One such method is Kerberos. This system is used to authenticate users on the faculty machines and in Fadmin. Nothing prevents you from using it to authenticate the users of your site. The only limitation is that the visitor must have a valid faculty login and password.

An example .htaccess configuration:
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm FI.MUNI.CZ
KrbMethodNegotiate off
KrbVerifyKDC on
Krb5Keytab /etc/httpd/kerberos/httpd.keytab
require user login1@FI.MUNI.CZ login2@FI.MUNI.CZ
Using require valid-user instead would let anyone with a valid FI login authenticate successfully.

Kerberos + LDAP

If you want to make the page available to the members of certain faculty groups (they must be Unix groups; see aisa$ getent group ), LDAP must be used for authorization (authentication remains Kerberos).

Configuration for Kerberos looks the same as in the previous example, just add this line:

KrbLocalUserMapping on

Configuring authorization with LDAP:

AuthLDAPUrl "ldaps://ldap.fi.muni.cz ldap1.fi.muni.cz/ou=People,dc=fi,dc=muni,dc=cz?uid"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

Access for groups or individual users can then be granted using a combination of RequireAny, Require ldap-user and Require ldap-group, for example:

<RequireAny>
    Require ldap-group cn=JMENO_SKUPINY,ou=Group,dc=fi,dc=muni,dc=cz
    Require ldap-group cn=JMENO_JINE_SKUPINY,ou=Group,dc=fi,dc=muni,dc=cz
    Require ldap-user LOGIN_UZIVATELE
</RequireAny>

Managing access to pages by address / client name

In the directory whose access you want to control, create a file .htaccess and add the following lines to it:

Require ip IP1 IP2 …
Require host hostname1 hostname2 …

Only clients explicitly listed with Require … will have access to the given subtree. Any number of parameters can be given (separated by spaces). The parameter may be

If you need to allow access to everyone except selected machines or domains, the <RequireAll> container is available. Denying access from the domain nekde.cz would look like this:

<RequireAll>
    Require not host nekde.cz
    Require all granted
</RequireAll>
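To make the container semantics concrete, here is a small evaluator, added as an example and not taken from Apache or from this page, that applies Require ip, Require host, Require all and their negations under <RequireAny>/<RequireAll> the way mod_authz_core combines them: a matching rule grants, a non-matching rule fails, and a negated rule can only deny or stay neutral. The client addresses and host names in the usage are constructed sample values; ldap-group and other providers that need a directory are not modelled.

```python
import ipaddress

GRANTED, NEUTRAL, DENIED = 1, 0, -1

# The page's example, used here as constructed sample configuration.
DENY_DOMAIN_RULE = """
<RequireAll>
    Require not host nekde.cz
    Require all granted
</RequireAll>
"""


def _ip_matches(client_ip, args):
    """Require ip: address or CIDR arguments (Apache's partial dotted prefixes are not modelled)."""
    addr = ipaddress.ip_address(client_ip)
    for arg in args:
        net = ipaddress.ip_network(arg, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def _host_matches(client_host, args):
    """Require host: the reverse-resolved name itself or any parent domain of it."""
    if not client_host:
        return False  # no reverse DNS record: a host rule can never match
    name = client_host.lower().rstrip(".")
    for arg in args:
        domain = arg.lower().strip(".")
        if name == domain or name.endswith("." + domain):  # whole labels only
            return True
    return False


def eval_require(line, client_ip, client_host):
    """Evaluate one 'Require [not] provider args...' line to GRANTED/NEUTRAL/DENIED."""
    words = line.split()
    if len(words) < 2 or words[0] != "Require":
        raise ValueError(f"not a Require line: {line!r}")
    negate = words[1] == "not"
    if negate and len(words) < 3:
        raise ValueError(f"missing provider in {line!r}")
    provider, args = (words[2], words[3:]) if negate else (words[1], words[2:])
    if provider == "all":
        if args not in (["granted"], ["denied"]):
            raise ValueError(f"bad 'Require all' argument in {line!r}")
        result = GRANTED if args == ["granted"] else DENIED
    elif provider == "ip":
        result = GRANTED if _ip_matches(client_ip, args) else DENIED
    elif provider == "host":
        result = GRANTED if _host_matches(client_host, args) else DENIED
    else:
        raise ValueError(f"provider {provider!r} not modelled (needs users or LDAP)")
    if negate:
        # 'not' can only take access away: a match denies, a miss is neutral.
        return DENIED if result == GRANTED else NEUTRAL
    return result


def combine(container, results):
    """RequireAll: any DENIED -> DENIED, else any GRANTED -> GRANTED, else NEUTRAL.
    RequireAny: any GRANTED -> GRANTED, else any DENIED -> DENIED, else NEUTRAL."""
    if container == "RequireAll":
        return DENIED if DENIED in results else (GRANTED if GRANTED in results else NEUTRAL)
    if container == "RequireAny":
        return GRANTED if GRANTED in results else (DENIED if DENIED in results else NEUTRAL)
    raise ValueError(f"unsupported container {container!r}")


def _eval_block(container, lines, client_ip, client_host):
    # `lines` is a shared iterator, so nested containers consume their own lines.
    results = []
    for line in lines:
        if line.startswith("</"):
            if line != f"</{container}>":
                raise ValueError(f"unexpected {line}")
            return combine(container, results)
        if line.startswith("<"):
            results.append(_eval_block(line.strip("<>"), lines, client_ip, client_host))
        else:
            results.append(eval_require(line, client_ip, client_host))
    if container != "top":
        raise ValueError(f"missing </{container}>")
    return combine("RequireAny", results)  # top-level Require lines are OR-ed


def access_granted(config, client_ip, client_host=None):
    """True only when the whole configuration evaluates to GRANTED for this client;
    NEUTRAL (for instance nothing but negated rules) is not enough, as in Apache."""
    lines = iter(l.strip() for l in config.splitlines()
                 if l.strip() and not l.strip().startswith("#"))
    return _eval_block("top", lines, client_ip, client_host) == GRANTED


if __name__ == "__main__":
    for host in ("pc1.nekde.cz", "aisa.fi.muni.cz", None):
        print(host, "->", access_granted(DENY_DOMAIN_RULE, "203.0.113.5", host))
```

Two things the evaluator makes visible: the Require all granted line is what turns the neutral result of a non-matching Require not into an actual grant, and a client without a reverse DNS record is never matched by a host rule, so a host-based deny silently does not apply to it; for reliable denial, list addresses with Require not ip instead.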

For more detailed information, see the Apache 2.4 documentation.