
Restricted Access

“Restrict access to our website, give permission only through authentication, please do it as soon as
possible,” that's what my boss told me. Some people are taking data from our website and then
misusing it to our disadvantage. Our department should be protected. Though I hate it, now I have
to do it. The whole special web portal which was added to our website a couple of months back is to be
restricted now. The portal has more than three hundred files. Apart from htm and html files there are
Excel, Word, PDF, PowerPoint and even some text files. The clients of these pages are all across our
country through the company WAN.

All these files were earlier residing on a Windows IIS server which my department inherited then. The
server had the Windows file sharing facility. Each group of files was maintained by a different group in
our department. They edited / updated their files using Windows file sharing. Some worked from far-flung
projects. As long as Windows was running, life was easy for them. Some groups even uploaded
their own fancy html files (mostly designed in Microsoft FrontPage). It was a weird world.

But gradually it was felt that the server was getting slow and sometimes dead slow.
The IT department chipped in; they sanitized more than two hundred virus-infected files.
The server regained its performance and life became easy again.

But by the turn of the next week the viruses came back in greater numbers and the portal was almost
stalled. The IT department became busy and they cured a little more than three hundred virus infections.
After two days of intense sanitizing the server was up and running.

But again the next week the server was down. The IT head told us to remove file sharing all at once as it
was the main reason for the repeated virus infections. He was in fact very right.

The server was up but the members were dissatisfied as now they had to go to the server physically to
update their pages. Nobody liked this way of updation. Those from projects now sent their updation over
email to someone who in turn replaced it on the server.

Therefore, the idea struck my mind! What if I transfer the entire portal to one of my Linux servers?
So I dropped the 250 MB portal into the '/var/www/html/example/wwwroot/' directory of my Fedora
Core-4 LAMP (Linux Apache MySQL PHP) server. The server has the capability of running PHP, DOM,
Java, Python and Perl files. A little check from the network revealed that the portal was all working
from the Linux server without any problem. (See my earlier blog on 'wwwroot on linux'.)

For accessing / updating from the network I just gave the directory an ftp permission and wrote a small
batch file on the Windows computers. By clicking the batch file the ftp window opens for the FC-4 server.
The users can then drag and drop their updations or cut & paste as well.

After running it in parallel for a week people gave in and the new Linux FC-4 PC became the new
location of this portal. The project people could use the batch file as well for updation.
As long as the portal was running I was least bothered about the content of this portal. Most of the files
were unprofessional htm or html files that open Excel, Word, PowerPoint or PDF files. Boss was extremely
happy as there were no more virus infections.

But now the entire directory needs to be protected from unauthorized viewing.

Instead of protecting individual files one by one I decided to protect the directory straight-cut
using the htaccess facility of the Apache webserver.

By default 'htaccess' in Apache is off. To turn it on, find the 'AllowOverride None' line in the
httpd.conf file and make it "AllowOverride All". Now every time Apache fetches a page from
any directory it searches for the ground rules in the .htaccess file residing in that directory or in the
directory hierarchy above it. That means if the .htaccess file is there in the parent directory, all the
subdirectories will follow the same rule. Save the httpd.conf file and restart Apache.

# /etc/init.d/httpd restart
Shutting down httpd: [ OK ]
Starting httpd: httpd: 191.254.175.51 for Server Name
[ OK ]
[root@localhost example]#

Now open an editor (my favorite one is gedit) and write the following lines and then save it as
.htaccess in the directory you want to have restricted access.
# gedit

AuthUserFile /home/bera/website-portal/.htpassword
Authname "WROS Secure Area / or whatever you want to write here"
AuthType Basic
require valid-user

Give read permission to this file.

# chmod 755 /home/bera/website-portal/.htaccess

------------- that's all for now -------------------------------


Now every time somebody accesses the said directory, Apache will find the .htaccess file for the
ground rules and then it will go to /home/bera/website-portal/.htpassword to match the
username & password. In the .htpassword file you can have as many user & password sets as you want.

So now the only job left is to create the .htpassword file in /home/bera/website-portal/

Go to that directory and open a super terminal.


# cd /home/bera/website-portal/
[root@localhost example]# htpasswd -cm .htpassword bera
New password:
Re-type new password:
Adding password for user bera

[root@localhost example]# htpasswd -m .htpassword bera1
New password:
Re-type new password:
Adding password for user bera1
[root@localhost example]#

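The '-cm' option means create a new file ('-c') and store the password in MD5 format ('-m'). Once that
file is created we can add as many users & passwords as we want with the '-m' option alone; running
'-c' again on an existing file rewrites it and drops the users already in it.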

Now here is the content of the .htpassword file. All users have been added with MD5-hashed
passwords (the $apr1$ prefix marks Apache's salted MD5 format).

bera:$apr1$Rb2UL09H$K3VZpJbqzi21/2J47tncD/
bera1:$apr1$8RNwCVnI$6xl/FiwuW7FJPAgjBmlAt.

Every time you add a new user & password the content of this file will be changed.
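
As an added example (not part of the original post), the shell script below audits the two files created above: it reads AuthUserFile from the .htaccess, checks that the password file sits outside the document root, and reports the hash scheme of each .htpassword entry. The script name audit.sh, the function names and the ok/upgrade/weak/review verdicts are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and verdicts are
# assumptions. Paths are compared as plain strings (no symlink resolution).

# Print the AuthUserFile path from an .htaccess file (directive names are
# case-insensitive in Apache; quotes around the path are stripped).
auth_user_file() {
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Succeed only if path $1 is NOT under document root $2, so the password
# file cannot be downloaded through the web server.
outside_docroot() {
    case "${1%/}/" in "${2%/}/"*) return 1 ;; esac
    return 0
}

# Name the hash scheme of one htpasswd entry from its prefix.
hash_scheme() {
    case "$1" in
        '$apr1$'*) echo apr1-md5 ;;               # htpasswd -m (used in this post)
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;   # htpasswd -B (Apache 2.4+)
        '{SHA}'*) echo sha1-unsalted ;;           # htpasswd -s
        *) echo other ;;                          # crypt(), plain text, ...
    esac
}

# Print "user scheme verdict" per entry; blank and '#' lines are skipped.
audit_htpasswd() {
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            bcrypt) verdict=ok ;;
            apr1-md5) verdict=upgrade ;;   # assumption: salted MD5 is legacy
            sha1-unsalted) verdict=weak ;;
            *) verdict=review ;;
        esac
        echo "$user $scheme $verdict"
    done < "$1"
}

# Usage: sh audit.sh <.htaccess> <document-root>
if [ "$#" -eq 2 ]; then
    pw=$(auth_user_file "$1")
    [ -n "$pw" ] || { echo "no AuthUserFile in $1"; exit 1; }
    outside_docroot "$pw" "$2" || echo "WARNING: $pw is inside $2"
    audit_htpasswd "$pw"
fi
```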

Now time for field testing.....

Go to a computer on the network, open a browser and enter the following URL:

http://191.254.175.51/wwwroot/ (the directory I wanted to restrict for viewing)

The first thing Apache will do is open an authentication window. Enter the right username and
password and the page will open; otherwise it will stop.

So easy! Isn't it? However, the other directories will be accessible as usual without any password.

Oh yes, remember to tell your people the username and password to access the site.

S. Bera
Powai
