Apache and its access controls
Written by Robert on April 9, 2008 – 3:26 am
There are two quite separate issues relating to access. First, if you are running on a Linux/Unix system, the normal controls on file access apply – your web server will not be able to serve files that it does not have permission to read. Second, there are the controls that the web server can apply to restrict access by client domain, or in support of HTTP authentication.
On a Linux/Unix system, your Apache will be running with some specified Unix user identifier; this user-id determines which files can be read. If you launch your own Apache server, it will run with your user-id and will be able to access all your files. (Such a private server cannot use the standard port 80; by default it will use port 8080, although this port number can be changed in the configuration file.) An ‘official’ Apache web server that runs at port 80 must be launched by the system’s administrator (it requires ‘root’ privilege). Such a server will run with an effective user-id that is chosen by the system’s administrator – typically ‘www’, or ‘nobody’. If you are using such a server, you have to have permission to place your web files in the part of the file space that it uses, and you must set the privileges on your files to include global read permission. Many of the mistakes made by beginners involve incorrect Unix access permissions for their files.
The Apache server allows you to provide selective access to resources using restrictions on a client’s address, through a requirement for a password, or by a combination of both these methods. Typically, different policies are applied to resources in different directories, but you can have additional global constraints (for example, it is possible to specify that clients may never access a file whose name starts with ‘.ht’ – such names are commonly used for Apache password files and some configuration files).
Controls on resources can be defined either in the main httpd.conf runtime configuration file or in .htaccess files located in the directories holding the resources (or holding the subdirectories with resources). Generally, it is best to centralize all controls in the main httpd.conf file. There are two problems with .htaccess files. First, they add to the work that a web server must perform. If a server is asked for a resource located somewhere in the file space below a point where an .htaccess file might be defined, the server must check the directory, its parent directory, and so on back up the directory path. If an .htaccess file is found, the server must read and apply the restrictions defined in that file. The second problem is that these .htaccess files may reduce the security of your web site. This is particularly likely to occur if you allow individual users to maintain files in their private directories and further allow them to specify their own access controls.
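The policies described above, written as one centralized httpd.conf fragment. This is an added example, not part of the original article; it uses Apache 2.4 `Require` syntax (the releases current when the article was written used `Order`/`Allow`/`Deny`), and every path, the address range and the realm name are assumptions.

```apache
# Global constraint: never serve any file whose name starts with ".ht"
# (password files, per-directory configuration files).
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Default for the whole file system: no access, and no .htaccess lookups.
# With AllowOverride None the server does not search each directory on the
# path for an .htaccess file, so the per-request cost disappears.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Public document tree (assumed path): readable by any client.
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>

# Restricted subtree (assumed path): combination of both methods.
# The client must come from the listed range AND present a valid password.
<Directory "/var/www/html/internal">
    AuthType Basic
    AuthName "Internal"
    # Password file kept outside the document tree (assumed location).
    AuthUserFile "/etc/apache2/internal.htpasswd"
    <RequireAll>
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAll>
</Directory>

# Per-user web directories (assumed layout): users may publish files,
# but cannot define their own access controls through .htaccess.
<Directory "/home/*/public_html">
    AllowOverride None
    Require all granted
</Directory>
```

Replacing `<RequireAll>` with `<RequireAny>` admits a client that satisfies either condition instead of both.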
