The IT Infrastructure team asked for help with the Apache logs, which have always been cumbersome to maintain: the log partition fills up under heavy traffic at the server end. They needed a utility to rotate the logs according to their requirements.
I explored the available tools for Apache log maintenance and finally got a chance to try one out. Here are my findings:
rotatelogs is a simple program for use in conjunction with Apache's piped logfile feature. For example:
CustomLog "|rotatelogs /var/logs/logfile 86400" common
This creates the files /var/logs/logfile.nnnn where nnnn is the system time at which the log nominally starts (this time will always be a multiple of the rotation time, so you can synchronize cron scripts with it). At the end of each rotation time (here after 24 hours) a new log is started.
CustomLog "|rotatelogs /var/logs/logfile 5M" common
This configuration will rotate the logfile whenever it reaches a size of 5 megabytes.
ErrorLog "|bin/rotatelogs /var/logs/errorlog.%Y-%m-%d-%H_%M_%S 5M"
This configuration will rotate the error logfile whenever it reaches a size of 5 megabytes, and the suffix to the logfile name will be created of the form errorlog.YYYY-mm-dd-HH_MM_SS.
Synopsis
rotatelogs [ -l ] logfile [ rotationtime [ offset ]] | [ filesizeM ]
Options
-l (2.0.51 and later)
Causes the use of local time rather than GMT as the base for the interval. Note that using -l in an environment which changes the GMT offset (such as for BST or DST) can lead to unpredictable results!
logfile
The path plus basename of the logfile. If logfile includes any '%' characters, it is treated as a format string for strftime(3). Otherwise, the suffix .nnnnnnnnnn is automatically added and is the time in seconds. Both formats compute the start time from the beginning of the current period.
rotationtime
The time between log file rotations in seconds.
offset
The number of minutes offset from UTC. If omitted, zero is assumed and UTC is used. For example, to use local time in the zone UTC -5 hours, specify a value of -300 for this argument.
filesizeM
The maximum file size in megabytes followed by the letter M to specify size rather than time. Use this parameter in place of both rotationtime and offset.
Portability
The following logfile format string substitutions should be supported by all strftime(3) implementations; see the strftime(3) man page for library-specific extensions.
%A full weekday name (localized)
%a 3-character weekday name (localized)
%B full month name (localized)
%b 3-character month name (localized)
%c date and time (localized)
%d 2-digit day of month
%H 2-digit hour (24 hour clock)
%I 2-digit hour (12 hour clock)
%j 3-digit day of year
%M 2-digit minute
%m 2-digit month
%p am/pm of 12 hour clock (localized)
%S 2-digit second
%U 2-digit week of year (Sunday first day of week)
%W 2-digit week of year (Monday first day of week)
%w 1-digit weekday (Sunday first day of week)
%X time (localized)
%x date (localized)
%Y 4-digit year
%y 2-digit year
%Z time zone name
%% literal `%'
Note: Do create the logs directory under /var directory.
For testing, just restart the httpd service and you will see these files:
[root@localhost logs]# ls -la
total 28
drwxr-xr-x 2 root root 4096 2009-10-26 01:45 .
drwxr-xr-x. 23 root root 4096 2009-10-26 01:13 ..
-rw-r--r-- 1 root root 632 2009-10-26 01:43 errorlog.2009-10-25-20_13_59
-rw-r--r-- 1 root root 632 2009-10-26 01:44 errorlog.2009-10-25-20_14_15
-rw-r--r-- 1 root root 0 2009-10-26 01:13 logfile
-rw-r--r-- 1 root root 310 2009-10-26 01:21 logfile.1256500257
-rw-r--r-- 1 root root 381 2009-10-26 01:39 logfile.1256501364
-rw-r--r-- 1 root root 81 2009-10-26 01:44 logfile.1256501673
[root@localhost logs]#
Sunday, October 25, 2009
Friday, October 23, 2009
Apache: SSH Public key based authentication – Howto
This howto covers generating and using ssh keys for automated:
a) Login
b) Make backups
c) Run commands from shell etc
Task: Generating ssh keys
1) Log on to your workstation (for example, log on to the workstation called admin.fbsd.nixcraft.org as user vivek). Refer to the following sample setup: you will be logged in, on your local system, AS THE USER you wish to make passwordless ssh connections.
My Setup
2) Create the Cryptographic Key on FreeBSD workstation, enter:
$ ssh-keygen -t rsa
Assign the passphrase (press the [Enter] key twice if you don't want a passphrase). It will create two files in the ~/.ssh directory as follows:
* ~/.ssh/id_rsa : identification (private) key
* ~/.ssh/id_rsa.pub : public key
3) Use scp to copy id_rsa.pub (the public key) to the rh9linux.nixcraft.org server as the authorized_keys2 file; this is known as installing the public key on the server.
$ scp .ssh/id_rsa.pub vivek@rh9linux.nixcraft.org:.ssh/authorized_keys2
4) From FreeBSD workstation login to server:
$ ssh rh9linux.nixcraft.org
5) Changing the pass-phrase on workstation (if needed):
$ ssh-keygen -p
6) Use ssh-agent to avoid typing the passphrase over and over
At the FreeBSD workstation, type:
$ ssh-agent $BASH
$ ssh-add
Type your pass-phrase
From here on, whenever you connect to the server it won't ask for a password.
The above two commands can be added to ~/.bash_profile so that the agent is set up as soon as I log in to the workstation.
7) Deleting the keys held by ssh-agent
a) To delete all keys
$ ssh-add -D
b) To delete specific key
$ ssh-add -d key
c) To list keys
$ ssh-add -l
Apache: Howto Linux / UNIX setup SSH with DSA public key authentication (password less login)
I have Linux laptop called tom and remote Linux server called jerry. How do I setup DSA based authentication so I don’t have to type password?
Solution:
DSA public key authentication can only be established on a per-system / per-user basis, i.e. it is not system-wide. You will be setting up ssh with DSA public key authentication for SSH version 2 on two machines:
#1 machine : your laptop called tom
#2 machine : your remote server called jerry
Command to type on your laptop/desktop (local computer)
First log in to the local computer called tom and type the following commands.
Step #1: Generate DSA Key Pair
Use ssh-keygen command as follows:
$ ssh-keygen -t dsa
Output:
Enter file in which to save the key (/home/vivek/.ssh/id_dsa): Press [Enter] key
Enter passphrase (empty for no passphrase): myPassword
Enter same passphrase again: myPassword
Your identification has been saved in /home/vivek/.ssh/id_dsa.
Your public key has been saved in /home/vivek/.ssh/id_dsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01 vivek@vivek-desktop
Caution: a) Please enter a passphrase different from your account password and confirm it.
b) The public key is written to /home/you/.ssh/id_dsa.pub.
c) The private key is written to /home/you/.ssh/id_dsa.
d) It is important you never-ever give out your private key.
Step #2: Set directory permission
Next, make sure you have the correct permissions on the .ssh directory:
$ cd
$ chmod 755 .ssh
Step #3: Copy public key
Now copy file ~/.ssh/id_dsa.pub on Machine #1 (tom) to remote server jerry as ~/.ssh/authorized_keys:
$ scp ~/.ssh/id_dsa.pub user@jerry:.ssh/authorized_keys
Command to type on your remote server called jerry
Log in to your remote server and make sure the permissions are set correctly:
$ chmod 600 ~/.ssh/authorized_keys
Task: How do I login from client to server with DSA key?
Use scp or ssh as follows from your local computer:
$ ssh user@jerry
$ ssh user@remote-server.com
$ scp file user@jerry:/tmp
You will still be asked for the passphrase of the DSA key file each time you connect to the remote server called jerry, unless you did not enter a passphrase when generating the DSA key pair or you load the key into ssh-agent as described next.
Task: How do I login from client to server with DSA key but without typing a passphrase, i.e. password-less login?
Type the following command at shell prompt:
$ exec /usr/bin/ssh-agent $SHELL
$ ssh-add
Output:
Enter passphrase for /home/vivek/.ssh/id_dsa: myPassword
Identity added: /home/vivek/.ssh/id_dsa (/home/vivek/.ssh/id_dsa)
Type your passphrase once. Now you should not be prompted for a password whenever you use the ssh, scp or sftp command.
If you are using a GUI such as GNOME, use the command:
$ ssh-askpass
OR
$ /usr/lib/openssh/gnome-ssh-askpass
To save your passphrase during your GNOME session under Debian / Ubuntu, do as follows:
a) Click on System
b) Select Preferences
c) Select Session
d) Click on New
e) Enter "OpenSSH Password Management" in the Name text area
f) Enter /usr/lib/openssh/gnome-ssh-askpass in the command text area.
g) Click on close to save the changes
h) Log out and then log back into GNOME. After GNOME is started, a dialog box will appear prompting you for your passphrase. Enter the passphrase requested. From this point on, you should not be prompted for a password by ssh, scp, or sftp.
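An added example, not from either of the two howtos above, doing the server-side step the way ssh-copy-id does it: both posts scp the public key straight over authorized_keys, which silently replaces every key already authorized for that account, whereas this appends only when the key is not already present, rejects anything that is not a public-key line (for instance id_rsa pasted instead of id_rsa.pub), and sets the 700/600 modes that sshd's StrictModes check requires. The target directory is a parameter; the demo runs on a temporary directory with a constructed placeholder key.

```shell
#!/bin/sh
# Added example, not from the howtos: install a public key on the server the
# way ssh-copy-id does, instead of copying it over authorized_keys with scp
# (which replaces every key already authorized for the account).

# valid_pubkey LINE -> 0 if LINE is one OpenSSH public-key entry (type, base64 blob, comment)
valid_pubkey() (
    set -f                     # no globbing while we word-split the line
    set -- $1
    case $1 in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $2 in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    return 0
)

# install_pubkey PUBKEY_FILE SSH_DIR -> prints "added" or "present"
# Creates SSH_DIR (0700) and authorized_keys (0600) if needed; appends the key
# only when it is not already there. Refuses anything that is not a public key.
install_pubkey() {
    key=$(head -n 1 "$1")
    valid_pubkey "$key" || { echo "not a public key: $1" >&2; return 1; }
    umask 077
    mkdir -p "$2" && chmod 700 "$2"
    ak=$2/authorized_keys
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    if grep -qxF "$key" "$ak"; then
        echo present
    else
        printf '%s\n' "$key" >> "$ak"
        echo added
    fi
}

# not_group_world_writable PATH -> 0 unless group or others may write PATH
not_group_world_writable() {
    case $(ls -ld "$1" | cut -c1-10) in ?????w????|????????w?) return 1 ;; esac
    return 0
}

# ssh_perms_ok SSH_DIR -> 0 when sshd's StrictModes check would accept the directory
ssh_perms_ok() {
    not_group_world_writable "$1" && not_group_world_writable "$1/authorized_keys"
}

# Constructed demo on a temp directory standing in for ~/.ssh on the server.
# The key blob below is a made-up placeholder, not a real key.
demo_install() {
    d=$(mktemp -d)
    pk=$d/id_rsa.pub
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0placeholder/blob+only== vivek@workstation\n' > "$pk"
    r1=$(install_pubkey "$pk" "$d/ssh")       # added
    r2=$(install_pubkey "$pk" "$d/ssh")       # present (no duplicate line)
    lines=$(( $(wc -l < "$d/ssh/authorized_keys") ))
    ssh_perms_ok "$d/ssh" && p1=ok || p1=bad
    chmod g+w "$d/ssh"                        # the mistake StrictModes rejects
    ssh_perms_ok "$d/ssh" && p2=ok || p2=bad
    rm -rf "$d"
    echo "$r1 $r2 $lines $p1 $p2"   # added present 1 ok bad
}
```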
Apache: How To Back Up a Web Server?
I'm busy experimenting with Red Hat Enterprise Linux based Apache web server. I want to backup my Apache webserver, MySQL and PostgreSQL database to another disk called /backup and then copy it to other offsite backup ssh server called backup.example.com.
I started this morning with some refreshment at breakfast and soon caught hold of one of my friends online. He was Domino from the Netherlands, and we met through a Linux forum. He wanted me to help him with the same and I started writing.
Here we go...
There are many tools under Linux / UNIX to back up a webserver. You can create a simple shell script to back up everything to the /backup directory, and copy the contents of /backup offsite using the ssh and scp tools.
Step # 1: Create /root/backup.sh script
Use the following shell script:
#!/bin/bash
# A Simple Shell Script to Backup Red Hat / CentOS / Fedora / Debian / Ubuntu Apache Webserver and SQL Database
# Stop at the first failing command (also inside a pipeline) so a half-written
# dump is never copied offsite as if it were complete
set -eo pipefail
# Path to backup directories (left unquoted below on purpose: one tar argument each)
DIRS="/home/vivek/ /var/www/html/ /etc"
# Store today's date
NOW=$(date +"%F")
# Store backup path
BACKUP="/backup/$NOW"
# Backup file names: hostname.time.tar.gz, hostname.time.pg.sql.gz, hostname.time.mysql.sql.gz
STAMP="$(hostname).$(date +'%T')"
BFILE="${STAMP}.tar.gz"
PFILE="${STAMP}.pg.sql.gz"
MFILE="${STAMP}.mysql.sql.gz"
# Set Pgsql username
PGSQLUSER="ajeet"
# Set MySQL username and password
# (a password given with -p is visible to every local user in ps; a mode-600
# ~/.my.cnf with a [client] section avoids that)
MYSQLUSER="ajeet"
MYSQLPASSWORD="myPassword"
# Remote SSH server setup
SSHSERVER="backup.example.com" # your remote ssh server
SSHUSER="ajeet" # username
SSHDUMPDIR="/backup/remote" # remote ssh server directory to store dumps
# Paths for binary files
TAR="/bin/tar"
PGDUMP="/usr/bin/pg_dump"
MYSQLDUMP="/usr/bin/mysqldump"
GZIP="/bin/gzip"
SCP="/usr/bin/scp"
SSH="/usr/bin/ssh"
LOGGER="/usr/bin/logger"
# make sure backup directory exists; it holds database dumps, so keep it owner-only
[ -d "${BACKUP}" ] || mkdir -p -m 700 "${BACKUP}"
# Log backup start time in /var/log/messages
$LOGGER "$0: *** Backup started @ $(date) ***"
# Backup webserver dirs
$TAR -zcvf "${BACKUP}/${BFILE}" ${DIRS}
# Backup PgSQL (pg_dump dumps one database; with no name given it uses the username)
$PGDUMP --no-privileges --column-inserts -U "${PGSQLUSER}" | $GZIP -c > "${BACKUP}/${PFILE}"
# Backup MySQL
$MYSQLDUMP -u "${MYSQLUSER}" -h localhost -p"${MYSQLPASSWORD}" --all-databases | $GZIP -9 > "${BACKUP}/${MFILE}"
# Dump all local files to failsafe remote UNIX ssh server / home server
$SSH "${SSHUSER}@${SSHSERVER}" mkdir -p "${SSHDUMPDIR}/${NOW}"
$SCP -r "${BACKUP}"/* "${SSHUSER}@${SSHSERVER}:${SSHDUMPDIR}/${NOW}"
# Log backup end time in /var/log/messages
$LOGGER "$0: *** Backup Ended @ $(date) ***"
Customize it according to your needs: set the username, password, ssh settings and so on.
Step # 2: Create ssh keys
Create ssh keys for password-less login from your server to another offsite server hosted at your own home or in another datacenter. See the following FAQs for more information:
http://linuxhunt.blogspot.com/2009/10/apachehowto-linux-unix-setup-ssh-with.html
http://linuxhunt.blogspot.com/2009/10/apachessh-public-key-based.html
Step #3: Create Cron job
Set up a cron job to back up the server every day; enter:
# crontab -e
Append the following line to back up the server every day at midnight:
@midnight /root/backup.sh
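An added example (not from the post) for checking /backup/$NOW after the script has run and before relying on the offsite copy: gzip -t and tar -t catch a dump that was cut short, and the manifest gives one string to diff against the same command run on backup.example.com. Paths are parameters; the demo builds a constructed tarball and dump in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the post: verify the files backup.sh leaves in
# /backup/$NOW. A dump killed half-way (full disk, mysqldump terminated) is
# still a file, but not a valid gzip stream, and a truncated tarball cannot
# be listed; catching that locally is cheaper than discovering it on restore.

# verify_backup_dir DIR -> prints "ok N" (N files checked); status 1 and a
# message on stderr at the first corrupt or unreadable file
verify_backup_dir() {
    n=0
    for f in "$1"/*.gz; do
        [ -f "$f" ] || continue
        gzip -t "$f" 2>/dev/null || { echo "corrupt gzip: $f" >&2; return 1; }
        case $f in
            *.tar.gz) tar -tzf "$f" >/dev/null 2>&1 || { echo "unreadable archive: $f" >&2; return 1; } ;;
        esac
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no backups in $1" >&2; return 1; }
    echo "ok $n"
}

# manifest DIR -> "sha256 name" per file, sorted. Run the same on the remote
# side (ssh user@host "cd /backup/remote/$NOW && sha256sum * | sort") and diff.
manifest() { (cd "$1" && sha256sum -- *.gz | sort); }

# Constructed demo: a tiny "webserver" tarball and a fake SQL dump in a temp dir
demo_verify() {
    d=$(mktemp -d)
    mkdir -p "$d/src/html"; echo '<h1>hi</h1>' > "$d/src/html/index.html"
    tar -czf "$d/web.tar.gz" -C "$d/src" html
    printf 'CREATE TABLE t (id INT);\n' | gzip -c > "$d/db.mysql.sql.gz"
    r1=$(verify_backup_dir "$d")                      # ok 2
    m1=$(manifest "$d")
    # simulate a dump cut short: keep only the first 10 bytes
    dd if="$d/db.mysql.sql.gz" of="$d/cut" bs=1 count=10 2>/dev/null
    mv "$d/cut" "$d/db.mysql.sql.gz"
    r2=$(verify_backup_dir "$d" 2>/dev/null) || r2=fail
    m2=$(manifest "$d")
    rm -rf "$d"
    [ "$m1" != "$m2" ] && changed=changed || changed=same
    echo "$r1 $r2 $changed"    # ok 2 fail changed
}
```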
Apache: Giving Users their Own URL
Exploring more of Apache and continuing with my cookbook, I started on this topic and set it up in just 5 minutes. This time I tried setting up web pages for all users, and this is how I finally got it working!
File: /etc/httpd/conf/httpd.conf
Line 352:
UserDir public_html
And remove the hash sign from the <Directory /home/*/public_html> block that follows it (stock httpd.conf line numbers):
368     AllowOverride FileInfo AuthConfig Limit
369     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
370     <Limit GET POST OPTIONS>
371         Order allow,deny
372         Allow from all
373     </Limit>
374     <LimitExcept GET POST OPTIONS>
375         Order deny,allow
376         Deny from all
377     </LimitExcept>
378 </Directory>
379
Restart the Apache Service.
Try Browsing : http://localhost/~ajeet
But it won't work.
Reason: Permission Issue
Create a few users, such as ajeet, john and eric:
#useradd ajeet
#passwd ajeet
#cd /home/ajeet
#mkdir public_html
#cd public_html
#mkdir {ISO1,ISO2,ISO3}
Grant permissions:
#chmod o+x /home /home/ajeet
#chmod o+x /home/ajeet/public_html
Try Browsing http://localhost/~ajeet
Index of /~ajeet
[ICO] Name Last modified Size Description
[DIR] Parent Directory -
[DIR] ISO/ 23-Oct-2009 23:11 -
[DIR] ISO2/ 23-Oct-2009 23:11 -
[DIR] ISO3/ 23-Oct-2009 23:11 -
Apache/2.2.11 (Fedora) Server at localhost Port 80
So users can have their own web page.
Happy Apaching !!!
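An added example, not from the post: a POSIX shell check that reports which of the three chmod steps above is still missing for one user's public_html, and flags a public_html that group or others can write to. The /home base and the user name are parameters; the demo builds a throwaway tree under mktemp.

```shell
#!/bin/sh
# Added example, not from the post: report which of the three chmod steps above
# is still missing for one user's public_html, and flag a public_html that
# group or others can write to (SymLinksIfOwnerMatch and IncludesNoExec above
# assume only the owner can place files there). HOME_BASE is normally /home;
# the demo uses a temporary tree.

# mode PATH -> the 10-character ls mode field, e.g. drwxr-x---
mode() { ls -ld "$1" | cut -c1-10; }

# others_can_search DIR -> 0 if "other" has x on DIR (t = x plus sticky bit)
others_can_search() { case $(mode "$1") in ?????????[xt]) ;; *) return 1 ;; esac; }
# others_can_read DIR -> 0 if "other" has r on DIR (needed for Indexes)
others_can_read() { case $(mode "$1") in ???????r??) ;; *) return 1 ;; esac; }
# writable_by_others PATH -> 0 if group or other has w
writable_by_others() { case $(mode "$1") in ?????w????|????????w?) ;; *) return 1 ;; esac; }

# userdir_check HOME_BASE USER -> prints "ok" or the first problem; status 1 on a problem
userdir_check() {
    base=$1 user=$2
    dir=$base/$user/public_html
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    # httpd (running as the apache user) must traverse every component the post chmods
    for p in "$base" "$base/$user" "$dir"; do
        others_can_search "$p" || { echo "no o+x on $p"; return 1; }
    done
    others_can_read "$dir" || { echo "no o+r on $dir"; return 1; }
    writable_by_others "$dir" && { echo "group/world writable: $dir"; return 1; }
    echo ok
}

# Constructed demo: the post's /home/ajeet/public_html rebuilt under mktemp
demo_userdir() {
    d=$(mktemp -d)
    base=$d/home
    mkdir -p "$base/ajeet/public_html"
    chmod 755 "$base" "$base/ajeet/public_html"
    chmod 700 "$base/ajeet"                       # the usual default for a home dir
    r1=$(userdir_check "$base" ajeet) || true     # no o+x on .../home/ajeet
    chmod o+x "$base/ajeet"                       # the post's fix
    r2=$(userdir_check "$base" ajeet) || true     # ok
    chmod o+w "$base/ajeet/public_html"
    r3=$(userdir_check "$base" ajeet) || true     # group/world writable: ...
    rm -rf "$d"
    echo "${r1%% on *}|$r2|${r3%%:*}"   # no o+x|ok|group/world writable
}
```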
Apache: Authenticating Directory Structure
This morning I started with authenticating a portion of my directory structure.
This is what I did:
File: /etc/httpd/conf/httpd.conf
<Directory />
    Options FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    Allow from all
</Directory>
That's all that really needs to be done in httpd.conf.
Let's create a new directory structure:
#cd /var/www/html
#mkdir pdfs
#cd pdfs
#mkdir {RHEL4,RHEL4.2,RHEL5,RHEL5.2}
#cd RHEL5
#mkdir {RPMS,SRC,SOURCE,ISO}
#cd ISO
[root@localhost RHEL5]# ls -la
total 24
drwxr-xr-x. 6 apache apache 4096 2009-10-23 19:02 .
drwxr-xr-x. 6 apache apache 4096 2009-10-19 09:41 ..
drwxr-xr-x 5 apache apache 4096 2009-10-23 19:35 ISO
drwxr-xr-x 2 apache apache 4096 2009-10-23 18:08 RPMS
drwxr-xr-x 2 apache apache 4096 2009-10-23 18:08 SOURCES
drwxr-xr-x 2 apache apache 4096 2009-10-23 18:08 SRC
[root@localhost RHEL5]#
[root@localhost ISO]# ls -la
total 24
drwxr-xr-x 5 apache apache 4096 2009-10-23 19:35 .
drwxr-xr-x. 6 apache apache 4096 2009-10-23 19:02 ..
-rw-r--r-- 1 root root 106 2009-10-23 19:35 .htaccess
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO1
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO2
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO3
[root@localhost ISO]#
[root@localhost ISO]# ls -la
total 24
drwxr-xr-x 5 apache apache 4096 2009-10-23 19:35 .
drwxr-xr-x. 6 apache apache 4096 2009-10-23 19:02 ..
-rw-r--r-- 1 apache apache 106 2009-10-23 19:35 .htaccess
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO1
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO2
drwxr-xr-x 2 apache apache 4096 2009-10-23 19:02 ISO3
[root@localhost ISO]#
The .htaccess file contains these entries:
[root@localhost ISO]# cat .htaccess
AuthType Basic
AuthName "Authentication Required"
AuthUserFile /var/www/html/htpasswd
Require user jan
[root@localhost ISO]#
Now create the htpasswd file under the /var/www/html directory as follows:
htpasswd -bcm /var/www/html/htpasswd jan jan123
Now try browsing:
http://localhost/pdfs
Thursday, October 22, 2009
Apache: Deny access to certain file types
How to deny access to certain file types.
Useful: to deny access to certain files that contain private information (log files, source code, password files, etc.).
In a previous tip (Hide a file type from directory indexes) I showed how we can hide some files from appearing in directory indexes. Even if the files do not appear in directory indexes, this does not mean that access to them is denied: if a remote user knows the exact location of a file, he will still be able to fetch it from a browser. How can someone find out the location of the private file? That doesn't really matter too much; he might see paths or file names shown in warning messages, or the files might be browsable (with no hiding of files in the directory indexes).
So if there are 'special files' that you never want served to remote users, you will have to deny access to them.
To achieve this we will use the standard Apache module mod_access, which lets us define rules for various contexts (<Directory>, <Files> and <Location> sections). In this case we are interested in the <Files> section.
Allow/Deny directives in <Files>
Your Apache default configuration might already contain (or at least it would be nice if it did) a configuration similar to the following, which denies browser access to .htaccess files:
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
This is a simple example of how we can deny access to a single file by its name. If you don't have such a configuration, it would be a good idea to add it.
Let's see how we can deny access to several files; suppose we want to deny access to all files with the extension .inc (the includes of our PHP application). To achieve this we add the following configuration lines in the appropriate context (the global config, a vhost/directory section, or .htaccess):
<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>
Similarly, we can deny access to whatever other files we need to protect.
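An added example (not part of this post or of the authentication post above) that serves both: a shell audit that finds .htaccess files whose AuthUserFile lies inside DocumentRoot (the earlier post's /var/www/html/htpasswd is served as an ordinary file, since the stock rule only matches names beginning with .ht), lists files with extensions that need a deny rule, and prints the matching <Files> block. DocumentRoot and the extension list are parameters, and the demo uses a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not from either post: audit a DocumentRoot for files the server
# would hand out as ordinary content. The stock "^\.ht" rule only protects names
# starting with .ht, so a password file stored as /var/www/html/htpasswd (as in
# the authentication post) is still served; .inc includes and logs likewise.
# DOCROOT and the extension list are parameters; the demo builds a temp tree.

# canonical DIR -> absolute path without a trailing slash
canonical() { (cd "$1" && pwd); }

# audit_htaccess DOCROOT -> one line per AuthUserFile that lives inside DOCROOT
audit_htaccess() {
    root=$(canonical "$1")
    find "$root" -type f -name .htaccess -exec awk -v root="$root" '
        tolower($1) == "authuserfile" {
            gsub(/"/, "", $2)                     # AuthUserFile "/path" or /path
            if (index($2, root "/") == 1)
                print FILENAME ": AuthUserFile " $2 " is inside DocumentRoot"
        }' {} \;
}

# exposed_files DOCROOT EXT... -> every file under DOCROOT ending in one of EXT
exposed_files() {
    root=$1; shift
    for ext in "$@"; do
        find "$root" -type f -name "*.$ext"
    done
}

# deny_block EXT... -> the mod_access (Apache 2.2) block that denies those extensions
deny_block() {
    pat=$(printf '%s|' "$@"); pat=${pat%|}          # inc|log|bak
    printf '<Files ~ "\\.(%s)$">\n    Order allow,deny\n    Deny from all\n</Files>\n' "$pat"
}

# Constructed demo: the posts' /var/www/html layout rebuilt under mktemp
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/html/pdfs/RHEL5/ISO" "$d/html/app"
    # the authentication post's .htaccess, password file inside the docroot
    printf 'AuthType Basic\nAuthName "Authentication Required"\nAuthUserFile %s/html/htpasswd\nRequire user jan\n' \
        "$d" > "$d/html/pdfs/RHEL5/ISO/.htaccess"
    # a second .htaccess whose password file sits outside the docroot: fine
    printf 'AuthUserFile "%s/htpasswd"\n' "$d" > "$d/html/app/.htaccess"
    : > "$d/html/htpasswd"; : > "$d/html/app/db.inc"; : > "$d/html/error.log"
    inside=$(audit_htaccess "$d/html" | wc -l)
    exposed=$(exposed_files "$d/html" inc log | wc -l)
    rm -rf "$d"
    echo "$((inside)) $((exposed))"   # 1 2
}
```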