Lab 9
Web Server Security

Due: April 30th by 2359
Can be turned in before the final exam on May 2nd with no penalty. Zero credit if turned in after the exam.

Introduction

This lab will explore a few ways to secure a website using tools on the web server itself. You will briefly explore Apache web server settings (URL rewriting, redirects and Basic authentication, all configured through .htaccess) and set up your own password file, in which user passwords are stored as hashes rather than in the clear.

Directory Requirements

  1. Make a new Lab09 directory.
  2. Copy my wunderground.pl script from /home/nchamber/public_html/it452/examples/webservers/wunderground.pl and put it in your Lab09 directory.
  3. Create a .htaccess file in Lab09 (Tip: Windows may not directly allow you to create a ".htaccess" file (because the name begins with a period). You can, however, make a file with Notepad++ and then save it with this name. Be sure to choose "All files" (not "Text files") from the file types in the Save dialog window.).

Mind your Permissions!

  1. When you create .htaccess, the web server's account must be able to read it (or you'll see Internal Server Error).
  2. When you create a password file, the web server's account must be able to read it (or you'll see Internal Server Error).
  3. When you create the Lab09 directory (and the blocked subdirectory), the web server needs both read and execute (search) permission on it, or you'll see 403 Forbidden and other strange errors. A directory's execute bit is what lets Apache descend into it.
  4. Files: chmod 644 filename (rw-r--r--). Directories: chmod 755 dirname (rwxr-xr-x). Both are world-readable but writable only by you; never make .htaccess or the password file writable by anyone else, and keep the password file outside public_html so it can never be downloaded.

Your Apache Server Tasks

  1. Rewrite: create a rewrite rule so that the wunderground.pl script has a nice URL. For example, you want the user to be able to type in a "nice" URL like:
    http://intranet.cs.usna.edu/~mXXXXXX/Lab09/weather/21401/
    and (silently, as an internal rewrite with no HTTP redirect, so the address bar never changes) the web server should call something like
    http://intranet.cs.usna.edu/~mXXXXXX/Lab09/wunderground.pl?zipcode=21401
    You should not change the Perl file or edit it in any way. Tip: make the pattern match only what a zip code looks like (five digits), so the rewrite never hands arbitrary user input to the script.
  2. Redirect: create a URL redirect so that anyone requesting a path containing the token "passwd" is sent to a fun page mocking their lame attempt to find a password file in your directory. Create a new subdirectory called blocked, and put nicetry.html in there. Write the redirect rule so that typing http://intranet.cs.usna.edu/~mXXXXXX/Lab09/passwds.txt into a browser redirects to "blocked/nicetry.html". This should not be a silent rewrite: the server must answer with an HTTP redirect (a 3xx status, i.e. mod_rewrite's [R] flag or a Redirect/RedirectMatch directive), so the browser's address bar changes to the blocked page.
  3. Password: add "Basic" password protection to your Lab09 directory (and therefore to index.html and everything else in it) via .htaccess. Follow the short tutorial below!
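As an added illustration of tasks 1 and 2 (this is not the course's solution file), here is a .htaccess that does both with mod_rewrite. It assumes mod_rewrite is loaded and that the server's AllowOverride setting lets .htaccess use it; mXXXXXX is the same account placeholder used in the URLs above, and the Basic authentication directives from the tutorial below go in this same file.

```apache
# Lab09/.htaccess  (example for tasks 1 and 2; replace mXXXXXX with your account)
RewriteEngine On

# Per-directory rules see paths relative to Lab09/.  RewriteBase tells
# mod_rewrite what URL prefix to put back in front of the relative targets.
RewriteBase /~mXXXXXX/Lab09/

# Task 1: silent rewrite.  weather/21401/  ->  wunderground.pl?zipcode=21401
# Only exactly five digits are accepted, so nothing but a zip-shaped value can
# reach the script.  No [R] flag: this is an internal rewrite, the browser
# keeps showing the "nice" URL.  [L] stops rule processing for this request.
RewriteRule ^weather/([0-9]{5})/?$ wunderground.pl?zipcode=$1 [L]

# Task 2: visible redirect.  Any path containing "passwd" (any case, [NC])
# gets an HTTP 302 ([R=302]) to blocked/nicetry.html, so the address bar
# changes.  The target itself contains no "passwd", so the rule cannot loop.
RewriteRule passwd blocked/nicetry.html [NC,R=302,L]
```

Checks from the shell: curl -sI http://intranet.cs.usna.edu/~mXXXXXX/Lab09/passwds.txt should print HTTP/1.1 302 Found with a Location: header ending in blocked/nicetry.html, while curl -s http://intranet.cs.usna.edu/~mXXXXXX/Lab09/weather/21401/ returns the script's output with no redirect. If the error log says "Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden", add Options +FollowSymLinks at the top of the file (this only works if the administrator allows Options in .htaccess). Once task 3 is done, add -u test:test to these curl commands.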

Password Management

Goal: make at least two users with valid access to your Lab09 directory. One should be "test" with password "test". The other can be whatever you want.

Creating basic directory passwords is a very useful ability, but should not be used as a long-term solution. It is a quick and dirty way to block general Web access to a portion of your site while you develop it. Keep in mind that Basic authentication sends the username and password with every request, merely base64-encoded rather than encrypted, so over plain http:// anyone who can watch the traffic can read them.

Apache web servers use the .htaccess file to turn password protection on, and a password file (often called .htpasswd) to store the usernames and password hashes. htpasswd never writes the password itself, only a hash of it, which is why the file can safely be readable by the server; anyone else with an account on the same machine can still copy those hashes and try to crack them offline, so do not reuse a real password here.

Step 1: ssh into zee if you haven't already. Change directories to Lab09.

Step 2: Create a password file with one user! The -c flag creates the file; htpasswd prompts for the password twice and stores only its hash.

htpasswd -c /home/mXXXXXX/webpasswds USERNAME

Step 3: Change permissions to be world-readable, so the web server can open it: chmod 644 /home/mXXXXXX/webpasswds (readable by everyone, writable only by you). Your home directory must also be searchable by others (the execute bit), which it already is if your public_html pages are being served.

Step 4: Open your .htaccess file. Add the basic authorization commands to turn on passwords for this directory, and tell the web server to use your newly generated passwords file.

AuthType Basic
AuthUserFile /home/mXXXXXX/webpasswds
AuthName "Some Welcome/Warning Message That You Desire"
require valid-user

Step 5: Go to your Lab09 directory in a browser. Did it ask for your user/passwd? If you see a server error, make sure both .htaccess and webpasswds are world-readable (+r). You can check the same thing from the shell: curl -sI http://intranet.cs.usna.edu/~mXXXXXX/Lab09/ should show HTTP/1.1 401 Unauthorized and a WWW-Authenticate: Basic realm="..." header carrying your AuthName text.

Step 6: Now add a second user to your password file (simply drop the -c flag; running with -c again would overwrite the file and erase the first user).

htpasswd /home/mXXXXXX/webpasswds USERNAME

Step 7: Test that both users have access, and all others are blocked: curl -sI -u test:test http://intranet.cs.usna.edu/~mXXXXXX/Lab09/ should give 200 OK, and the same command with a wrong password or an unknown user should give 401 Unauthorized. You are finished!
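To see what htpasswd actually put in webpasswds, and why a world-readable file does not hand out passwords, here is an added example (my own code, not part of the lab or of Apache) that verifies logins against an htpasswd-style file in Python. It implements two of the formats htpasswd writes: the unsalted "{SHA}" scheme (htpasswd -s) and Apache's salted, 1000-round MD5 scheme "$apr1$" (htpasswd -m, the default in current Apache; bcrypt via htpasswd -B is the stronger choice but needs a third-party library, so it is rejected here as unsupported). The sample file, the user "midshipman" and the password "Go-Navy!" are constructed for the example.

```python
"""Verify logins against an htpasswd-style file (added example, not course code)."""
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value: int, n: int) -> str:
    """Apache's crypt-style base-64: n characters, lowest 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return "$apr1$<salt>$<22 chars>", following APR's apr_md5_encode()."""
    pw, sb = password.encode(), salt[:8].encode()  # salt is at most 8 chars
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                      # as many bytes of alt as the password is long
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # key stretching: 1000 rounds of MD5
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return "$apr1$" + salt[:8] + "$" + encoded


def sha1_hash(password: str) -> str:
    """htpasswd -s: "{SHA}" + base64(SHA-1(password)).  There is no salt, so
    two users with the same password get the same line in the file."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def new_salt() -> str:
    """Random 8-character salt from the crypt alphabet, for new $apr1$ entries."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if stored.startswith("{SHA}"):
        candidate = sha1_hash(password)
    elif stored.startswith("$apr1$"):
        candidate = apr1_hash(password, stored.split("$")[2])
    else:
        raise ValueError("unsupported scheme (crypt(3)/bcrypt need extra libraries)")
    return hmac.compare_digest(candidate.encode(), stored.encode())


def check_login(htpasswd_text: str, user: str, password: str) -> bool:
    """True only if user exists in the file and password matches its hash."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name == user:
            return verify(password, stored)
    return False


# Constructed sample file for the lab's two users (not a real course file):
# "test" stored with {SHA}, "midshipman" with $apr1$ and a fixed salt.
SAMPLE_HTPASSWD = "\n".join([
    "test:" + sha1_hash("test"),
    "midshipman:" + apr1_hash("Go-Navy!", "abcdefgh"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    print(check_login(SAMPLE_HTPASSWD, "test", "test"))        # True
    print(check_login(SAMPLE_HTPASSWD, "midshipman", "wrong"))  # False
```

Running the block prints the two file lines: the "test" entry is the same {SHA} string on every machine, which is exactly the weakness of an unsalted hash, while the $apr1$ entry changes completely with the salt. hmac.compare_digest is used instead of == so that a wrong password is rejected in the same time regardless of where it first differs.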

Deliverables

***Show Dr. Chambers your working weather URL, and the blocked directory.

***If you don't finish during lab time, then e-mail him your Lab09 URL and a valid username/password that works. He will assume your weather/zipcode URL is the same as above and test that.