Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: sal1504 on October 15, 2007, 06:37:57 PM

Title: securing user website
Post by: sal1504 on October 15, 2007, 06:37:57 PM
i am not sure if what i want to do is possible. i have searched the forums and have found nothing on this. i have a primary web page http://www.something.com and a user web page http://www.soemthing.com/userpage. this is working fine, but what i want is two things. the first is that i want the userpage http://www.soemthing.com/userpage to only be accessed when only using https://www.something.com/userpage. i do not want http://www.soemthing.com/userpage accessible at all. the second thing is when accessing the userpage i want the person to have to use their personal user name and password and not the generic one user name and one password setup. if this is possible any information on how to set this up would be greatly appreciated.
Title: Re: securing user website
Post by: jfarschman on October 15, 2007, 06:58:31 PM
Sal,

  Well written.

  There are two things you want.  First... make the page only accessible via https.  I'd handle that with a rewrite in the httpd.conf file.  It would look something like this:

Code:
RewriteRule ^/userpage https://%{HTTP_HOST}/userpage

Ray Mitchell did a nice write up of how to do this.  I found it by searching "HTTP redirect" and reading this informative post: http://forums.contribs.org/index.php?topic=32345.0

http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/rmitchell/smeserver/howto/https%20ibay%20forced%20redirection%20HOWTO%20for%20sme%20server.htm


  The second is a little more complicated and leaves me asking a question.  How did you create your userpages?  Are they ibays?  If so you cannot have an ibay and a user with the same name  :???:  So are you using a special contrib to accomplish this?
Title: Re: securing user website
Post by: cactus on October 15, 2007, 08:22:18 PM
> the second thing is when accessing the userpage i want the person to have to use their personal user name and password and not the generic one user name and one password setup. if this is possible any information on how to set this up would be greatly appreciated.

I don't know how to incorporate it in your setup as I do not know if you use a contrib and what template shares your userpage, but to use the pwauth library which is used to authenticate users against the local password database needs at least the following instructions inside the VirtualHost container:
Code:
AddExternalAuth pwauth /usr/lib/httpd/modules/pwauth
SetExternalAuthMethod pwauth pipe

And then to define the location you can use this (it will also work with the <Directory></Directory> tags):

Code:
<Location /userpage>

        Options None
        AllowOverride None
        order deny,allow
        deny from all
        allow from all

        AuthName "Authentication prompt here"
        AuthType Basic
        AuthExternal pwauth
        require user username1 username2
        Satisfy all

</Location>
Above is not tested but more a general guideline.
Title: Re: securing user website
Post by: sal1504 on October 15, 2007, 09:30:02 PM
thanks for the quick reply that's the best part of this forum.
what i did was create an ibay called empweb for the employees secured data site. i named it empweb. so currently i can go to http://www.somename.com/empweb and input a common user name and password. like i said what i want is only https://www.somename/empweb, which i think has been answered but i have not tried, and to allow the user to input their smeserver username and password. by the way if it helps this is ver7.2. i hope this clarifies what i want to do a little better.

also i have several hardware configurations that work with sme7.2 where is the best place to post this information for others to use?
Title: Re: securing user website
Post by: cactus on October 15, 2007, 10:04:50 PM
> thanks for the quick reply that's the best part of this forum.
> what i did was create an ibay called empweb for the employees secured data site. i named it empweb. so currently i can go to http://www.somename.com/empweb and input a common user name and password. like i said what i want is only https://www.somename/empweb, which i think has been answered but i have not tried, and to allow the user to input their smeserver username and password. by the way if it helps this is ver7.2. i hope this clarifies what i want to do a little better.
>
> also i have several hardware configurations that work with sme7.2 where is the best place to post this information for others to use?

You will have to make a custom template based on the ibay templates and make an exception to implement the settings you would like to have... this is not done 1... 2... 3...

The easiest option I guess is this:
1. Log in as root user on a SME Server shell
2. Create the directory tree for the custom-template we will generate:
Code:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

3. Copy the fragment we need to the custom template folder:
Code:
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

4. Now comes the magic. Using your favorite editor we need to edit the /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays. We need to modify the last part of the custom template fragment that reads:
Code:
        if ($pass)
        {
            $OUT .= "    AuthName \"$properties{'Name'}\"\n";
            $OUT .= "    AuthType Basic\n";
            $OUT .= "    AuthExternal pwauth\n";
            $OUT .= "    require user $key\n";
            $OUT .= "    Satisfy $satisfy\n";
        }
to
Code:
        if ($pass)
        {
            $OUT .= "    AuthName \"$properties{'Name'}\"\n";
            $OUT .= "    AuthType Basic\n";
            $OUT .= "    AuthExternal pwauth\n";
            if ($key eq 'ibayname') {
                $OUT .= "    require user username\n";
            }
            else
            {
                $OUT .= "    require user $key\n";
            }
            $OUT .= "    Satisfy $satisfy\n";
        }
Replace the text ibayname with the ibayname you would like to have a different setting as well as the text username in above fragment with the username(s) you would like to have access using spaces to separate them.

Now if you have not already done so, set a password for the ibay. This password will not be used and is overwritten with the option we have created using above instruction. If you already had a password set for the ibay you will have to issue the following code
Code:
signal-event ibay-modify ibayname

If you did not set a password, setting a password now through the server-manager should automatically apply the changes for you. Setting a password is a requirement for this option to work...

Note: This only changes the access over the internet (e. g. using the webbrowser) and will not modify filesystem access (e. g. using explorer)

Disclaimer: I just wrote down this code and did not test this... so things might break as I am only human as well :-).
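
Added example, not part of the post above or of the SME Server templates: the per-ibay override from step 4, generalised from one hard-coded ibay to a lookup table, with a check that every account name is a plain name before it is written into httpd.conf. The %ibay_users map, the sample ibay and account names, the two helper subs and the account-name pattern are assumptions; in the real fragment $key, $pass, $satisfy, %properties and $OUT are supplied by the template environment.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical map: ibay name => accounts allowed to log in.
# All names below are constructed sample values.
my %ibay_users = (
    empweb => [qw(alice bob)],
);

# Build the "require user" line for one ibay. An ibay that is not listed
# keeps the stock behaviour (the ibay's own shared account).
sub require_line {
    my ($key) = @_;
    my @users = @{ $ibay_users{$key} || [$key] };
    for my $u (@users) {
        # Assumed account-name pattern. Rejecting anything else stops a
        # typo or pasted text from adding extra directives to httpd.conf.
        die "invalid account name '$u' for ibay '$key'\n"
            unless $u =~ /\A[a-z][a-z0-9._-]*\z/;
    }
    return "    require user @users\n";
}

# Stand-in for the template's "if (\$pass)" block so the script runs
# outside the template system.
sub auth_block {
    my ($key, $name, $pass, $satisfy) = @_;
    return '' unless $pass;    # no password set: no auth directives
    my $OUT = '';
    $OUT .= "    AuthName \"$name\"\n";
    $OUT .= "    AuthType Basic\n";
    $OUT .= "    AuthExternal pwauth\n";
    $OUT .= require_line($key);
    $OUT .= "    Satisfy $satisfy\n";
    return $OUT;
}

print "# empweb: per-user override\n";
print auth_block('empweb', 'Employee web', 1, 'all');
print "# sales: not in the map, stock behaviour\n";
print auth_block('sales', 'Sales', 1, 'all');
```

Because AuthType Basic sends the account password with every request, the override only makes sense together with the https-only access discussed earlier in the thread.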
Title: Re: securing user website
Post by: sal1504 on October 15, 2007, 11:19:39 PM
i'll give it a try this evening and let you know how it went. thanks again for the quick response
Title: Re: securing user website
Post by: raem on October 16, 2007, 12:36:01 AM
sal & jfarschman

I also did a nice howto for htaccess, but implemented the sme server way (the howto is still OK for sme7.x by the way).

http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/rmitchell/smeserver/howto/htaccess%20configuration%20with%20custom%20templates%20HOWTO%20for%20sme%20server.htm

Title: Re: securing user website
Post by: cactus on October 16, 2007, 07:34:04 AM
> sal & jfarschman
>
> I also did a nice howto for htaccess, but implemented the sme server way (the howto is still OK for sme7.x by the way).
>
> http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/rmitchell/smeserver/howto/htaccess%20configuration%20with%20custom%20templates%20HOWTO%20for%20sme%20server.htm


Ray, are you considering putting this in the wiki?
Title: Re: securing user website
Post by: raem on October 16, 2007, 11:47:46 AM
cactus

>...are you considering putting this in the wiki?

Yes one of these days, I had just not got around to it yet. There are always plenty of other things to do.
Probably a few of the other howtos or excerpts from them could also go into the Wiki.
Feel free if you want to do it before I get around to it.
Title: Re: securing user website
Post by: raem on October 16, 2007, 12:19:00 PM
cactus

OK you got me going.
I added these pages, which at present are just links to the earlier Howtos.
I will update them fully later.

http://wiki.contribs.org/Htaccess_configuration

http://wiki.contribs.org/Https_redirection

http://wiki.contribs.org/Spam_blocking_tutorial

also this one

http://wiki.contribs.org/Print_queue_monitor_user_access

and this too

http://wiki.contribs.org/Qmhandle_mail_queue_manager

also added this

http://wiki.contribs.org/Virus_blocking_tutorial
Title: Re: securing user website
Post by: cactus on October 16, 2007, 04:49:21 PM
> cactus
>
> OK you got me going.

Very nice!