Topic: Apache Security - directory access only after authentication

Goldsmith
Joined: 05 Oct 2021 Posts: 1
Posted: Tue 05 Oct '21 9:58 Post subject: Apache Security - directory access only after authentication
Hi All,
I'm running a few smaller websites (Joomla, WordPress) on Microsoft IIS and because of MS's licensing policies I am switching over to Linux/Apache.
So far, so good, the websites run well and fast.
One thing I haven't figured out yet is a security feature that I use in IIS.
Background: Even though Joomla and WordPress are getting regular security updates, I'm nearly sure there are quite some zero-day exploits out there, so I want to reduce the attack surface as much as possible.
What I'm doing in Windows/IIS (simplified):
The PHP workers for website1 run with user "worker1" when somebody accesses the website anonymously. This user gets NTFS (file level) permissions read-only for all files regarding website1. Additionally the user gets read/write permissions on temp and log folders. That's it.
Now when I log into the Joomla/WordPress backend I can't do any updates/uploads or change anything important because I'm lacking file system permissions. I can only change content of the website in the database.
What I did to still be able to change files using the backends: I set up a site https://www.website1.com/auth that forces server level authentication (independent from the Joomla/WordPress backends). So I'm logging on with user "admin1" (Windows authentication).
For "admin1" I added additional read/write permissions for all folders for website1.
My web browser keeps the authentication token and IIS "knows" now that I'm no longer an anonymous internet user. When I go back to the Joomla/WordPress backends I'm no longer restricted to the file system permissions I set up for the "worker1" worker process user, because IIS is now using admin1's permissions for this session, and I can upload files, change config, etc.
This is extremely simple to do in IIS and Windows with a few clicks and it's drastically reducing the attack surface on the websites.
Now finally the question:
Can I do something like this in Linux/Apache? And if yes, how?
(thank you for reading all this text)
maba
Joined: 05 Feb 2012 Posts: 64 Location: Germany, Heilbronn
Posted: Mon 11 Oct '21 6:23 Post subject:
What about using a .htaccess file and the combination of mod_ldap and mod_auth_ntlm?
mod_ldap is part of the standard distribution.
mod_auth_ntlm is available from apachehaus. Just search for "apachehaus ntlm authentication" using your favorite search engine.
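As an added example (not from the thread and not from either poster), this is what the server-level gate suggested in the reply looks like in Apache 2.4 configuration on Linux. It uses mod_authnz_ldap as the LDAP authentication provider, with mod_ldap supplying the shared connection cache; the host name, DNs, group name, script path and CMS paths are constructed placeholders.

```apache
# Added example, not code from the original thread. Assumes Apache 2.4 on Linux
# with mod_ssl, mod_ldap and mod_authnz_ldap loaded. Host names, DNs, group and
# file paths are constructed placeholders.

# mod_ldap: shared LDAP connection and credential cache (server-config context).
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600

<VirtualHost *:443>
    ServerName www.website1.com
    DocumentRoot /var/www/website1
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile are assumed to be set here.

    # The CMS tree stays read-only for the PHP worker user (e.g. www-data),
    # with only the temp and log directories writable. That is filesystem
    # setup, not Apache configuration, and it does not change on login.

    # Apache-level authentication in front of the Joomla/WordPress back ends,
    # independent of the application's own login form. Anonymous visitors
    # never reach these paths at all.
    <LocationMatch "^/(administrator|wp-admin|wp-login\.php)">
        AuthType Basic
        AuthName "Site administration"
        AuthBasicProvider ldap
        # Search base, attribute, scope and filter for the user lookup.
        AuthLDAPURL "ldaps://ldap.example.internal/ou=people,dc=example,dc=internal?uid?sub?(objectClass=person)"
        AuthLDAPBindDN "cn=apache-auth,ou=service,dc=example,dc=internal"
        # Bind password supplied by a helper script rather than in the config file.
        AuthLDAPBindPassword "exec:/etc/apache2/ldap-bind-pass.sh"
        # Only members of this group may open the back ends.
        Require ldap-group cn=website1-admins,ou=groups,dc=example,dc=internal
    </LocationMatch>
</VirtualHost>
```

This reproduces the "authenticate at the server before the CMS back end is reachable" half of the IIS setup. Apache on Linux does not switch the PHP worker to the authenticated user's identity, so the worker keeps the same read-only permissions before and after the Basic login; file changes such as CMS updates or plugin uploads then go through a separate channel running as the file owner (SFTP, a package manager, a deployment job) rather than through the backend. On a server without a directory, `AuthBasicProvider file` with an `AuthUserFile` created by `htpasswd` is the drop-in alternative to the LDAP block.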