[Tfug] The Apache security saga ALMOST done!

Jim March 1.jim.march at gmail.com
Wed Jul 8 14:05:52 MST 2009


Folks,

Thanks to the support you gave the last go-round, I have my issues
almost completely sorted out.  I'm going to install Dyndns next but I
don't think that will be trouble.

My Apache setup now works in that if I try and access the ZM console
website from the local camera machine, it will do so and require a
password.  Kewl.  Same goes if I come in across the net from a
completely outside source (my laptop on the Verizon cellmodem).  But
if I come in through another machine on the local net connected to the
same router, I'm still blocked.  I suspect I still have a bit more to
learn about the .htaccess file.

First, turns out it's working to the degree it is with just one
.htaccess file, at the same /var/www level the index.html file is.

Here's the .htaccess file now - I've added line numbers so I can ask
what's going on at a couple of lines:

---
1 AuthType Basic
2 AuthName "Restricted Files"
3 # (Following line optional)
4 AuthBasicProvider file
5 AuthUserFile /usr/local/apache/passwd/passwords
6 Require user zmuser
7 # secure htaccess file
8 <Files .htaccess>
9 order allow,deny
10 deny from all
11 allow from 127.0.0.1
12 allow from 192.168.0.1/24
13 allow from [ip address of the Qwest router, with the router told to
route IP stuff coming in there to the fixed IP addy of the camera
server, 192.168.0.53]
14 </Files>
---

OK. At line 11, I'm successfully telling it to accept access from the
local server console, right?

Line 12 I don't understand - is "1/24" a RANGE?  Should I up that to
"1/255"?  Thing is, the wireless connections to the router are DHCP
from a range of 192.168.0.2 through 192.168.0.52...static starts at
.53 (where the server is) and goes up.  So, the two other locally
connected DHCP Windows machines (one WiFi, one Ethernet) *should* be
attached somewhere around 192.168.0.2 or .3 or .4 or so.  Meaning, if
"1/24" is an IP address range, my two Windows boxes should be inside
it?

But they're blocked.  I've tried going to 192.168.0.53 and going to
the same IP address that works coming in from the outside.  No joy
either way - it will actually show the login screen popup, but won't
accept the valid username/password that works on the server console or
from the outside world.

So how do I get to the server from a local net station and how do I
allow that in .htaccess?

Since the password process is working, should I just switch to "allow
from all" at line 10?  Would that still mean the username/password is
respected?

If this was my box, I'd show you the IP addy at line 13, but...it's
not so I can't.  Sorry.

Thanks!

Jim
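Added example, not part of the original post: a small Python model of Apache 2.2's documented Order/Allow/Deny evaluation, applied to the host rules on lines 9-12 of the posted file, which also shows which addresses the "/24" notation covers. The client addresses tried are constructed samples, and line 13's router address is not given in the post, so it is omitted.

```python
import ipaddress

# Host rules from lines 9-12 of the posted .htaccess. Line 13's router
# address is not given in the post, so it is left out (assumption).
ORDER = "allow,deny"
ALLOW = ["127.0.0.1", "192.168.0.1/24"]
DENY = ["all"]

def matches(client, specs):
    """True if client matches any Allow/Deny spec: 'all', an IP, or a CIDR."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec == "all":
            return True
        # strict=False masks off host bits, so 192.168.0.1/24 is
        # treated as the network 192.168.0.0/24 in this model.
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def host_allowed(client, order=ORDER, allow=ALLOW, deny=DENY):
    """Model of Apache 2.2 mod_authz_host Order semantics."""
    allowed = matches(client, allow)
    denied = matches(client, deny)
    if order == "allow,deny":
        # Must match an Allow and must not match a Deny; default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Rejected only if a Deny matches and no Allow does; default allow.
        return allowed or not denied
    raise ValueError("unknown Order: " + order)

def cidr_range(spec):
    """First and last address covered by a CIDR spec."""
    net = ipaddress.ip_network(spec, strict=False)
    return str(net[0]), str(net[-1])

if __name__ == "__main__":
    print("192.168.0.1/24 covers", cidr_range("192.168.0.1/24"))
    # Constructed sample clients: loopback, two DHCP-range hosts, one outsider.
    for ip in ["127.0.0.1", "192.168.0.2", "192.168.0.52", "203.0.113.7"]:
        print(ip,
              "allow,deny ->", host_allowed(ip),
              "| deny,allow ->", host_allowed(ip, order="deny,allow"))
```

Because these rules sit inside `<Files .htaccess>`, Apache applies them to requests for the .htaccess file itself; the password prompt comes from lines 1-6.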



