[users@httpd] .htaccess and the cgi-bin

[Steve Winter <st...@roadshow.org>]

Greetings all,
 
I'm new to this list, and reasonably new to apache, which I'm currently
working through the installation of on a Win2k server machine.
 
So far I've been able to get things working mostly as I desire through a
number of very useful web based tutorials, but have now run up against a
couple of issues which I can't seem to find anything on the net to help
me with, so I hope that someone here will be kind enough to assist.
 
I have two issues, both of which relate to the use of .htaccess.
 
1.  I would like to be able to secure a sub folder of the cgi-bin so
that it requires authentication to access any of the scripts contained
there within.  I've tried putting a copy of an .htaccess file which I
know is properly configured in there, however it still allows
unrestricted access.  Is there any 'trick' to configuring .htaccess for
cgi-bin folders, is it simply 'not possible' or is it just that I'm
lousing things up...??..
 
2.  Our organisation hosts websites free of charge for approx 120 New
Zealand schools, and to date have received a number of requests to be
able to password protect areas of their site, which I have been able to
do for them manually, however I would like to transfer much of the
administration of this to the individual schools to maintain. For each
school I've set up an .htpasswd file in their root directory, and
provided a web based form which enables them to encrypt passwords to add
to that file, which they can access via ftp as it's in their root
folder.  My concern comes in that in the .htaccess file I seem to have
to provide an explicit reference to the location of the file on my hard
drive (of the type c:/server/roadshow/schools/yourschool/.htpasswd).
Now I don't really want all of these users to have that much information
about the structure of my hard drive, so I wanted to have .htaccess
reference .htpasswd through a relative reference, however I can't seem
to figure out how to do that...is it possible...??
 
Thanks for taking the time to read through my requests.  I hope that
someone may be able to help me.
 
Kind regards
Steve
 
 
+------------------------------------------------------------------+
            Steve Winter, Assistant Director
  National Science-Technology Roadshow Trust
                P.O. Box 12662, Wellington
                          New Zealand
 
                   Phone +64 27 434 1577
                      Fax +64 8 326 3263
 
                   http://www.roadshow.org <http://www.roadshow.org/> 
+-------------------------------------------------------------------+
 

Re: [users@httpd] .htaccess and the cgi-bin

["J. Greenlees" <ja...@shaw.ca>]

Steve Winter wrote:
> Jaqui,
> 
> Thanks for your reply...
> 
> 
>>>1.  I would like to be able to secure a sub folder of the cgi-bin so
>>>that it requires authentication to access any of the 
>>>scripts contained ...
>>
>>have you allowed overrides through the .htaccess in the 
>>configuration file?
> 
> 
> Doh...!...thanks for that...I'd overlooked the fact that the cgi-bin had
> it's own <directory> settings, and would therefore require it's own
> OverRide setting...
> 

suspected you had overlooked that. ;)

> Can you, or anyone else, offer advice on my other issue;
> 
> Our organisation hosts websites free of charge for approx 120 New
> Zealand schools, and to date have received a number of requests to be
> able to password protect areas of their site, which I have been able to
> do for them manually, however I would like to transfer much of the
> administration of this to the individual schools to maintain. For each
> school I've set up an .htpasswd file in their root directory, and
> provided a web based form which enables them to encrypt passwords to add
> to that file, which they can access via ftp as it's in their root
> folder.  My concern comes in that in the .htaccess file I seem to have
> to provide an explicit reference to the location of the file on my hard
> drive (of the type c:/server/roadshow/schools/yourschool/.htpasswd).
> Now I don't really want all of these users to have that much information
> about the structure of my hard drive, so I wanted to have .htaccess
> reference .htpasswd through a relative reference, however I can't seem
> to figure out how to do that...is it possible...??
>
hmm, not sure but you may be able to use relative paths with symlinks on.
(probably wrong though.)
my server is linux based so setting that up is actually easier, I just 
add a user with limited rights to the system and let them play around in 
the sandbox of thier space. ( actually, since the sites on my system are 
for freely available items made by my customers I allow more access than 
I would otherwise. ( my clients can browse each others sites in ftp 
client, since they all have the same access to the site's advertising 
the downloads )) [ graphics community sites ]


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] .htaccess and the cgi-bin

[Steve Winter <st...@roadshow.org>]

Jaqui,

Thanks for your reply...

> > 1.  I would like to be able to secure a sub folder of the cgi-bin so
> > that it requires authentication to access any of the 
> > scripts contained ...
> have you allowed overrides through the .htaccess in the 
> configuration file?

Doh...!...thanks for that...I'd overlooked the fact that the cgi-bin had
it's own <directory> settings, and would therefore require it's own
OverRide setting...

Can you, or anyone else, offer advice on my other issue;

Our organisation hosts websites free of charge for approx 120 New
Zealand schools, and to date have received a number of requests to be
able to password protect areas of their site, which I have been able to
do for them manually, however I would like to transfer much of the
administration of this to the individual schools to maintain. For each
school I've set up an .htpasswd file in their root directory, and
provided a web based form which enables them to encrypt passwords to add
to that file, which they can access via ftp as it's in their root
folder.  My concern comes in that in the .htaccess file I seem to have
to provide an explicit reference to the location of the file on my hard
drive (of the type c:/server/roadshow/schools/yourschool/.htpasswd).
Now I don't really want all of these users to have that much information
about the structure of my hard drive, so I wanted to have .htaccess
reference .htpasswd through a relative reference, however I can't seem
to figure out how to do that...is it possible...??

Thanks again,
Steve


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] .htaccess and the cgi-bin

["J. Greenlees" <ja...@shaw.ca>]

Steve Winter wrote:
~snip~

> 1.  I would like to be able to secure a sub folder of the cgi-bin so 
> that it requires authentication to access any of the scripts contained 
> there within.  I've tried putting a copy of an .htaccess file which I 
> know is properly configured in there, however it still allows 
> unrestricted access.  Is there any 'trick' to configuring .htaccess for 
> cgi-bin folders, is it simply 'not possible' or is it just that I'm 
> lousing things up...??..
have you allowed overrides through the .htaccess in the configuration file?


#
# AccessFileName: The name of the file to look for in each directory
# for access control information.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess files from being viewed by
# Web clients.  Since .htaccess files often contain authorization
# information, access is disallowed for security reasons.  Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files.  If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
#
<Files ~ "^\.ht">
     Order allow,deny
     Deny from all
</Files>
also, you will need to set up and configure an authorisation file, with 
a list of users authorised to access the directory.
and a password file to keep thier passwords in.


>  
> 2.  Our organisation hosts websites free of charge for approx 120 New 
> Zealand schools, and to date have received a number of requests to be 
> able to password protect areas of their site, which I have been able to 
> do for them manually, however I would like to transfer much of the 
> administration of this to the individual schools to maintain. For each 
> school I've set up an .htpasswd file in their root directory, and 
> provided a web based form which enables them to encrypt passwords to add 
> to that file, which they can access via ftp as it's in their root 
> folder.  My concern comes in that in the .htaccess file I seem to have 
> to provide an explicit reference to the location of the file on my hard 
> drive (of the type c:/server/roadshow/schools/yourschool/.htpasswd).  
> Now I don't really want all of these users to have that much information 
> about the structure of my hard drive, so I wanted to have .htaccess 
> reference .htpasswd through a relative reference, however I can't seem 
> to figure out how to do that...is it possible...??
>  
> Thanks for taking the time to read through my requests.  I hope that 
> someone may be able to help me.
>  
> Kind regards
> Steve
>  
>  
> +------------------------------------------------------------------+
>             Steve Winter, Assistant Director
>   National Science-Technology Roadshow Trust
>                 P.O. Box 12662, Wellington
>                           New Zealand
>  
>                    Phone +64 27 434 1577
>                       Fax +64 8 326 3263
>  
>                    http://www.roadshow.org <http://www.roadshow.org/>
> +-------------------------------------------------------------------+
>  



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org