Apache notes

I have been using the Apache web server for many years. Even after a short sojourn with lighttpd (which seemed for a time the best way to deploy rails), I came back to it.

First off, I have to recommend reading the official Apache 2.2 documentation. As documentation goes, it ain't bad, although it is a lot to swallow all at once.
There are skads of articles you can find on apache topics using google searches.

As of early 2009, I am running Apache 2.2.9

These are my notes on some things I commonly need to do.

Password protecting directories

The generic advice will tell you do use an .htaccess file. The better advice will tell you to handle all this in your apache config files (provided you have access to them), for performance reasons. Either in the .htaccess file or the config file you put a section like so:

<Directory />
        AuthUserFile /www/stuff/passwords
        AuthName Bozos circus
        AuthType Basic
        <Limit GET>
           require valid-user
           require user bozo
        </Limit>
</Directory>

Along with this you need the password file referenced in the above. Use the htpasswd command to generate it. What I use is:

htpasswd -bc zzz bozo clown

On my system this yields:

bozo:oBxAv./e98qnI

Place this line in the passwords file, restart the web server and, voila. (well maybe voila, there is more than meets the eye here).

A tip for https security

Having been burned by this, I encourage you to pay attention. You may set up a web site to be served via http on port 80 and https on port 443 (as most people do). Then you may set up a section of said website to be handled via https. If you do, be sure and do the following to turn off plain old http access to it:

    <Location "/secret/">
	Order deny,allow
	Deny from all
    </Location>

Password protection and rails

Like so many things, this was quite simple once it was pointed out. In a nutshell, the thing to do is to move the apache Auth directives into the Proxy section.
Best of all: it works!

Rails (in my case deployed via mongrel) introduces a new twist into the password protection business. It would seem that the proxy handoff to mongrel happens well before any authentication checking, so all my attempts to place Auth directives in a directory section were for naught, but see the simple tip above.

Someone, somewhere suggested the following scheme to solve the above problem.
I mention it here, because it smells like a good rails trick I might want to use someday for other things entirely. In short, we have our controller use the method before_filter to trigger a call to our controller method authenticate. We then have our authenticate method do this:

authenticate_or_request_with_http_basic { |user,pass|
	user=="bozo" && pas == "clown"
}

Have any comments? Questions? Drop me a line!

Adventures in Computing / tom@mmto.org