Protecting Your Sites Folder

by Robert Daeley

One of the spiffier parts of Mac OS X that I latched onto quickly (back in the heady days after the Public Beta) was the built-in Apache webserver with its one-click activation. My favorite part was being able to edit a file or web app on my local computer -- usually a laptop, so I could edit anywhere -- and then testing it there in a 'live' server environment, before uploading it to the real webserver and breaking things. Combined with the included php and MySQL, not to mention the other big guys like perl and Python, having a portable development box is a pretty cool thing.

Of course, when you turn on Apache via the Web Sharing option in System Preferences, you are basically turning your computer into a webserver to whoever happens to have access to you over the network, whether LAN or the greater Internet. Most of the time, this is not that much of a concern. But it's useful, not to mention more secure, to make your development directory inaccessible to anyone else.

Assuming you are using your user account's Sites folder, here's a super-quick method to make it unreachable to anyone except users on your computer. You will need to have admin access on the computer in question. You should also know your way around the Terminal and command-line.

Get started by turning off Web Sharing under your System Preferences. Then bring up the Terminal program and cd into /etc/httpd/users

Now, there's only one file we need to edit in this folder: foobar.conf, where foobar is your short username, the same as the name of your Home folder (e.g. /Users/foobar).

First, make a backup of the file by copying it like this:

sudo cp foobar.conf foobar.conf.bak

You'll need to enter your admin password. Next, open the foobar.conf file in your favorite text editor, which, if it's the same editor as mine, will mean using this command:

sudo vi foobar.conf

Once the file is open, you'll find this:

<Directory "/Users/foobar/Sites/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>


Edit the text so it looks like this:

<Directory "/Users/foobar/Sites/">
Options Indexes MultiViews
AllowOverride None
# Order allow,deny
# Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Directory>


What we've done here is to comment out a couple of lines using the # sign, so they'll be ignored (technically you could delete them, but leave them there for reference). And we've told Apache to apply the following two rules in the order of denying access, then allowing access. The last two additions deny access to everybody, then allow access to your local computer.

Save the file and close your editor. Restart Apache by turning on Web Sharing again. You're done! Now you can do whatever development you like inside your Sites folder and not worry about anyone else accessing it.

We've just scratched the surface of what you can accomplish in that .conf file, or for that matter in the httpd.conf file one directory up. Just make sure to backup your files before editing, make sure to only make one edit at a time so you can easily undo any damage, and do your homework before poking around in there. Hey, a good place to start would be the O'Reilly Apache book. ;D But you can also read up on the popular webserver at the apache.org site.

Got any favorite Apache tweaks on Mac OS X? Share 'em!


9 Comments

mrwon
2005-09-15 10:54:10
Only partially secure?
What this doesn't mention is that it seems that once you turn on Web Sharing, you turn it on for each account simultaneously.


Don't I then have to repeat this procedure for each user on the computer to get those accounts secured as well?


But...How do I then make it so that the http://localhost address is also secured?

mrwon
2005-09-15 11:47:15
Only partially secure?
Me again.


Okay, I edited the # Controls who can get stuff from this server. section of the httpd.conf file to look like the foobar.httpd.conf file and it seems to be working, although I haven't been able to test it remotely.


Since I'm on dialup, editing websites with things like server-side includes on a remote server is a royal pain. So I'm looking to configure Apache to allow me to do that type of development on this machine securely.


My LAN setup uses my main Mac as a server and a bunch of old PCs and a Mac mini to connect to the internet through it.


I"m assuming, judging from the speedy page loads from the other machines, that the local access to my Mac's webpages is directly over the LAN rather than out to the internet and back.


Because I need to be able to preview pages in IE 6 via a PC on the LAN, I presume I need to allow access to at least one other local computer. I've added the IP addresses of the other machines on my LAN to that httpd.conf file and the foobar.httpd.conf file like so:


Options Indexes MultiViews
AllowOverride None
# Order allow,deny
# Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 1xx.xxx.xxx.aaa
Allow from xxx.xxx.xxx.bbb
Allow from xxx.xxx.xxx.ccc


(That's from the foobar.httpd.conf file, the httpd.conf file looks somewhat different)


My new question is: Will this allow someone not on my LAN but with an identical IP address as one of the allowed computers to access my served pages over the internet?

qka
2005-09-15 17:07:16
Only partially secure?
My new question is: Will this allow someone not on my LAN but with an identical IP address as one of the allowed computers to access my served pages over the internet?


Theoretically, no one else in the world should have the same routable IP address as you. Typically, computers on your LAN would have private, or nonroutable IP addresses. Typically these would be assigned by your local DHCP server. These are duplicated in the world, but because the are nonroutable, they cannot be accessed by anyone not on your LAN. So for all intents and purposes, they are unique. (For more information, refer to any basic networking textbook.)


Private addresses are in the ranges:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 198.168.255.255


So if the address on your allowed list is in these ranges, no one outside your LAN will be able to access your served pages.


Also be aware that as computers on your LAN are rebooted, they may be assigned different IP addresses by the DHCP server. This may cause them to no longer have access to your served pages. (DHCP stands for DynamicHost Configuration Protocol) A fixed IP address, even if not routable, is a solution.


Good Luck with it!

mrwon
2005-09-15 17:29:39
Only partially secure?
Thanks!


I wasn't aware of that routable/non-routable distinction.


Re: the DHCP server assigning new addresses, I agree that it's much more predictable to assign each machine a fixed address, since most of them aren't going anywhere. Makes it much easier to ping, administer via VNC etc.


After many newbie fits and starts, I actually got it working too.


Shamefully, I've never read a networking manual. Ah, the travails of being a pseudo Mac geek. Trial and error so often eventually succeed that I get used to not knowing what I did to enable electronic harmony.


"One of these button combos has got to work!"


Uh...not a recommended long-term solution though :-D

daeley
2005-09-15 19:46:27
Only partially secure?
Don't I then have to repeat this procedure for each user on the computer to get those accounts secured as well?


Yes, each individual user has their own .conf file which would need to have this done to it, if you wanted to do it piecemeal -- i.e. some Sites folders protected, some not.



But...How do I then make it so that the http://localhost address is also secured?


Using this Apache config method, it's just about as easy to protect your /Library/WebServer/Documents directory. The /etc/httpd/httpd.conf file controls access there -- open it in your editor of choice and find the line that contains "Controls who can get stuff from this server," which will probably be around line 409. Just below this (411, 412), you'll find the Order allow,deny and Allow from all lines just like in your foobar.conf file. Comment those two lines out, then add the same new lines as before:


Order deny,all


Deny from all


Allow from 127.0.0.1

daeley
2005-09-15 19:54:47
Only partially secure?
Whoops, I replied to your first message without reading this one -- so you already figured out the httpd.conf file, excellent. :)


One handy aspect of the Allow from xxx.xxx.xxx.xxx directive or Deny from... for that matter is that you can use an asterisk as a wildcard in the IP address. Thus, if you wanted to allow everyone on your subnet access you could do something like:


Allow from xxx.xxx.xxx.*


to take care of what you're wanting to do, I think.

boufon
2005-09-15 23:33:10
there is no foobar.conf
The /etc/httpd/users directory is empty. There is no file inside !
Is foobar.conf created automaticaly or manually ?
daeley
2005-09-16 09:50:23
there is no foobar.conf
Hi -- well, it should be created automatically. I believe you can manually create it, however, using the lines listed in the article.
marios buttner
2006-05-15 12:28:24
regarding mrwan's post number two:


I believe that those security issues can allready be issued from the router device you are using.
For instance using a linksys WAG354g device (not talking even about wireless here) you should have NAS enabled.most routers nowadays have Network address translation. So the nonroutable internal LAN addresses stay the same.(If you have it enabled in your router.)


On the left side select network.
You can see the IP address there usually in the form of 192.168.1.xx.