Hi All,
Where is the proper place to put .htpasswd so I can password protect directories in /var/www/html?
/etc/httpd/run?
-Jason
Jason Todd Slack-Moehrle wrote:
Hi All,
Where is the proper place to put .htpasswd so I can password protect directories in /var/www/html?
/etc/httpd/run?
probably not, as that's a world readable directory (it's a symlink to /var/run)
I've generally stuck them in an app specific directory, if your website is all in /var/www, I'd probably stash them in a subdir of that.
On Wed, May 27, 2009 at 05:36:19PM -0700, John R Pierce wrote:
I've generally stuck them in an app specific directory, if your website is all in /var/www, I'd probably stash them in a subdir of that.
Just don't stick them under htdocs; or if you do then ensure there's an access control to prevent the web server from sending the contents of .htpasswd to a requesting evil person.
Stephen Harris wrote:
On Wed, May 27, 2009 at 05:36:19PM -0700, John R Pierce wrote:
I've generally stuck them in an app specific directory, if your website is all in /var/www, I'd probably stash them in a subdir of that.
Just don't stick them under htdocs; or if you do then ensure there's an access control to prevent the web server from sending the contents of .htpasswd to a requesting evil person.
pretty much every default httpd.conf I've ever seen has had an access control blocking */.ht*
but, I guess I hit send too soon, I didn't mean to put it in /var/www/httpd, rather in /var/www/somethingelse
Hi John,
Where is the proper place to put .htpasswd so I can password protect directories in /var/www/html?
/etc/httpd/run?
probably not, as that's a world readable directory (it's a symlink to /var/run)
What does world readable mean scope wise?
Like world readable from a web-server? Or did you mean for users that have accounts on the system?
-Jason
On Wed, May 27, 2009 at 7:28 PM, Jason Todd Slack-Moehrle mailinglists@mailnewsrss.com wrote:
Hi All,
Where is the proper place to put .htpasswd so I can password protect directories in /var/www/html?
/etc/httpd/run?
In theory if you have root access to the system, you really shouldn't use .htaccess files unless you have to. If the file isn't going to change it should ideally go into /etc/httpd/conf.d/someconfig.conf
The httpd documentation itself recommends against using htaccess files because they require more cycles to process and add to httpd's overhead. Now, for 99% (yes I made that statistic up) of webservers out there, it's academic as they likely won't see enough load out there to notice the difference between an included config vs an htaccess file.
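The suggestions in this thread combined into one server-config file, as an added example that is not part of any poster's message: the password file sits outside the document root, the auth directives live in conf.d instead of a .htaccess file, and .ht* files are never served. The file name, the protected directory, the password file path and the user name are assumptions, and the syntax is Apache 2.4 with the 2.2 form noted in a comment.

```apache
# /etc/httpd/conf.d/private-area.conf   (file name is an assumption)
# Assumed layout:
#   DocumentRoot          /var/www/html
#   protected directory   /var/www/html/private      (hypothetical)
#   password file         /var/www/auth/.htpasswd    (hypothetical, outside DocumentRoot)
#
# Create the password file, then make it readable by root and the httpd
# group only, so other local accounts cannot read the hashes:
#   htpasswd -c /var/www/auth/.htpasswd alice        (user name is an example)
#   chown root:apache /var/www/auth/.htpasswd
#   chmod 640 /var/www/auth/.htpasswd

<Directory "/var/www/html/private">
    # Auth is defined here in the server config, so httpd does not look
    # for or parse a .htaccess file on requests to this directory.
    AllowOverride None

    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider file
    AuthUserFile "/var/www/auth/.htpasswd"
    Require valid-user
</Directory>

# Second layer: refuse to serve .htaccess/.htpasswd even if one ends up
# somewhere under DocumentRoot.
<Files ".ht*">
    Require all denied
</Files>
# Apache 2.2 equivalent of the <Files> block above:
#   <Files ~ "^\.ht">
#       Order allow,deny
#       Deny from all
#   </Files>
```

Run `apachectl configtest` before reloading httpd so a syntax error in the new file does not take the server down.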