To make Apache authenticate users without using external authentication services, you need to create two files: a password file and an htaccess file.
The password file contains users and their passwords in plain text or encrypted. One way to create such a file:
touch /usr/local/sarg/passwd
htpasswd -bm /usr/local/sarg/passwd admin *admin_password*
htpasswd -bm /usr/local/sarg/passwd user1 *user1_password*
htpasswd -bm /usr/local/sarg/passwd user2 *user2_password*
...
Don't forget to grant Apache the right to read it.
To learn about all htpasswd options, use man htpasswd or visit the Apache htpasswd web page.
The htaccess file is a web directory configuration file. The default .htaccess template file is:
AuthUserFile /usr/local/sarg/passwd
AuthName "SARG, Restricted Access"
AuthType Basic
<Limit GET POST>
Require user admin %u
</Limit>
With this configuration, two users will have access to a web page: admin and the user the report is made for.
For example, you have directories:
/var/www/html/squid-reports/daily/2015Nov20-2015Nov20/alex
/var/www/html/squid-reports/daily/2015Nov20-2015Nov20/max
/var/www/html/squid-reports/daily/2015Nov20-2015Nov20/peter
If you use the user_authentication yes option, sarg will put an .htaccess file into each directory with %u changed to a username: Require user admin alex for the first directory, and likewise for the others.
Don't forget to set the AllowOverride All option for the squid-reports directory so that every user can navigate the web pages to choose a date or report type (daily, weekly, monthly).
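A check for the per-directory files described above, added here as an example and not part of SARG: it walks one report period directory and confirms that each user directory's .htaccess allows only admin and that directory's user. The function names and the sample tree are hypothetical, and it assumes every subdirectory of the period directory is a user report.

```shell
# Added example (not SARG's own code). Assumes each subdirectory of a period
# directory is one user's report and the template is "Require user admin %u".
# audit_period DIR [ADMIN]: print OK/MISSING/MISMATCH per user directory and
# return 0 only if each is limited to ADMIN plus the directory's own user.
audit_period() {
    period=$1; admin=${2:-admin}; rc=0
    for dir in "$period"/*/; do
        [ -d "$dir" ] || continue
        user=$(basename "$dir"); ht="${dir}.htaccess"
        [ -f "$ht" ] || { echo "MISSING  $user"; rc=1; continue; }
        # Names from every "Require user" line; any other Require type
        # (valid-user, all granted, ...) is shown in brackets and fails.
        allowed=$(awk 'tolower($1) == "require" {
            if (tolower($2) == "user") { for (i = 3; i <= NF; i++) print $i }
            else print "[" $2 "]" }' "$ht" | sort -u | tr '\n' ' ')
        expected=$(printf '%s\n' "$admin" "$user" | sort -u | tr '\n' ' ')
        if [ "$allowed" = "$expected" ]; then
            echo "OK       $user"
        else
            echo "MISMATCH $user (allows: $allowed)"; rc=1
        fi
    done
    return $rc
}

# write_ht DIR NAME...: the page's template with %u already replaced.
write_ht() {
    d=$1; shift
    cat > "$d/.htaccess" <<EOF
AuthUserFile /usr/local/sarg/passwd
AuthName "SARG, Restricted Access"
AuthType Basic
<Limit GET POST>
Require user $*
</Limit>
EOF
}

# make_sample_tree: constructed test data, not real report output.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/alex" "$root/max" "$root/peter"
    write_ht "$root/alex" admin alex   # correct
    write_ht "$root/max" admin %u      # %u was never substituted
    echo "$root"                       # peter has no .htaccess at all
}

demo=$(make_sample_tree)
audit_period "$demo" || echo "audit failed: fix the directories listed above"
rm -rf "$demo"
```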
If you use IP authentication only, you can limit access by IP address. The sarg_htaccess template then becomes simpler and the passwd file is no longer needed:
<Limit GET POST>
Allow from 10.1.2.3 %u
Deny from all
</Limit>
Here 10.1.2.3 is the IP address of a computer that should have access to all reports.
Note that these reports:
Top sites
Sites & Users
Redirector
Downloads
Denied accesses
Authentication Failures
Useragent
will also be available for everyone.
A more complex case: you have a directory service and want to give access to a technician group and a user, using accounts in the directory. Your .htaccess template file may look like this:
AuthType Basic
AuthName "SARG, Restricted Access"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://dc01.mycompany.com:3268/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "CN=ldapuser,CN=Users,DC=mycompany,DC=com"
AuthLDAPBindPassword "ldapuser-password"
require ldap-group squidadmins
require ldap-user %u
This is a working example in an Active Directory environment based on Windows Server 2008 R2 at the highest functional level.
AuthLDAPURL has these components:
dc01.mycompany.com - domain controller DNS name.
3268 - TCP port of global catalog service.
DC=mycompany,DC=com - search root.
?sAMAccountName?sub?(objectClass=user) - search attribute, scope and filter.
AuthLDAPBindDN is a user with rights to read account information. In this example it is ldapuser, which resides in the Users container at the top level of the domain structure. AuthLDAPBindPassword is the password of that user.
require ldap-group squidadmins - this line allows members of the squidadmins group access to the web directory. Several group names can be given here.
require ldap-user %u - this line allows a user (%u will be replaced with the directory name) access to the web directory. Several usernames can be given here.
Since the passwords are transmitted unencrypted, it is recommended to configure SSL on a web server.