4.9 Apache Creating Online Shares
I am not happy with the private share portion of this article.
Introduction
I often find I need to quickly share files with the general public or selected friends. As such I have set up Online Shares with Apache. Continuing our example, I will put a public and a private share on krypton as follows,
www.krypton.com/shared/ - accessible by everyone
www.krypton.com/shared.private/ - only accessible by specific people
Also if possible, this setup should allow the website admins to do the setup without the need for the server admin to come in and perform root actions.
Assuming you are logged in as a Staff User created in the Setup Ubuntu Linux Base Server,
Shared - Public Share Folder
    cd /home/www.krypton.com
    sudo mkdir shared          # Browseable folder to drop content to share with others
    sudo mkdir shared.private  # Browser password protected folder to drop content to share with others via .htaccess
    sudo mkdir keys            # Place to store keys for protected folder
    cd /home
    sudo chown -R serveradmin:wgkryptonian ./www.krypton.com/shared/
    sudo chmod -R 775 www.krypton.com/shared/
    # Only serveradmin and users in the wgkryptonian group can manage.
    # Apache (others) still needs to be able to read and browse.
Add to the website host file,
    # A trailing slash on the URL path needs one on the target as well
    Alias /shared/ "/home/www.krypton.com/shared/"
    Alias /shared "/home/www.krypton.com/shared"
    <Directory /home/www.krypton.com/shared>
        # Make this folder browseable
        Options +Indexes
    </Directory>
The final host file will look like this,
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName www.krypton.com
        ServerAlias www.krypton.com
        DocumentRoot /home/www.krypton.com/www

        # This sets a restrictive precedent for ALL directory blocks.
        <Directory />
            Options FollowSymLinks
            # This prevents use of .htaccess
            AllowOverride None
        </Directory>

        # Main location of static content for the websites.
        <Directory /home/www.krypton.com/www/>
            Options +MultiViews
            Order Allow,Deny
            Allow from all
        </Directory>

        # A trailing slash on the URL path needs one on the target as well
        Alias /shared/ "/home/www.krypton.com/shared/"
        Alias /shared "/home/www.krypton.com/shared"
        <Directory /home/www.krypton.com/shared>
            # Make this folder browseable
            Options +Indexes
        </Directory>

        ErrorLog /var/log/apache2/www.krypton.com.error.log
        # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/www.krypton.com.access.log combined
    </VirtualHost>
Reload the Apache configuration file,
    sudo /etc/init.d/apache2 reload
shared.private - Private Folders
kalel wants to have a private place to store his documents that can only be accessed by accounts he sets up.
This is working but has a caveat outlined in notes and a bug in AllowOverride which I am documenting.
htpasswd and the directive AllowOverride in the shared.private directory block will be used to accomplish this.
Logged in as himself, kalel would do the following one-time setup,
    cd /home/www.krypton.com/shared.private
    mkdir kalel
    chmod 750 kalel
    # Use the keys folder created earlier. It is the path AuthUserFile points to
    # and it sits outside the shared folders, so Apache never serves the password
    # file. kalel needs write permission on it.
    cd /home/www.krypton.com/keys
    # Create the initial password file with the first user being kalel
    htpasswd -c kalel-www.krypton.com.shared.private kalel
    New password:
    Re-type new password:
    # Create additional accounts. Notice NO "-c"
    htpasswd kalel-www.krypton.com.shared.private cclark
One caveat: this also prevents Apache's Index program from listing the directory, so you must know about the directory or put a link to it. Consider using the .htaccess definition one level higher, but then it's easy to break.... hmmmm...
    # Enables directory listing (the server config must permit Options in .htaccess)
    Options +Indexes
    # Enable authentication, see http://httpd.apache.org/docs/2.0/howto/auth.html
    AuthType Basic
    AuthName "Password Required"
    AuthUserFile /home/www.krypton.com/keys/kalel-www.krypton.com.shared.private
    Require valid-user
If kalel wants to define additional user accounts and passwords in kalel-www.krypton.com.shared.private this can be accomplished by groups. Further details are on Apache's website at Authentication, Authorization and Access Control.
This will serve well for most users. However, keep in mind that by default /home/www.krypton.com/shared.private/kalel/ is still accessible by other users who can log into the system such as jimmyolsen.
To make his folder more private, kalel makes a request to serveradmin (who has sudo privileges) to make the following changes,
    # assuming the user is serveradmin or any other account with sudo privileges
    sudo chmod -R 750 /home/www.krypton.com/shared.private/kalel/
    sudo chown -R kalel:www-data /home/www.krypton.com/shared.private/kalel/
Now only kalel and users belonging to the group www-data (which is required for the Apache Web Server) can access the folder /home/www.krypton.com/shared.private/kalel/.
Update the virtual host as follows,
    # A trailing slash on the URL path needs one on the target as well
    Alias /shared/ "/home/www.krypton.com/shared/"
    Alias /shared "/home/www.krypton.com/shared"
    <Directory /home/www.krypton.com/shared>
        # Make this folder browseable
        Options +Indexes
    </Directory>

    Alias /shared.private/ "/home/www.krypton.com/shared.private/"
    Alias /shared.private "/home/www.krypton.com/shared.private"
    <Directory /home/www.krypton.com/shared.private>
        # Allow website admin to use .htaccess - http://httpd.apache.org/docs/2.2/mod/core.html,
        # AuthConfig - Authentication
        # Indexes - Makes directory browseable
        # As soon as I introduce Indexes it breaks with error, ".htaccess: Options not allowed here".
        #AllowOverride AuthConfig Indexes

        # This works but allowing all is a security risk
        # AllowOverride All

        # Start TEMP solution
        # Allow the .htaccess file to allow authentication.
        AllowOverride AuthConfig
        # For some reason allowing override of indexes does not work in .htaccess so set it manually here.
        Options +Indexes
        # End TEMP solution
    </Directory>

    ErrorLog /var/log/apache2/www.krypton.com.error.log
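An added example, not part of the original article: the error ".htaccess: Options not allowed here" arises because the AllowOverride class Indexes covers the mod_autoindex and mod_dir directives, while the Options directive belongs to the Options class. The block shows the failing setting beside one that lets .htaccess set Options +Indexes and nothing else; the commented IndexOptions line is an optional extra for the listing caveat mentioned earlier.

```apache
<Directory /home/www.krypton.com/shared.private>
    # Fails: "Indexes" here means the directory-indexing directives
    # (IndexOptions, DirectoryIndex, AddIcon, ...), not "Options +Indexes",
    # so .htaccess still reports "Options not allowed here".
    #AllowOverride AuthConfig Indexes

    # Works, and is far narrower than "AllowOverride All":
    #   AuthConfig      - AuthType, AuthName, AuthUserFile, Require
    #   Options=Indexes - the Options directive, limited to Indexes
    AllowOverride AuthConfig Options=Indexes

    # Optional (Apache 2.3.10 and later): list entries such as kalel/ in the
    # parent index even though requesting them returns 401 or 403.
    #IndexOptions ShowForbidden
</Directory>
```

With this in place the Options +Indexes line can stay in kalel's .htaccess; keep Options +Indexes in the Directory block as well if /shared.private/ itself should be listed.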
Reload the configuration file,
    sudo /etc/init.d/apache2 reload
You can now browse to the folder, http://www.krypton.com/shared.private through a browser and it will first prompt for an id in the kalel-www.krypton.com.shared.private file before showing the files in that folder.
Should put a screen-shot here.