Apache

From eBabel wiki

Secure a single file with .htaccess and .htpasswd

Create a user and its password in a new .htpasswd file (-c creates the file, -m stores an MD5 hash, -b takes the password from the command line, so it ends up in your shell history; drop -b to be prompted instead):

htpasswd -mbc .htpasswd yourUsername yourPassword

Locate your httpd.conf file

todo: where is it on Ubuntu?

On Mac OS X, the httpd.conf file is here:

sudo vi /private/etc/apache2/httpd.conf

After the default <Directory /> tag, place your own:

<Directory /path/to/where/file/to/protect/is/>
  AuthType Basic
  AuthName "Login"
  # Where possible keep the password file outside the DocumentRoot, so it can never be served to a client.
  AuthUserFile /path/to/where/file/to/protect/is/.htpasswd
  # Require needs the keyword "user" (or "valid-user") in front of the name.
  Require user yourUsername
</Directory>
# The same directives (without the <Directory> wrapper) can go in a .htaccess file in that
# directory instead, but only if AllowOverride AuthConfig is enabled for the directory.

Testing for Anti-Clickjacking (X-Frame-Options in http header) from Apache

<syntaxhighlight lang="html4strict" line>
<!DOCTYPE html>
<html>
<head>
  <title>Clickjacking security measure</title>
  <style>
    iframe {
      width: 900px;
      height: 450px;
    }
  </style>
</head>
<body>
  <h1>Clickjacking</h1>
  <p>Check if the website can be returned within a frame or if this is blocked by an anti-clickjacking HTTP header.</p>
  <!-- iframe is not a void element, so it needs an explicit closing tag -->
  <iframe src="http://www.google.com/"></iframe>
</body>
</html>
</syntaxhighlight>


Now there was a redirect to www.google.nl (as the test was run from Amsterdam):

 Request URL:https://www.google.nl/
 Request Method:GET
 Status Code:200 OK
 Request Headers
 :host:www.google.nl
 :method:GET
 :path:/
 :scheme:https
 :version:HTTP/1.1
 accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 accept-charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
 accept-encoding:gzip,deflate,sdch
 accept-language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
 referer:http://127.0.0.1/~euterpe/clickjacking.htm                 << local apache webserver, with iFrame test
 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.27 Safari/537.17
 x-chrome-variations:COC1yQEIk7bJAQiftskBCKS2yQEIp7bJAQiqtskBCLO2yQEI0IPKAQ==

but the key part is that the response carries x-frame-options: SAMEORIGIN, so the browser refuses to render the page inside our frame (the server itself still answers 200; the blocking is done by the browser):

 Response Headers
 cache-control:private, max-age=0
 content-encoding:gzip
 content-type:text/html; charset=UTF-8
 date:Sun, 02 Dec 2012 11:41:21 GMT
 expires:-1
 server:gws
 status:200 OK    << interesting this is status 200
 version:HTTP/1.1
 x-frame-options:SAMEORIGIN
 x-xss-protection:1; mode=block    << we are being *blocked* !!

Automated testing for Anti-Clickjacking (i.e. X-Frame-Options in http header) via curl

The above test lets us check manually, from a simple iframe on a simple Apache localhost page.

However, this test can be automated via curl.

Google are safe:

 $ curl -i www.google.com | grep -i X-Frame-Options
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100   218  100   218    0     0   6036      0 --:--:-- --:--:-- --:--:--  9478
 X-Frame-Options: SAMEORIGIN

as they have the X-Frame-Options in the http header.

However amazon.com is not looking so good:

 $ curl -i www.amazon.com | grep -i X-Frame-Options
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100  159k    0  159k    0     0   109k      0 --:--:--  0:00:01 --:--:--  171k
 $

and indeed we can embed Amazon in an iframe, i.e. rerunning the first test but replacing www.google.com with www.amazon.com!
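The grep above only tells you whether the string X-Frame-Options appears somewhere; it does not check that the value is one browsers enforce, and it misses Content-Security-Policy frame-ancestors, which supersedes X-Frame-Options in current browsers. The following added example (not part of the original notes) parses a curl -i dump and classifies the framing protection; the response texts are constructed, modelled on the two transcripts above, not real captures. Note that x-xss-protection, annotated in the earlier dump, has nothing to do with framing.

```python
"""Classify the anti-framing protection found in a `curl -i` response dump."""
from typing import Dict, List


def parse_curl_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the first header block of a `curl -i` dump into {lowercased name: [values]}.
    Without -L curl shows only the first response, so for a site that redirects
    (as google.com did above) this inspects the 3xx answer, not the final page."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\n")[1:]:           # [0] is the status line
        line = line.rstrip("\r")
        if not line:                            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_protection(headers: Dict[str, List[str]]) -> str:
    """Return 'csp', 'xfo', 'invalid-xfo' or 'none'."""
    # CSP frame-ancestors takes precedence over X-Frame-Options where supported.
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                # frame-ancestors * permits framing from anywhere, i.e. no protection.
                return "none" if "*" in parts[1:] else "csp"
    values = {v.upper() for v in headers.get("x-frame-options", [])}
    if not values:
        return "none"                           # the amazon.com case above
    if values == {"DENY"} or values == {"SAMEORIGIN"}:
        return "xfo"                            # the google.com case above
    # Conflicting values, ALLOW-FROM (not supported by all browsers) or misspellings:
    # flag them, because enforcement cannot be relied upon.
    return "invalid-xfo"


def check(raw: str) -> str:
    return framing_protection(parse_curl_headers(raw))


# Constructed responses modelled on the two curl transcripts above (not real captures).
GOOGLE_LIKE = ("HTTP/1.1 200 OK\r\nServer: gws\r\nX-Frame-Options: SAMEORIGIN\r\n"
               "X-XSS-Protection: 1; mode=block\r\n\r\n<html>...</html>")
AMAZON_LIKE = "HTTP/1.1 200 OK\r\nServer: Server\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
CSP_LIKE = "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n"
BAD_XFO = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("google-like", GOOGLE_LIKE), ("amazon-like", AMAZON_LIKE),
                       ("csp-like", CSP_LIKE), ("bad-xfo", BAD_XFO)]:
        print(f"{label:12s} -> {check(raw)}")
```

To run it against a live site, feed it the output of curl -si (add -L if you want the final page after redirects) instead of the constructed strings.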

Apache on Mac OSX

These are my notes, from following:

http://osxdaily.com/2012/09/02/start-apache-web-server-mac-os-x/


Starting apache on Mac OSX

running:

 sudo apachectl start

then in chrome:

 view-source:http://127.0.0.1/

generates:

<syntaxhighlight lang="html4strict" line>
<html>
<body>
<h1>It works!</h1>
</body>
</html>
</syntaxhighlight>
=== Default Apache Guest.conf ===
The standard / default Mac OSX config is:

 $ ls -ltr /etc/apache2/users/
 total 8
 -rw-r--r--  1 root  wheel  141 Jul 27 09:35 Guest.conf
 $ cat /etc/apache2/users/Guest.conf
 <Directory "/Users/Guest/Sites/">
   Options Indexes MultiViews
   AllowOverride None
   Order allow,deny
   Allow from all
 </Directory>
=== Setting up non-Guest Apache conf file ===
 $ sudo cp /etc/apache2/users/Guest.conf /etc/apache2/users/euterpe.conf
 Password:
 $ sudo vi /etc/apache2/users/euterpe.conf 
 $ cat /etc/apache2/users/euterpe.conf
 <Directory "/Users/euterpe/Sites/">
   Options Indexes MultiViews
   AllowOverride None
   Order allow,deny
   Allow from all
 </Directory>
 $ ls /Users/euterpe/Sites
 ls: /Users/euterpe/Sites: No such file or directory
 $ mkdir -p /Users/euterpe/Sites

then restart apache so that /etc/apache2/users/euterpe.conf is picked up:

 sudo apachectl restart


Testing hello.html

Adding a simple webpage:

 $ cat /Users/euterpe/Sites/hello.html
<syntaxhighlight lang="html4strict" line>
<p>Hello World
</syntaxhighlight>

then in chrome:

 view-source:http://127.0.0.1/~euterpe/hello.html

returns:

<syntaxhighlight lang="html4strict" line>
<p>Hello World
</syntaxhighlight>