RE: [LUAU] apache security question
Good point about the robots.txt file...As for mod_auth_mysql...I guess I should have used mod_auth_digest as my example to be more correct..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vince Hoang
Sent: Wednesday, February 09, 2005 11:43 PM
To: LUAU
Subject: Re: [LUAU] apache security question

On Tue, Feb 08, 2005 at 01:34:32PM -1000, Jaymes Schooler wrote:
> And Rightfully so...Being Paranoid that is... You may
> want to use something a little stronger for authorization such as
> mysqlauth or almost any other authentication Scheme/Module...Also you
> may want to include nobots.txt in any directory you do not want a
> search engine to probe.

What portable authentication types are there besides HTTP authentication and cookie authentication? If you are referring to mod_auth_mysql, I thought that was HTTP Basic authentication with a DB backend instead of a flat file.

A robots.txt file will only keep out good bots. Otherwise, it is fodder for the malicious ones.

-Vince

___
LUAU@lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
Re: [LUAU] apache security question
On Tue, Feb 08, 2005 at 01:34:32PM -1000, Jaymes Schooler wrote:
> And Rightfully so...Being Paranoid that is... You may
> want to use something a little stronger for authorization
> such as mysqlauth or almost any other authentication
> Scheme/Module...Also you may want to include nobots.txt in any
> directory you do not want a search engine to probe.

What portable authentication types are there besides HTTP authentication and cookie authentication? If you are referring to mod_auth_mysql, I thought that was HTTP Basic authentication with a DB backend instead of a flat file.

A robots.txt file will only keep out good bots. Otherwise, it is fodder for the malicious ones.

-Vince
Re: [LUAU] apache security question
On Tue, Feb 08, 2005 at 11:43:11AM -1000, Charles Lockhart wrote:
> So, we have a script or something that every time you create
> a directory in that secure directory, the script adds an
> .htaccess file, and the .htaccess file is used to enforce
> privacy, requiring a username and password to log in. I'm told
> that this should be secure enough to keep people from accessing
> the private area, and to prevent information from turning up on
> Google + etc.

You only need to enable authentication for the top-most directory when using HTTP Basic authentication. All the subdirectories will inherit the access. It is not _secure_, but it should keep out the bots and casual lurkers.

-Vince
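An added example, not part of the original message or of Apache: a small audit that walks a document tree and reports which .htaccess file governs each directory, so per-directory copies like the ones the script creates can be told apart from the single top-level file that inheritance makes sufficient. The directory names, the sample tree and the placeholder AuthUserFile path are constructed, and the inheritance model is a stated simplification.

```python
import os
import re
import tempfile

# Assumed model: a directory is protected when it or its nearest ancestor in the tree has
# an .htaccess with AuthType and Require; AllowOverride and httpd.conf are not modelled.
AUTH_RE = re.compile(r"^[ \t]*AuthType[ \t]+\S+", re.I | re.M)
REQUIRE_RE = re.compile(r"^[ \t]*Require[ \t]+\S+", re.I | re.M)
BASIC = "AuthType Basic\nAuthName Private\nAuthUserFile /PLACEHOLDER/htpasswd\nRequire valid-user\n"

def has_auth(directory):
    """True if directory/.htaccess turns authentication on (comment lines ignored)."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        return False
    return bool(AUTH_RE.search(text) and REQUIRE_RE.search(text))

def audit(root):
    """Map each directory (relative to root) to the one whose .htaccess governs it."""
    governing = {}
    for current, _dirs, _files in os.walk(root):  # top-down: parents come first
        rel = os.path.relpath(current, root)
        parent = os.path.relpath(os.path.dirname(current), root)
        inherited = governing.get(parent) if rel != "." else None
        governing[rel] = rel if has_auth(current) else inherited
    return governing

def redundant(root):
    """Directories whose own .htaccess repeats protection a parent already gives."""
    gov = audit(root)
    return sorted(d for d, g in gov.items()
                  if d != "." and d == g and gov.get(os.path.dirname(d) or "."))

def build_sample(root):
    """Constructed tree: protected top, per-directory copy, public, commented-out file."""
    files = {"private": BASIC, "private/wiki/pages": BASIC,
             "public": None, "staging": "# " + BASIC.replace("\n", "\n# ")}
    for rel, body in files.items():
        os.makedirs(os.path.join(root, rel))
        if body is not None:
            with open(os.path.join(root, rel, ".htaccess"), "w", encoding="utf-8") as fh:
                fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp), redundant(tmp), sep="\n")
```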
RE: [LUAU] apache security question
And Rightfully so...Being Paranoid that is... You may want to use something a little stronger for authorization such as mysqlauth or almost any other authentication Scheme/Module...Also you may want to include nobots.txt in any directory you do not want a search engine to probe.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Gordon
Sent: Tuesday, February 08, 2005 12:05 PM
To: LUAU
Subject: Re: [LUAU] apache security question

Charles Lockhart wrote:
> So, we have a script or something that every time you create a
> directory in that secure directory, the script adds an .htaccess file,
> and the .htaccess file is used to enforce privacy, requiring a
> username and password to log in. I'm told that this should be secure
> enough to keep people from accessing the private area, and to prevent
> information from turning up on Google + etc.
>
> So my question is, is that correct? I have no webmaster experience,
> and very limited privacy/security experience, so I'm not setting that
> up, our network admin is, but I figured I'd get a second (third,
> fourth, fifth...) opinion.
>

HTTP Auth should be enough for a wiki. I don't know anything about your particular wiki, so consider the flaw of HTTP Auth for yourself. The session is handled entirely on the client-side (no specification for "logging off"). And the authentication can be passed in the URI/REFERER strings. A funky browser behavior could, in turn, send this kind of info to a foreign entity (google, etc). But I may just be paranoid.

Tom
Re: [LUAU] apache security question
Charles Lockhart wrote:
> So, we have a script or something that every time you create a
> directory in that secure directory, the script adds an .htaccess file,
> and the .htaccess file is used to enforce privacy, requiring a
> username and password to log in. I'm told that this should be secure
> enough to keep people from accessing the private area, and to prevent
> information from turning up on Google + etc.
>
> So my question is, is that correct? I have no webmaster experience,
> and very limited privacy/security experience, so I'm not setting that
> up, our network admin is, but I figured I'd get a second (third,
> fourth, fifth...) opinion.

HTTP Auth should be enough for a wiki. I don't know anything about your particular wiki, so consider the flaw of HTTP Auth for yourself. The session is handled entirely on the client-side (no specification for "logging off"). And the authentication can be passed in the URI/REFERER strings. A funky browser behavior could, in turn, send this kind of info to a foreign entity (google, etc). But I may just be paranoid.

Tom
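An added example, not part of the original thread: a check a site operator can run over their own Apache access log to see whether credentials written into a URL (the user:password@host form) show up in the request or Referer fields, which is the exposure raised in the message above. The log lines, addresses and host names are constructed, and the combined log format is an assumption about the server's configuration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
                     r'"(?P<referer>[^"]*)" "[^"]*"$')

# Constructed sample lines (documentation addresses and host names, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - alice [08/Feb/2005:12:05:00 -1000] "GET /private/wiki/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Feb/2005:12:06:10 -1000] "GET /index.html HTTP/1.1" 200 1024 "http://alice:example-pass@wiki.example.org/private/wiki/" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Feb/2005:12:07:30 -1000] "GET http://bob@wiki.example.org/private/ HTTP/1.0" 401 - "-" "ExampleBot/1.0"',
    'not an access log line',
]

def userinfo(url):
    """Return (user, has_password) if an http(s) URL embeds credentials, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or parts.username is None:
        return None
    return parts.username, parts.password is not None

def find_leaks(lines):
    """Return (line_number, field, user, has_password) per credential-bearing URL.
    The password itself is never returned, so the report is safe to share."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not a combined-format line; skip rather than guess
        words = match["request"].split()
        target = words[1] if len(words) >= 2 else ""
        for field, url in (("request", target), ("referer", match["referer"])):
            found = userinfo(url)
            if found:
                hits.append((number, field) + found)
    return hits

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG):
        print("line %d: %s field carries credentials for user %r (password present: %s)" % hit)
```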