Admittedly, I'm using a different environment than you are, but mine
seems to accomplish what I think you're looking for.  What we've done is
configure access to the Trac (and Subversion) sites using mod_ldap in
Apache and then a list of "require user" statements that are driven
through include files in the conf.d directory for httpd.  What that does
is stop anybody who's not authorized at the apache door.

The next step is that Apache is configured with custom 404 and 403 error
pages.  The 403 (Forbidden) page is set up to generate a 404 status
code.  That then means that someone probing the site gets the same 404
status code whether the file doesn't exist or the file access is
forbidden.  I haven't prodded this a lot, but it seems to work just
fine.

This is, admittedly, also on an Intranet environment.  We are, however,
looking at setting up an alias to this server which will be Internet
accessible, so getting the same thing you're looking for is fairly
important to me.  None of my work is sensitive, so the collaboration can
be done on the Internet with SSL encryption (in fact, my group's job is
to make some NASA Earth Science data available to the general public),
but I also don't want the general public knocking around in the
collaboration areas we're setting up with some partners in this earth
science data distribution "business".

Hope this helps.


============================================================
Bruce E. Wilson ([EMAIL PROTECTED]) 
Environmental Sciences Division 
Oak Ridge National Laboratory 
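The setup Bruce describes, written out as an added example for Apache 2.4 with mod_authnz_ldap (this is not configuration from the thread or from the Trac project; the LDAP host, base DN, allow-list file and script path are assumptions):

```apache
# Added example for Apache 2.4: LDAP-authenticated, allow-listed access to Trac,
# with 403 responses rewritten to 404 so a probe cannot tell "forbidden" from "missing".
# ldap.example.com, the base DN, the allow-list file and the script path are assumptions.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location "/trac">
    AuthType          Basic
    AuthName          "Trac"
    AuthBasicProvider ldap
    AuthLDAPURL       "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"

    # The allow-list lives in its own file (e.g. a single line "Require user alice bob"),
    # so it can be edited without touching the main configuration.
    Include conf.d/trac-users.conf

    # Requests without credentials get a 401 for every path under /trac, so they
    # reveal nothing about which URLs exist. An authenticated user who is not on the
    # allow-list would get a 403; route that to a CGI script that answers 404 instead.
    ErrorDocument 403 /cgi-bin/notfound.cgi
</Location>

# The error handler must be reachable without authentication, so it sits outside /trac.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Require all granted
</Directory>
```

notfound.cgi only needs to print `Status: 404 Not Found`, a `Content-Type:` header, a blank line and a short body; Apache uses the script's Status header as the status of the error response, so the client sees 404 rather than 403.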



-----Original Message-----
From: trac-users@googlegroups.com [mailto:[EMAIL PROTECTED]
On Behalf Of Emin
Sent: Tuesday, July 17, 2007 3:58 PM
To: Trac Users
Subject: [Trac] Re: How do I secure trac from anonymous users?


Thanks for the reply. But even with password authentication turned on,
it seems like an unauthenticated user can still do things like probe
which urls exist and which don't. I guess this isn't a big deal, but it
made me wonder if there was some way to prevent that as well. I guess if
I need that I should look into the apache methods of restricting
access...

Thanks,
-Emin

On Jul 17, 1:17 pm, "Jason Winnebeck" <[EMAIL PROTECTED]> wrote:
> If you are using password authentication already, and don't allow 
> non-authenticated use of Trac, then about the only thing more that I 
> can see is to use SSL to serve Trac pages if you are not already, and 
> if you are concerned about password hacking you could go as far as SSL
> client certificates, but that is hard to set up.
>
> So, in short:
>  * Authentication helps to protect you against unsolicited visitors
>  * SSL encryption helps to protect you against eavesdroppers
>  * SSL client certificates help to protect you against crackers
>
> Jason
>
>
>
> -----Original Message-----
> From: trac-users@googlegroups.com [mailto:[EMAIL PROTECTED]
>
> On Behalf Of Emin
> Sent: Tuesday, July 17, 2007 10:37 AM
> To: Trac Users
> Subject: [Trac] How do I secure trac from anonymous users?
>
> Dear Experts,
>
> How do I ensure that only users with valid logins have access to my 
> trac instance? I removed all permissions from the anonymous user and 
> followed the instructions in the install guide to use htpasswd to 
> provide authenticated accounts to users. But it seems like it may/ 
> should be possible to secure things further. What else can/should I do
> to protect a trac instance accessible on the Internet as opposed to an
> Intranet.
>
> Thanks,
> -Emin




--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To post to this group, send email to trac-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---
