Apache Protect

Created by: Onar Vikingstad - onar@vikingstad.com
Current version: 0.7 - Released: December 15th, 2005

Version 0.7 - ZIP compressed.dmg file

What is it?
Apache Protect is a GUI utility that lets you configure and set up the built-in basic authentication and access control capabilities of the local Apache web server that comes pre-installed with all versions of Mac OS X. With this app you can easily set up user and group files, protect directories with a username and password, and set access control.

Doing all of this manually can be both time-consuming and confusing to the regular end user, since it often involves fiddling in the terminal and using "those pesky unix commands". This tool is simply meant to make the whole process easier with a sleek Aqua interface.

Just drag Apache Protect to your Applications folder.

• How do I protect a directory?
When first loading Apache Protect you may be asked to configure the Apache Web Server so it recognizes the security settings you are setting with Apache Protect. (For the technically inclined, please be aware that this will set all the "AllowOverride None" settings in your httpd.conf file to "AllowOverride AuthConfig Limit".) You will have to authenticate this process, as Apache Protect will change a few lines in your /private/etc/httpd/httpd.conf file. Please make a backup of your configuration files first if you are trying this on a production server!
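To review what that change opens up, compare the AllowOverride value of each <Directory> block in your backup with the edited file. The script below is an added example, not part of Apache Protect; the sample configuration and the sed substitution standing in for the tool's edit are constructed assumptions.

```shell
# Added example, not part of Apache Protect: list the AllowOverride value in
# each <Directory> block so a backup and the edited file can be compared.

# Prints "scope<TAB>arguments" per AllowOverride line. scope is the enclosing
# <Directory ...> argument, or "-" outside any block. <DirectoryMatch> is ignored.
list_allowoverride() {
    awk '
        BEGIN { scope = "-" }
        tolower($1) == "<directory" {
            scope = $0
            sub(/^[ \t]*<[A-Za-z]+[ \t]+/, "", scope)
            sub(/>[ \t]*$/, "", scope)
            gsub(/"/, "", scope)
            next
        }
        tolower($1) == "</directory>" { scope = "-"; next }
        tolower($1) == "allowoverride" {
            args = $0
            sub(/^[ \t]*[A-Za-z]+[ \t]+/, "", args)
            print scope "\t" args
        }
    ' "$1"
}

# Scopes where .htaccess files may override something (value is not "None").
overridable_scopes() {
    list_allowoverride "$1" | awk -F '\t' 'tolower($2) != "none" { print $1 }'
}

# Constructed "before" configuration (sample data, not a real httpd.conf).
sample_before() {
    cat <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/Library/WebServer/Documents">
    AllowOverride None
</Directory>
EOF
}

# Stand-in for the edit the README describes (assumption, not the tool's code).
apply_change() { sed 's/AllowOverride None/AllowOverride AuthConfig Limit/'; }

before=$(mktemp); after=$(mktemp)
sample_before > "$before"; apply_change < "$before" > "$after"
echo "before: $(overridable_scopes "$before" | tr '\n' ' ')"
echo "after:  $(overridable_scopes "$after" | tr '\n' ' ')"
rm -f "$before" "$after"
```

On a real system, run overridable_scopes against your backup and against /private/etc/httpd/httpd.conf; every scope that appears only in the second list now honours authentication and Limit directives from .htaccess files.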

After the initial setup process, you will have to create or use an existing user file where you are storing all the usernames and passwords.

Set up a userfile:
Select the "Configure user file" tab and then click the "New" button. Use whatever name you wish, but make sure the location will be outside the realm of the web server (directly in your home directory should be fine). Now start adding users by entering their usernames and passwords in the fields below. Click the "Add user" button, and the user gets added in the table view above. Notice that for security reasons the password was encrypted with CRYPT encryption. The user file is also automatically saved every time you edit it, so you don't have to worry about that.

Protecting a directory:
When you have a userfile ready to use with the usernames you wish to protect your directory with, you can select the "Protect directory" tab. Clicking the "Select" button will give you a dialog for specifying the directory you want to protect. Remember that this has to be within one of Apache's directory setups. The default location for your webserver files is in "/Library/WebServer/Documents" and also within every home-directory in "~/Sites".

Then select the user file you just created, and you'll see that the usernames will appear in the table view below. Just check all the users you wish to give access to the directory. When that is done, remember to click the "Save protection" button. Voila! The directory you selected is now protected.
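One check worth running after saving the protection is that the user file named in the access file really sits outside the web-served folders. The script below is an added example, not part of Apache Protect; the sample .htaccess contents, the user names and the assumption that home directories live under /Users are constructed for illustration.

```shell
# Added example, not part of Apache Protect: flag access files whose
# AuthUserFile points into a directory that Apache serves.

# Print the AuthUserFile argument of an access file, quotes stripped.
auth_user_file() {
    awk '
        tolower($1) == "authuserfile" {
            sub(/^[ \t]*[A-Za-z]+[ \t]+/, "")
            gsub(/"/, "")
            sub(/[ \t]+$/, "")
            print; exit
        }
    ' "$1"
}

# Succeeds when the path lies under a location the README names as web-served:
# the default document root or a user's ~/Sites folder (assumed under /Users).
# Plain string matching: symlinks and ".." components are not resolved.
is_web_served() {
    case "$1" in
        /Library/WebServer/Documents/*|/Users/*/Sites/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one verdict line; returns 0 ok, 1 exposed, 2 no AuthUserFile found.
audit_access_file() {
    userfile=$(auth_user_file "$1")
    if [ -z "$userfile" ]; then echo "no AuthUserFile in $1"; return 2; fi
    if is_web_served "$userfile"; then echo "EXPOSED $userfile"; return 1; fi
    echo "ok $userfile"
}

# Constructed sample: directives of the kind this procedure relies on
# (illustrative, not Apache Protect's actual output).
sample_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "Private area"
AuthUserFile "$1"
require user alice bob
EOF
}

tmp=$(mktemp)
for path in /Users/alice/webusers /Library/WebServer/Documents/private/users; do
    sample_htaccess "$path" > "$tmp"
    audit_access_file "$tmp" || true
done
rm -f "$tmp"
```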

Point your web browser at the directory (http://localhost/whateverdirectory/) and try it; a dialog like this should appear (this is in Safari):

• Additional features
Apache Protect also lets you set up a group file through the "Configure group file" tab option. There you can create a new group file, and map usernames to the different group names. This group file can then be used in the "Protect directory" tab.

In addition, further access control can be set through the "Access Control" settings by adding hostnames or IP addresses you would like to deny or allow access to the directory. Using the "Order" option lets you be sure that you are actually restricting things to the group that you want to let in, by combining a deny and an allow directive.

• Two modes of operation
The method described above is the default method, which will store a separate .htaccess file within each directory it is protecting. The other method is to store all the protection settings in one configuration file. This option can be enabled in the Preferences pane, with the "Store protection settings in a configuration file in /Library/WebServer" option. Apache Protect will then, by default, store this configuration file under "/Library/WebServer/apacheprotect.conf". There are many benefits to this method, both security- and performance-wise. A drawback, however, is that you will have to restart the Apache server each time you save the protection settings on a directory.

Please refer to the Apache webserver documentation at (http://httpd.apache.org/docs/howto/auth.html) for more information about the differences between these two methods of operation, to figure out which is most appropriate for your use.

• Cost and Distribution
Apache Protect is freeware. Apache Protect may be distributed freely through any method in the original archived format (.dmg), as long as it remains unaltered and includes this ReadMe file.

• Comments and Bugs
Please send all feedback to onar@vikingstad.com. I am very interested in any bugs you might find, or features that you'd like to see.

• Change Log
0.7 - 12/15/2005
- Added a new operation mode: saving into a configuration file
- Added support for group files
- Added support for access control settings (hostname/ip)
- Added options for changing the accessfilename and configuration file path
- Minor bug and memory leak fixes

0.6 - 08/30/2002
- Works in Jaguar 10.2
- Added preferences panel (not everything is implemented yet)
- Minor bug fixes
- Made changes for future improvements (group file/access control). May be implemented in next version.
- Built-in check for update to the application

0.5 - 25/04/2002
Initial release