Hello from a newbie.

I have a question on where to put perl scripts so that I limit access to only valid users on Apache. To get a useful answer I think I have to provide some specifics. My apologies if I do not get all the needed info out.

I have installed Apache , perl and MySQL on a RedHat 9.0 box. My root for web documents is at /var/www/html/. Right now I have my cgi directory at /var/www/cgi-bin/ . I have created a directory at var/www/html/secure/ and limited access to only valid users. I have pages that I want public as well as pages I want secure.

I have created perl scripts that link to a MySQL database. Some of the scripts modify the database therefore I want to limit the access to them. The O'reilly Apache books says that if I put the scripts below the root of the public html (such as in my /var/www/html/secure directory) I create a potential security risk. If I put them in the cgi-bin directory anyone who finds out the name of the script can run them.

Where do they belong? Is there any documentation as to where to put different parts of a website? The O'Reilly Apache book does a decent job of explaining the mechanics but not much on where things belong. I guess it is tough to come up with a generic layout to fit all needs. Any suggestions on what I should configure once I put them there would be great.

Thanks to all who contribute to make this a great website.

A couple of options come to mind right away.

First, in your httpd.conf, create a <Directory ...></Directory> block. Within that you can use "allow none" and "allow from ..." to control access to the directory.

<Directory /var/www/html/secure>
allow none
allow from domain.com
</Directory>
ScriptAlias /var/www/html/secure

That might work . MIGHT. Not sure, haven't tried that out.

Another option is to use a .htaccess file to control visitors access to the scripts. Do some hunting on the web for how they work. They're pretty easy to use.

My last suggestion, and most complicated, is to build a login page in Perl and use a MySQL database backend to store the valid users and passwords. I have several things I've written that use this approach, but I used PHP.

Is the secure directory protected with .htaccess? That is, can't be accessed unless user supplies a password? If so, that sounds like a good place to put it.

If you want to add further security (and complexity), make the perl cgi there pretty minimal and put most of the working code in a perl module. You could also create an sql user with password and put name, password, and whatever other variables of interest into a config file which would reside outside of the web root with permissions set so only the user apache runs as can read it. First thing the cgi does is get those values, and establishes connection with the database when appropriate using those credentials. Only give the sql user used by the script those permissions on tables that it absolutely requires.

One way or another the web server needs to access the cgi, obviously. However many layers of security to add and how arcane to get is up to you. Having a mysql username and password in a file readable by the web server is less than secure on a shared server where other accounts can write scripts for the web server to execute, but still better than no username and password at all.

I do something like the above with php where config variables are defined and the bulk of the code resides in classes. It has been some time since I've written a perl module. Vague recollections of it having its own quirks and php being perhaps a bit more friendly for this approach.

Yes, the secure directory is protected (asks for username and password) but I did it in the httpd.conf file and restarted Apache. Since reading the replies, I combined both suggestions. I added another directory at /var/www/html/secure/cgi-bin/ and added the a ScriptAlias for /var/www/html/secure/cgi-bin. It now validates the user (asking for username and password) before the script can be called so it works OK on that end and everything seems to be interfacing fine. Thanks for the help.

The only nagging question I come back to is the fact that the O'Reilly Apache makes a blanket statement that putting a script below the root html directory creates a potential security risk. I guess the key word is "potential". Anyone have any thought on this?

As a general rule, don't put anything sensitive in the web root. If you have to, password protect it. Do regular back ups. Best of all for security, encase server in cement and dump in deep part of the ocean. Web servers are inherently insecure because their raison d'etre is to share stuff with everyone in the world. Security is, in a sense, tacked on. A certain amount of paranoia is healthy, but unless you want to dump it in the ocean, it's a question of balancing security concerns against access and usability.