The access control by hostname and Basic user authentication facilities provided by httpd are relatively safe, but not bulletproof. The user authentication sends passwords across the network in plaintext, making them easily readable. The DNS based access control is only as safe as DNS, so you should keep that in mind when using it. Bottom line: If it absolutely positively cannot be seen by outside people, you probably should not use httpd to protect it.
Whenever you can, use the Options directive to disable server-side includes. At the very least, you should disable the exec feature. Note that because the default value of Options is All, you should include an Options directive in every Directory clause in your global ACF and in every .htaccess file you write.
Use this directive to prevent any "untrusted" directories (such as users' home directories) from overriding your settings (and thus allowing their friends to execute xterms as nobody with a server-side include or other such horrors). You also gain a bonus in performance.
Protect your users' home directories with
directives. If your users all have their home directories in one
physical location (such as
/home), then this is easy:
<Directory /home> AllowOverride None Options Indexes </Directory>If they are not all in one location such as /home, then you should use this wildcard pattern to secure them (assuming your UserDir is set to
<Directory /*/public_html*> AllowOverride None Options Indexes </Directory>In addition, if you wish to give your users the ability to create symbolic links to things only they own, use the Option
Return to tutorial overview