MacHTTP Security

MacHTTP has two techniques for providing access controls. MacHTTP can restrict incoming connections based on the IP address or domain name of the remote client. Also, MacHTTP implements the "Basic" authentication scheme supported by most WWW clients and servers. This method allows you to assign access controls to files or folders that require a remote user to enter a valid username and password before they are allowed to access the information.

Security by Address

The MacHTTP Technical Reference has a thorough discussion of the ALLOW and DENY statements which control access from WWW clients based on their IP address or domain name. There is one interesting technique that is not covered in the technical reference.

Often, you need to be able to allow everyone to connect to your site, but restrict a handful of hosts or domains. MacHTTP's default behavior is to disallow all clients except those explicitly listed in the MacHTTP.config file if any ALLOW or DENY statements are present. To overcome this behavior, you can easily allow everyone using the following 9 ALLOW statements, followed by any DENY statements as needed:

Another alternative to this technique is to run multiple MacHTTP servers on the same Mac. You can run a public server that is available to everyone on one PORT, and a secure server on a separate PORT (use the PORT command in the MacHTTP.config file to define which TCP/IP port MacHTTP listens to.) Make sure that the MacHTTP applications running on different ports live in different folders with separate config files and settings files.

Basic Authentication

Authentication by folder, multiple realms, username & password support. This is the BIG change for b15, so read the following carefully!!! MacHTTP now FULLY supports the Basic authentication scheme for all files it serves. This means that you may control access down to individual files and assign usernames and passwords.

How authentication works:
The Basic authentication scheme is built into most WWW clients (older versions of MacWeb and Mosaic do not support authentication). Authentication is OPTIONAL and you may choose not to activate any password-based security on your server. When a file or folder is restricted to access by certain users, MacHTTP returns a result to WWW clients that forces them to prompt the user for a username and password to access the file. Assuming the username and password sent to MacHTTP from the client are valid, the requested file is returned. Future requests for files requiring the same permissions will cause the WWW client to send the username and password automatically. Normally, this means a user will only have to enter a password once for convenience purposes.

How MacHTTP implements authentication: MacHTTP allows you to divide your files and folders into multiple security "realms." Files and folders are placed in a realm, based on the text of the URL to the specific file. For example, suppose you want to configure your server so that you have some files available to everyone, some files availalble to co-workers, and some files available to customers.

The MacHTTP.config file adds a new command, "REALM", which allows you to do this. The syntax of the REALM command is:

REALM <match_string> <descriptive_name>

where match_string represents some substring of a URL that will be unique to all files in that realm and descriptive_name is text (no spaces!) that describes the realm in human readable terms. The arguments to REALM are case insensitive.

Back to the example, assume your config file contains the following lines:

REALM work Co-Workers
REALM custom Customers

Files in the Co-Workers realm may have names like:

Customer files may look like:

Using the "Co-Worker" example, MacHTTP looks for the match_string "work" in a URL. If it sees it, it requires authentication from the WWW client before it will allow access to the file. Notice that the substring "work" can be part of the file name, or a folder containing the file. MacHTTP will find the substring anywhere in the URL, so you can control access to multiple files by placing them in a folder whose name contains a realm's match_string. Be careful not to have a single URL match two realms. If this happens, MacHTTP uses the first realm that matches, in the order that they are entered in the config file.

Once it has found that a file requires authentication, MacHTTP sends the appropriate message to the WWW client and passes the descriptive_name (in this case "Co-Workers") to the client. The WWW client will show this string to the user when it prompts the user for a username and password. MacHTTP will use a combination of the username and the realm to look up the correct password from the new "MacHTTP Settings" file. If the password supplied by the user matches the password found in the settings file, the file will be returned to the user.

The MacHTTP Settings file:
This file is where username and password information is stored for all users authorized to access restricted files on your server. The information is stored as STRing resources, so there is no possibility that a remote user can download this information from your server. Ultimately, many of MacHTTP's settings and configuration information stored in the MacHTTP.config file will move to the new settings file. For the time being, there will be one more file to clutter up your MacHTTP folder.

Creating Passwords:
Assuming that there is at least one REALM statement in your MacHTTP.config file, you can use the new "Passwords..." menu command under the "Edit" menu to add or delete password entries from the MacHTTP Settings file. (Ultimately, there will be balloon help and AppleGuide info for this dialog.) To add a new username, enter the name in the "User Name" field, the password in the "Password" field, and use the "Realms" pop-up menu to select a security realm from those defined in the config file. Then, click the Add button. The new username will appear in the scrolling list, along with the realm it is assigned to. Note that a user name may be entered in multiple realms, allowing the user to be both a co-worker and a customer, for example. Each username/realm combination must be unique within the settings file.

To view a username's password or to delete a username, select one of the names from the scrolling list. The information comprising the username entry will be displayed in the username and password fields and the realm pop-up. Press the Delete button to remove the username. Although you may modify the values in the fields at this point, if you press the Add button, the changes will be saved as a new username and will not modify the old entry. To modify an existing username, delete the old one and add a new one.

Usernames are available immediately after adding them, so there is no need to stop or start the server. In addition, MacHTTP will continue to serve files while you are entering username info.

Security Tips