On Wed, 2008-04-30 at 10:04 -0600, Rich Megginson wrote:
Sigurður Bjarnason wrote:
> I would like to secure the front page, so you have to type in the
password before you get the first page, The page the list up all the
pages etc ..
That page is /usr/share/dirsrv/html/admserv.html. It is generated by
the CGI URL /dist/download. I'm not sure how htaccess works - see
/etc/dirsrv/admin-serv/admserv.conf for more information.
.htaccess files are basically <directory> blocks stored in the directory
they configure, rather than the main Apache configuration. They may have
only a subset of the features available in the main config file,
depending mostly on the AllowOverride directive in the primary config
file. They're great for rapid prototyping of a complicated per-directory
configuration in Apache, and widely used in shared hosting Apache
environments. However, they have potentially bad implications for
security, and definitely bad implications for performance. The
performance hit happens just by enabling them, too, not just when the
feature is in use (though that can make it worse). Looking at my own
instance of FDS, they are quite properly disabled. Admserv.conf is
probably the right place for any access control changes.