[sclug] Apache question
James Fidell
james at cloud9.co.uk
Sun Nov 7 23:43:14 UTC 2004
Quoting Dickon Hood (sclug at splurge.fluff.org):
> On Sun, Nov 07, 2004 at 13:14:44 +0000, Pieter Claassen wrote:
>
> : 3. To provide access control, you have to edit the apache.conf file and
> : on a per-directory or per-file basis provide separate authorisation
> : instructions (you can use PAM to authenticate users, which will at
> : least use your /etc/password)
>
> This is an exceptionally bad idea. HTTP is a connectionless protocol
> (ignoring 1.1 for now) with no limits on the speed or number of password
> attempts in any given period. That allows people to attack your main
> system password file by throwing usernames and passwords at it as fast as
> your network connection will allow, and that's not a good thing at all.
However, if you're writing your own module to handle the authentication,
which I think you'd probably have to do for this, you can add some
form of rate-limiting at the same time.
Whether it's a good idea to allow people to authenticate against the
system password file at all is of course another matter, but sometimes
you just have to solve the problem at hand, not (re)create the entire
system.
> : 2. Might this be most easily achieved to switch UID/GID of the apache
> : process on authentication to that of the authentication user?
>
> You'd probably have to attempt something similar, yes. One of the
> problems with this approach is that when you move to Apache 2, it will
> limit you to a non-threading MPM (which will cripple performance).
> Certainly we manage about 1200 requests/second on our threaded Apache 2
> instances, which is significantly up on the 400r/s or so we were getting
> under 1.3.
I looked at using Apache 2 to achieve the same sort of thing. I decided
it wasn't worth wasting time on. As it happens, the client I was doing
this for was happy to (preferred to, even) run 1.3 anyway and throw more
hardware at it, so that worked out ok :)
James
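The rate-limiting James mentions, as an added illustration that is not from the thread or from any Apache module: a per-user sliding-window failure counter with lockout that a custom authentication module could consult before it ever touches the password file. The function names, table size and limits are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_USERS    64   /* slots in the in-memory table (illustration size) */
#define MAX_FAILURES 5    /* failures tolerated inside the window */
#define WINDOW_SECS  60   /* sliding window over which failures are counted */
#define LOCKOUT_SECS 300  /* how long a locked-out user must wait */

struct attempt_record {
    char   user[32];
    time_t fail_at[MAX_FAILURES];   /* timestamps of recent failures */
    int    nfail;
    time_t locked_until;
};
static struct attempt_record table[MAX_USERS];
/* Find the record for a user, taking a free slot on first sight; NULL if full. */
static struct attempt_record *lookup(const char *user) {
    struct attempt_record *free_slot = NULL;
    for (int i = 0; i < MAX_USERS; i++) {
        if (table[i].user[0] == '\0') { if (!free_slot) free_slot = &table[i]; }
        else if (strcmp(table[i].user, user) == 0) return &table[i];
    }
    if (free_slot) snprintf(free_slot->user, sizeof free_slot->user, "%s", user);
    return free_slot;
}
/* 1 if the password check may run for user at time now, 0 if it must be refused. */
int auth_allowed(const char *user, time_t now) {
    struct attempt_record *r = lookup(user);
    return r != NULL && now >= r->locked_until;   /* a full table fails closed */
}
/* Call after a wrong password; returns 1 if this failure triggered a lockout. */
int auth_failed(const char *user, time_t now) {
    struct attempt_record *r = lookup(user);
    int kept = 0;
    if (!r) return 1;
    for (int i = 0; i < r->nfail; i++)            /* drop failures older than the window */
        if (now - r->fail_at[i] < WINDOW_SECS) r->fail_at[kept++] = r->fail_at[i];
    r->nfail = kept;
    if (r->nfail < MAX_FAILURES) r->fail_at[r->nfail++] = now;
    if (r->nfail < MAX_FAILURES) return 0;
    r->locked_until = now + LOCKOUT_SECS;         /* limit hit: lock and reset the window */
    r->nfail = 0;
    return 1;
}
/* Call after a correct password: success clears the failure history. */
void auth_succeeded(const char *user) {
    struct attempt_record *r = lookup(user);
    if (r) r->nfail = 0;
}
```

A module would call auth_allowed() before the password comparison and auth_failed() or auth_succeeded() after it; the time parameter is passed in so the logic can be tested without waiting for real clock time.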