dcsimg

Apache Guide: Apache Authentication, Part 1 Page 3

By Rich Bowen (Send Email)
Posted Jul 24, 2000


There are two sets of Perl modules available for managing your password files and group files with Perl.

The first one, which is probably the recommended one, is the HTTPD-User-Manage package, which you can obtain from CPAN (http://www.cpan.org/modules/by-module/HTTPD/), allows you to manage a variety of authentication files on a variety of web servers. It is extremely full-featured and lets you do all the sorts of things that you expect to be able to do. These modules were written by Lincoln Stein and Doug MacEachern.

The other set of modules I really only mention as shameless self-promotion. Apache::Htpasswd, by Kevin Meltzer, and Apache::Htgroup, by me, provide a simpler interface to managing password and group files specifically for Apache. These modules are also available on CPAN.

What Other Neat Stuff Can I Do?

Authentication by username and password is only part of the story. Frequently you want to let people in based on something other than who they are. Something such as where they are coming from.

The allow and deny directives let you allow and deny access based on the host name, or host address, of the machine requesting a document. The directive goes hand-in-hand with these is the order directive, which tells Apache in which order to apply the filters.

The usage of these directives is:


       allow from address

where address is an IP address (or a partial IP address) or a fully qualified domain name (or a partial domain name).

For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:

       deny from 205.252.46.165

Visitors coming from that address will not be able to see the content behind this directive. If, instead, you have a machine name, rather than an IP address, you can use that:

       deny from dc.numbersusa.com

And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

        deny from 192.101.205
        deny from cyberthugs.com
        deny from ke

Using order will let you be sure that you are actually restricting things to the group that you want to let in, by combining a deny and an allow directive:

        order deny,allow
        deny from all
        allow from dev.rcbowen.com

Listing just the allow directive would not do what you want, because it will let folks from that host in, in addition to letting everyone in. What you want is to let only those folks in.

More Information

You should also read the documentation for mod_auth (http://www.apache.org/docs/mod/mod_auth.html), which contains some more information about how this all works. And the FAQ on the Apache site has some good stuff about authentication, starting at http://www.apache.org/docs/misc/FAQ.html#dnsauth.

Next Week

Next week, I'll talk about mod_auth_dbm and mod_auth_mysql, which are two ways to authenticate against a database, rather than against a text-file password list. This is much faster.

Page 3 of 3


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.