Apache Guide: Apache Authentication, Part 1 Page 3
Two sets of Perl modules are available for managing your password files and group files.
The first one, which is probably the recommended one, is the
HTTPD-User-Manage package, which you can obtain from CPAN (http://www.cpan.org/modules/by-module/HTTPD/).
It allows you to manage a variety of authentication files on a variety of web
servers. It is extremely full-featured and lets you do all the sorts of things
that you expect to be able to do. These modules were written by Lincoln Stein
and Doug MacEachern.
The other set of modules I really only mention as shameless self-promotion.
Apache::Htpasswd, by Kevin Meltzer, and
Apache::Htgroup, by me, provide a simpler interface for managing
password and group files specifically for Apache. These modules are also
available on CPAN.
Authentication by username and password is only part of the story. Frequently you want to let people in based on something other than who they are, such as where they are coming from.
The allow and deny directives let you allow and
deny access based on the host name, or host address, of the machine requesting
a document. The directive that goes hand-in-hand with these is the
order directive, which tells Apache in which order to apply the
The usage of these directives is:
allow from address
where address is an IP address (or a partial IP address) or a fully qualified domain name (or a partial domain name).
For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:
deny from 18.104.22.168
Visitors coming from that address will not be able to see the content behind this directive. If, instead, you have a machine name, rather than an IP address, you can use that:
deny from dc.numbersusa.com
And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:
deny from 192.101.205
deny from cyberthugs.com
deny from ke
Using order will let you be sure that you are actually restricting things to the group that you want to let in, by combining a deny and an allow directive:
order deny,allow
deny from all
allow from dev.rcbowen.com
Listing just the allow directive would not do what you want, because it would let folks from that host in, in addition to letting everyone else in. What you want is to let only those folks in.
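The effect of order on the examples above can be checked with a small model, added here as an example (it is not from the original article and is not Apache's code). It assumes the mod_access default of order deny,allow when no order line is given, takes the client's host name as already resolved, and handles only the address forms described above; the client addresses and the example.ke and example.org names are constructed.

```python
# Added example: a model of mod_access order/allow/deny evaluation.
def matches(spec, ip, host):
    """True if one 'allow from' / 'deny from' argument matches the client."""
    spec = spec.lower()
    if spec == "all":
        return True
    if spec.replace(".", "").isdigit():
        # Full or partial IP address: compare whole octets only.
        want = spec.rstrip(".").split(".")
        return ip.split(".")[:len(want)] == want
    # Full or partial domain name: compare whole trailing labels only.
    host = (host or "").lower()
    suffix = spec.lstrip(".")
    return host == suffix or host.endswith("." + suffix)

def allowed(order, allow, deny, ip, host=None):
    """Combine the allow and deny lists the way the order directive does."""
    hit_allow = any(matches(s, ip, host) for s in allow)
    hit_deny = any(matches(s, ip, host) for s in deny)
    if order == "deny,allow":
        # deny is applied first, allow overrides it; no match means allowed.
        return hit_allow or not hit_deny
    if order == "allow,deny":
        # allow is applied first, deny overrides it; no match means denied.
        return hit_allow and not hit_deny
    raise ValueError("unknown order: " + order)

CLIENTS = [  # (address, resolved host name); constructed sample clients
    ("10.0.0.5", "dev.rcbowen.com"),
    ("192.101.205.7", "host.cyberthugs.com"),
    ("203.0.113.9", "mail.example.ke"),
    ("198.51.100.4", "www.example.org"),
]
CONFIGS = {
    "restricted": dict(order="deny,allow", deny=["all"], allow=["dev.rcbowen.com"]),
    # allow alone, assuming the default order deny,allow: nobody is denied.
    "allow_only": dict(order="deny,allow", deny=[], allow=["dev.rcbowen.com"]),
    "blocklist": dict(order="deny,allow", allow=[],
                      deny=["192.101.205", "cyberthugs.com", "ke"]),
}

def demo():
    """Decision per client, in CLIENTS order, for each configuration."""
    return {name: [allowed(ip=ip, host=host, **cfg) for ip, host in CLIENTS]
            for name, cfg in CONFIGS.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Only the restricted configuration keeps www.example.org out; with allow alone every client is let in, which is the mistake the paragraph above describes.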
You should also read the documentation for mod_auth (http://www.apache.org/docs/mod/mod_auth.html), which contains some more information about how this all works. And the FAQ on the Apache site has some good stuff about authentication, starting at http://www.apache.org/docs/misc/FAQ.html#dnsauth.
Next week, I'll talk about
mod_auth_mysql, which are two ways to authenticate against a database, rather than against a text-file password list. This is much faster.