Securing Your Web Pages with Apache Page 5

Since the username and password are so trivially protected in the Basic authentication mechanism, the same authentication database can be used to store user information for multiple realms. The Digest mechanism, though, includes an encoding of the realm for which the credentials are valid, so you must have a separate credentials database for each realm using the Digest method.

When setting up discretionary controls in your Apache configuration, remember that the AuthType directive is required. The setting can be inherited from a higher-level directory or location, but something must set the value to be inherited; there is no default.

Mixing Mandatory and Discretionary Controls -- The Satisfy Directive

Sometimes you want to mix and match discretionary and non-discretionary access controls, such as allowing anyone on the local network to see documents freely, but requiring anyone else to enter a username and password.

This can be done with the Satisfy directive, which takes a single keyword:

All

In order to gain access to documents within the scope of a Satisfy All directive, a client must pass both any applicable non-discretionary controls (such as Allow or Deny directives) and any discretionary ones (like Require directives).

Any

Documents within the scope of a Satisfy Any directive are accessible to any clients that either pass the non-discretionary check (which occur first) or the discretionary ones

To illustrate, the following would permit any client on the local network (IP addresses 10.*.*.*) to access the foo.html page without let or hindrance, but require a username and password for anyone else:

  
    <Files foo.html>
        Order Deny,Allow
        Deny from All
        Allow from 10.0.0.0/255.0.0.0
        AuthName "Insiders Only"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/.htpasswd-foo
        Require valid-user
        Satisfy Any
    </Files>
  

   
  
Restricting by IP Address
  


  Since the IP address is one of those aspects of a client-server
  HTTP relationship that cannot be changed mid-stream, and cannot
  be easily faked (without the cooperation of the intervening
  network systems), it's considered a non-discretionary control.
  The Apache distribution includes a module for limiting access
  thusly, called mod_access.
  
  


  mod_access allows you to specify what domains
  or addresses should or should not be allowed access, and in which order
  the two lists (allowed and denied) should be evaluated.  The basic
  syntax of the Allow and Deny directives is
  
  
    Allow from host-or-network
  
  


  The host-or-network can be:
  
  


   

a host or domain name (www.foo.com),
   

an IP address (10.0.72.3),
   

an IP address and subnet mask (10.0.0.0/255.0.0.0), or
   

an IP address and CIDR mask size (10.73.128.0/18)