Securing Your Web Pages with Apache Page 6
Whenever possible you should use IP addresses instead of domain names; using names means that the Apache server needs to do a double-reverse lookup on them to make the translation to the IP address of the client. (A double-reverse lookup, which is always done by Apache when dealing with host names in security-related situations, involves translating the name to an IP address, and then translating that IP address back to a list of names. If the translations don't work in both directions, Apache will consider the host/domain name match to have failed.)
As an added fillip, an alternate form of the Allow and Deny directives allows you to make the go/no-go decision based upon the presence (or absence) of an environment variable. The envariable may have been set for the entire server environment, or it may have been set just for the current request by a module such as
The Order directive controls how the cumulative Allow and Deny directives are interpreted. If the order is Allow,Deny (note that no spaces are permitted between the keywords!), then the initial state is the equivalent of Deny from All, the Allow conditions are processed, and then the Deny list is. For Deny,Allow the opposite is the case -- the initial state is 'allow everyone,' then denials are handled, and then the allows are used to override
The easy way to remember the default state is to recall that it matches the last keyword: Deny,Allow means 'allowed,' Allow,Deny means 'denied.'
There is a third possibility for the Order directive: mutual-failure. With this keyword, there is no 'default state' -- the only clients that will be allowed in are those that don't appear on any Deny directive, but do appear on at least one Allow directive.
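The three Order settings described above, modelled in Python as an added example (not code from the original article or from Apache). The function names and the sample addresses are constructed for illustration, and only "all" and IP/CIDR specifications are handled.

```python
import ipaddress

# Added illustration: access_allowed() and decision_table() are hypothetical
# names, not Apache APIs. Only "all" and IP/CIDR specs are modelled.

ORDERS = ("Allow,Deny", "Deny,Allow", "mutual-failure")

def _matches(client, specs):
    """True if the client address falls inside any spec in the list."""
    ip = ipaddress.ip_address(client)
    return any(
        s.lower() == "all" or ip in ipaddress.ip_network(s, strict=False)
        for s in specs
    )

def access_allowed(order, allow, deny, client):
    """Apply the Order rules from the text to one client address."""
    key = order.lower()
    if key not in (o.lower() for o in ORDERS):
        # "Allow, Deny" (with a space) lands here: no spaces between keywords.
        raise ValueError("unrecognised Order value: %r" % order)
    on_allow = _matches(client, allow)
    on_deny = _matches(client, deny)
    if key == "deny,allow":
        # Initial state 'allow everyone'; denials apply, then allows override.
        return on_allow or not on_deny
    # Allow,Deny: initial state 'Deny from All', allows apply, then denials.
    # mutual-failure: on at least one Allow and on no Deny.
    # Both reduce to the same test.
    return on_allow and not on_deny

def decision_table(allow, deny, clients):
    """Decision for every (order, client) pair, to compare the orders."""
    return {
        order: {c: access_allowed(order, allow, deny, c) for c in clients}
        for order in ORDERS
    }

# Constructed sample (documentation address ranges).
ALLOW = ["192.0.2.0/24"]
DENY = ["192.0.2.66"]
CLIENTS = ["192.0.2.10", "192.0.2.66", "198.51.100.7"]

if __name__ == "__main__":
    for order, row in decision_table(ALLOW, DENY, CLIENTS).items():
        print(order, row)
```

The client that appears on both lists (192.0.2.66) is the one whose fate depends on the order: it is admitted under Deny,Allow and refused under the other two, while the client on neither list is admitted only under Deny,Allow.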
Restricting by User Credentials
If you want to protect pages such that visitors need to enter a username and password, the mod_auth module is your tool. It is one of the simplest and easiest to use of the discretionary control modules.
The key directives in establishing access controls are those that define the location of the credential database and identify the authorised users. For mod_auth, the directives in question are AuthUserFile and Require. Other modules have similar directives.
The AuthUserFile directive simply takes a fully-specified filename path and tells the module where to find the text authentication file for the module to use in the current realm. No path-shortening nor relative file specifications are permitted.
The Require directive is actually part of the core server rather than being specific to mod_auth, so it's documented (however sparsely) at
Require is covered in more detail shortly.