Securing Your Web Pages with Apache Page 7
Different URLs within a realm can be protected in different ways, with different sets of credentials being valid for different locations. However, since the realm is the key the client uses to remember which credentials to send, being liberal about using multiple sets of credentials within the same realm tends to annoy users, who then have to re-authenticate repeatedly for what looks like (and in fact is) the same realm. It's generally a good idea to have a one-to-one relationship between realms and sets of authorised credentials.
But how do you turn on access control in the first place? Just as you apply any other Apache directive: by having the directives appear in the appropriate scope. For example:
    <Directory /usr/local/web/htdocs/finance>
        AuthName Finance
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require valid-user
    </Directory>
This will protect the finance subdirectory and all files and subdirectories in it and below it. Other directories, such as products, remain unaffected.
<Directory> containers are all very well, but what if you want to protect only a single file? Or perhaps a document that isn't mapped to the filesystem, like the output from mod_status? The answer remains the same: use the appropriate scoping directives (such as <Location>) to apply the security measures to the items you want protected.
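As an added example (not from the original article), here is how the same directives apply to those two cases: a single file, and a mod_status report that has no file behind it. The directory paths, the password files, the filename secret-report.html and the URL /server-status are all assumptions chosen for illustration; mod_status must be loaded for the second block to serve anything.

```apache
# Added example: protect one file by nesting <Files> inside the <Directory>
# it lives in, so the match is limited to that directory rather than to
# every file of that name anywhere on the server.
# Paths and the filename are assumptions for illustration.
<Directory /usr/local/web/htdocs/finance>
    <Files secret-report.html>
        AuthName "Finance Department"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require valid-user
    </Files>
</Directory>

# mod_status output is not a file on disk, so <Directory> and <Files>
# can never match it; <Location> scopes by URL path instead.
# The URL /server-status and the .htpasswd-admin file are assumptions;
# server-status is mod_status's own handler name.
<Location /server-status>
    SetHandler server-status
    AuthName "Server Status"
    AuthType Basic
    AuthUserFile /usr/local/web/apache/auth/.htpasswd-admin
    Require valid-user
</Location>
```

Two points to check when using these: <Location> matches the URL the client asked for, not the document that ends up being served, so if the same content is reachable under a second URL (through an Alias, say) that second URL is unprotected unless it also falls inside a protected scope. Conversely, a <Files> container placed outside any <Directory> applies to every file of that name on the whole server, which is why the example nests it.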
Like almost all other Apache configuration details, the security directives that apply to a particular document or directory may be inherited from the parent, or possibly even further up the tree. This means that at each level you need only supply those directives that are different. The following two fragments are equivalent:

    <Directory /usr/local/web/htdocs/finance>
        AuthName "Finance Department"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require valid-user
    </Directory>

    <Directory /usr/local/web/htdocs/finance/strategy>
        AuthName "Finance Department"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require user susan bob
    </Directory>

and

    <Directory /usr/local/web/htdocs/finance>
        AuthName "Finance Department"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require valid-user
    </Directory>

    <Directory /usr/local/web/htdocs/finance/strategy>
        Require user susan bob
    </Directory>
The second fragment takes advantage of the inheritance of the values from the parent directory, and simply restricts the access list to only Bob and Susan.
It's generally not a good idea to make too many assumptions when dealing with security matters. Inheritance can seem to make your life easier by sparing you from duplicating directives all over the place, but that ease can be an illusion: a single mistake at a higher level is inherited by everything below it, and every protected document under that point is compromised at once.
A related subject is determining which of possibly several access control modules has the final say on whether access is granted or not. This is covered in a later section.
Requiring a Specific Username