ServersSecuring Your Web Pages with Apache Page 7

Securing Your Web Pages with Apache Page 7

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.




Different URLs within a realm can be protected in different ways,
with different sets of credentials being valid for different locations.
However, since the realm is the key the client uses to remember
which credentials to send, being egregious about using multiple
sets of credentials within the same realm tends to annoy users
when they have to re-authenticate repeatedly for what looks like
(and in fact is) the same realm. It’s generally a good idea to
have a one-to-one relationship between realms and sets of
authorised credentials.

But how do you turn on access control in the first place?
Just as you apply any other Apache directive: by having the
directives appear in the appropriate scope. For example:

  
    
        AuthName Finance
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require valid-user
    

This will protect the finance subdirectory and all
files and subdirectories in it any below it. Other directories,
such as products, remain unaffected.

containers are all very well, but what
if you want to protect only a single file? Or perhaps a document
that isn't mapped to the filesystem, like the output from
mod_status? The answer remains the same: use the
appropriate scoping directives (such as
and ) to apply the security measures
to the items you want protected.

Inheritance

Like almost all other Apache configuration details, the security
directives that apply to a particular document or directoy may be
inherited from the parent, or possibly even further up the tree.
This means that at each level you need only supply those directives that
are different. The following two fragments are equivalent:

    
        AuthName "Finance Department"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require valid-user
    
        AuthName "Finance Department"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require user susan bob
    
        AuthName "Finance Department"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/auth/.htpasswd-finance
        Require valid-user
    

    
        Require user susan bob
    

The second fragment takes advantage of the inheritance of the
values from the parent directory, and simply restricts the access
list to only Bob and Susan.

It's generally not a good idea to make too many assumptions when
dealing with security matters, so even though inheritance can seem
to make your life easier by not requiring you to duplicate
directives all over the place, this might be an illusion. Just
wait until you see how complicated your life becomes when all the
inherited values become compromised because of a single mistake
at a higher level.

A related subject involves determining which of possibly several
access control modules has the Final Say on whether access is
granted or not. This is covered in a
later section.

Requiring a Specific Username

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends & analysis

Latest Posts

Related Stories