Apache Guide: Apache Authentication, Part 1 (Page 3)

There are two sets of Perl modules available for managing your password
files and group files.

The first, and probably the recommended one, is the HTTPD-User-Manage
package, which you can obtain from CPAN (http://www.cpan.org/modules/by-module/HTTPD/).
It lets you manage a variety of authentication files on a variety of web
servers. It is extremely full-featured and lets you do all the sorts of things
that you expect to be able to do. These modules were written by Lincoln Stein
and Doug MacEachern.

The other set of modules I really only mention as shameless self-promotion.
Apache::Htpasswd, by Kevin Meltzer, and
Apache::Htgroup, by me, provide a simpler interface to managing
password and group files specifically for Apache. These modules are also
available on CPAN.

What Other Neat Stuff Can I Do?

Authentication by username and password is only part of the story.
Frequently you want to let people in based on something other than who they
are, such as where they are coming from.

The allow and deny directives let you allow and
deny access based on the host name, or host address, of the machine requesting
a document. The directive that goes hand-in-hand with these is the
order directive, which tells Apache in which order to apply the two
filters, and therefore which one wins when both match.

The usage of these directives is:

       allow from address
       deny from address

where address is an IP address (or a partial IP address), a fully
qualified domain name (or a partial domain name), or the keyword all.

For example, if you have someone spamming your message board, and you want
to keep them out, you could do the following:

       deny from 205.252.46.165

Visitors coming from that address will not be able to see the content behind
this directive. If, instead, you have a machine name, rather than an IP
address, you can use that:

       deny from dc.numbersusa.com

And, if you'd like to block access from an entire network or domain, you can
specify just part of an address or domain name. A partial IP address matches
from the left (the leading octets), and a partial domain name matches from the
right (whole trailing components of the host name), so the last line below
blocks every host under .ke:

        deny from 192.101.205
        deny from cyberthugs.com
        deny from ke

Using order lets you make sure that you are actually
restricting access to the group that you want to let in, by combining a
deny and an allow directive:

        order deny,allow
        deny from all
        allow from dev.rcbowen.com

Listing just the allow directive would not do what you want:
it lets folks from that host in, but since nobody has been denied, it also
lets everyone else in. What you want is to let only those folks in.

More Information

You should also read the documentation for mod_auth (http://www.apache.org/docs/mod/mod_auth.html),
which contains more information about how this all works. The FAQ on
the Apache site also has some good material about authentication, including
host-name-based access control, starting at
http://www.apache.org/docs/misc/FAQ.html#dnsauth.

Next week, I'll talk about mod_auth_dbm and
mod_auth_mysql, which are two ways to authenticate against a
database rather than against a text-file password list. This is much faster.
