There are two sets of Perl modules available for managing your password
files and group files with Perl.

The first one, which is probably the recommended one, is the
HTTPD-User-Manage package, which you can obtain from CPAN
(http://www.cpan.org/modules/by-module/HTTPD/). It allows you to manage a
variety of authentication files on a variety of web servers. It is extremely
full-featured and lets you do all the sorts of things that you expect to be
able to do. These modules were written by Lincoln Stein and Doug MacEachern.

The other set of modules I really only mention as shameless self-promotion.
Apache::Htpasswd, by Kevin Meltzer, and Apache::Htgroup, by me, provide a
simpler interface to managing password and group files specifically for
Apache. These modules are also available on CPAN.

What Other Neat Stuff Can I Do?

Authentication by username and password is only part of the story.
Frequently you want to let people in based on something other than who they
are, such as where they are coming from.

The allow and deny directives let you allow and deny access based on the
host name, or host address, of the machine requesting a document. The
directive that goes hand-in-hand with these is the order directive, which
tells Apache in which order to apply the filters.

The usage of these directives is:

    allow from address

where address is an IP address (or a partial IP address) or a fully
qualified domain name (or a partial domain name).

For example, if you have someone spamming your message board, and you want
to keep them out, you could do the following:

    deny from 205.252.46.165

Visitors coming from that address will not be able to see the content behind
this directive. If, instead, you have a machine name, rather than an IP
address, you can use that:

    deny from dc.numbersusa.com

And, if you'd like to block access from an entire domain, you can specify
just part of an address or domain name:

    deny from 192.101.205
    deny from cyberthugs.com
    deny from ke

Using order will let you be sure that you are actually restricting things to
the group that you want to let in, by combining a deny and an allow
directive:

    order deny,allow
    deny from all
    allow from dev.rcbowen.com

Listing just the allow directive would not do what you want, because it will
let folks from that host in, in addition to letting everyone in. What you
want is to let only those folks in.

More Information

You should also read the documentation for mod_auth
(http://www.apache.org/docs/mod/mod_auth.html), which contains some more
information about how this all works. And the FAQ on the Apache site has
some good stuff about authentication, starting at
http://www.apache.org/docs/misc/FAQ.html#dnsauth.

Next Week

Next week, I'll talk about mod_auth_dbm and mod_auth_mysql, which are two
ways to authenticate against a database, rather than against a text-file
password list. This is much faster.
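
Going back to the order, allow and deny directives covered earlier: the following is an added example, not code from the original article or from Apache, that models how the three directives combine and why an allow line on its own restricts nothing. The function names and client addresses are constructed for illustration, and the client's host name is assumed to be already resolved.

```python
# Added model of Apache's order/allow/deny evaluation (not Apache's own code).

def matches(spec, ip, host):
    """True if one allow/deny address spec covers the client (ip, host)."""
    if spec == "all":
        return True
    if spec.replace(".", "").isdigit():        # full or partial IP address
        octets = spec.rstrip(".").split(".")
        return ip.split(".")[:len(octets)] == octets
    # Full or partial domain name: only whole trailing labels match.
    spec, host = spec.lower().lstrip("."), (host or "").lower()
    return host == spec or host.endswith("." + spec)

def access_allowed(order, rules, ip, host=None):
    """rules is a list of (directive, spec) pairs, e.g. ("deny", "all")."""
    allowed = any(d == "allow" and matches(s, ip, host) for d, s in rules)
    denied = any(d == "deny" and matches(s, ip, host) for d, s in rules)
    if order == "deny,allow":    # default allow; an allow match beats a deny
        return allowed or not denied
    if order == "allow,deny":    # default deny; a deny match beats an allow
        return allowed and not denied
    raise ValueError("unknown order: " + order)

# Constructed clients as (ip, resolved host name); host is assumed to be
# already resolved and verified by the server.
DEV = ("10.1.2.3", "dev.rcbowen.com")
OTHER = ("203.0.113.9", "www.example.net")

RESTRICTED = [("deny", "all"), ("allow", "dev.rcbowen.com")]   # from the article
ALLOW_ONLY = [("allow", "dev.rcbowen.com")]                    # the mistake
BLOCKLIST = [("deny", "192.101.205"), ("deny", "cyberthugs.com"),
             ("deny", "ke")]

if __name__ == "__main__":
    for label, rules in (("deny all + allow", RESTRICTED),
                         ("allow only", ALLOW_ONLY)):
        for ip, host in (DEV, OTHER):
            verdict = access_allowed("deny,allow", rules, ip, host)
            print(f"{label:17} {host:16} -> {'allowed' if verdict else 'denied'}")
```

Under order allow,deny the default flips to deny, so the allow-only list would admit dev.rcbowen.com and nobody else.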