Since the username and password are so trivially protected in the
Basic authentication mechanism, the same authentication database can
be used to store user information for multiple realms. The
Digest mechanism, though, includes an encoding of the realm for
which the credentials are valid, so you must have a separate
credentials database for each realm using the Digest method.
When setting up discretionary controls in your Apache configuration,
remember that the AuthType
directive is
required. The setting can be inherited from a higher-level
directory or location, but something must set the value to be
inherited; there is no default.
Mixing Mandatory and Discretionary Controls — The
Satisfy
Directive
Sometimes you want to mix and match discretionary and non-discretionary
access controls, such as allowing anyone on the local network to
see documents freely, but requiring anyone else to enter a username
and password.
This can be done with the Satisfy
directive, which takes
a single keyword:
All
- In order to gain access to documents within the scope of a
Satisfy All
directive, a client must
pass both any applicable non-discretionary controls (such
asAllow
orDeny
directives) and
any discretionary ones (likeRequire
directives). Any
- Documents within the scope of a
Satisfy Any
directive are accessible to any clients that either pass the
non-discretionary check (which occur first) or the
discretionary ones
To illustrate, the following would permit any client on the
local network (IP addresses 10.*.*.*) to access the foo.html
page without let or hindrance, but require a username and password
for anyone else:
Order Deny,Allow Deny from All Allow from 10.0.0.0/255.0.0.0 AuthName "Insiders Only" AuthType Basic AuthUserFile /usr/local/web/apache/.htpasswd-foo Require valid-user Satisfy AnyRestricting by IP Address
Since the IP address is one of those aspects of a client-server
HTTP relationship that cannot be changed mid-stream, and cannot
be easily faked (without the cooperation of the intervening
network systems), it's considered a non-discretionary control.
The Apache distribution includes a module for limiting access
thusly, calledmod_access
.
mod_access
allows you to specify what domains
or addresses should or should not be allowed access, and in which order
the two lists (allowed and denied) should be evaluated. The basic
syntax of theAllow
andDeny
directives isAllow from host-or-networkThe
host-or-network
can be:
-
a host or domain name (
www.foo.com
), -
an IP address (
10.0.72.3
), -
an IP address and subnet mask (
10.0.0.0/255.0.0.0
), or -
an IP address and CIDR mask size (
10.73.128.0/18
)