Whenever possible you should use IP addresses instead of domain names;
using names means that the Apache server needs to do a double-reverse
lookup on them to make the translation to the IP address of the
client. (A double-reverse lookup, which is always done
by Apache when dealing with host names in security-related
situations, involves translating the name to an IP address,
and then translating that IP address back to a list of names. If
the translations don’t work in both directions, Apache will consider
the host/domain name match to have failed.)
As an added fillip, an alternate form of the Allow and Deny directives,
“from env=[!]envariable-name”, allows you to make the go/no-go decision
based upon the presence (or absence) of an environment variable. The
envariable may have been set for the entire server environment, or it
may have been set just for the current request by a module such as
mod_setenvif.
The Order directive controls how the cumulative lists of Allow and Deny
directives are interpreted. If the order is Allow,Deny (note that no
spaces are permitted between the keywords!), then the initial state is
the equivalent of Deny from All, the Allow conditions are processed, and
then the Deny list is. For Order Deny,Allow, the opposite is the case —
the initial state is ‘allow everyone,’ then denials are handled, and
then the allows are used to override them.
The easy way to remember the default state is to recall that it matches
the last keyword: Deny,Allow means ‘allowed,’ and Allow,Deny means
‘denied.’
There is a third possibility for the Order directive: mutual-failure.
With this keyword, there is no ‘default state’ — the only clients that
will be allowed in are those that don’t appear on any Deny directive,
but do appear on at least one Allow directive.
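To make the three Order keywords and the “from env=” form concrete, here is an added example (it is not code from the original article or from Apache): a small simulator that parses a directive block and applies the evaluation order described above to one request. It deliberately leaves host names out so it runs offline; operands are “all”, a full or partial dotted IPv4 address, or env=NAME / env=!NAME. The directive blocks and addresses are constructed samples.

```python
# Added example (not from the original article): a simulator of the Apache 1.3
# mod_access "Order" / "Allow from" / "Deny from" evaluation described above,
# including the "from env=[!]name" form. Host names are left out so it runs
# offline; operands are "all", partial or full dotted IPv4 addresses, or
# env=NAME / env=!NAME. All directive blocks below are constructed samples.


def _operand_matches(spec, client_ip, env):
    """True if one Allow/Deny operand applies to this request."""
    if spec.lower() == "all":
        return True
    if spec.startswith("env="):
        name = spec[len("env="):]
        # "env=!name" matches when the variable is absent
        if name.startswith("!"):
            return name[1:] not in env
        return name in env
    # A partial IP such as "10.1" matches every address beginning 10.1.
    want = spec.rstrip(".").split(".")
    have = client_ip.split(".")
    return have[:len(want)] == want


def parse_block(text):
    """Collect the Order keyword and the Allow/Deny operands from a block."""
    order, allows, denies = "deny,allow", [], []   # Apache's default Order
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "order" and len(parts) > 1:
            order = parts[1].lower()               # no spaces inside "Allow,Deny"
        elif keyword in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allows if keyword == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def decide(text, client_ip, env=frozenset()):
    """Return True when the request is admitted under the block's Order."""
    order, allows, denies = parse_block(text)
    allow_hit = any(_operand_matches(s, client_ip, env) for s in allows)
    deny_hit = any(_operand_matches(s, client_ip, env) for s in denies)
    if order == "allow,deny":
        state = False                 # initial state: Deny from all
        if allow_hit:
            state = True              # Allow list processed first
        if deny_hit:
            state = False             # then the Deny list overrides
        return state
    if order == "deny,allow":
        state = True                  # initial state: allow everyone
        if deny_hit:
            state = False             # denials handled first
        if allow_hit:
            state = True              # allows override them
        return state
    if order == "mutual-failure":
        return allow_hit and not deny_hit   # no default state at all
    raise ValueError("unknown Order keyword: %r" % order)


# Constructed sample blocks (the addresses are documentation ranges).
ALLOW_DENY_BLOCK = """
Order Allow,Deny
Allow from 10.1
Deny from 10.1.2
"""

DENY_ALLOW_BLOCK = """
Order Deny,Allow
Deny from all
Allow from env=trusted_client
"""

MUTUAL_BLOCK = """
Order mutual-failure
Allow from 10.1
Deny from 10.1.2
"""

if __name__ == "__main__":
    for ip in ("10.1.1.5", "10.1.2.7", "192.0.2.1"):
        print(ip, decide(ALLOW_DENY_BLOCK, ip), decide(MUTUAL_BLOCK, ip))
    print("env absent: ", decide(DENY_ALLOW_BLOCK, "192.0.2.1"))
    print("env present:", decide(DENY_ALLOW_BLOCK, "192.0.2.1", {"trusted_client"}))
```

Running it shows the rule of thumb from the text in action: with Allow,Deny a client on neither list is refused, with Deny,Allow it is admitted. It also shows that, because Allow,Deny ends with the Deny list, its outcomes coincide with mutual-failure for every block; that is the behaviour Apache’s own documentation describes for the two keywords, so the difference is one of wording rather than of result.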
Restricting by User Credentials
If you want to protect pages such that visitors need to enter a username
and password, the mod_auth module is your tool. It is one of the simplest
and easiest to use of the discretionary control modules.
The key directives in establishing access controls are those that define
the location of the credential database and identify the authorised
users. For mod_auth, the directives in question are AuthUserFile and
Require. Other modules have similar directives.
The AuthUserFile directive simply takes a fully-specified filename path
(such as /home/foo/.htpasswd-foo), which tells the module where to find
the text authentication file for the module to use in the current realm.
No path-shortening nor relative file specifications are permitted.
The Require directive is actually part of the core server rather than
being specific to mod_auth, so it’s documented (however sparsely) at
<http://www.apache.org/docs/mod/core.html#require>. Require is covered in
more detail shortly.
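As an added illustration of how the realm file named by AuthUserFile is consulted (example code written for this page, not part of the original article or of Apache’s own mod_auth), the following checks a username and password against an htpasswd-style file and then applies a Require directive. It assumes the file uses the “{SHA}” entry format that htpasswd -s writes (user:{SHA}base64(sha1(password))) and that Require is either valid-user or a “user name…” list; the file contents are constructed in the code rather than read from a path such as /home/foo/.htpasswd-foo.

```python
# Added example (not from the original article): consulting a mod_auth-style
# AuthUserFile and applying Require. Assumptions: entries are in the "{SHA}"
# format htpasswd -s produces, and Require is "valid-user" or "user name...".
# The realm file below is constructed inline instead of being read from disk.
import base64
import hashlib
import hmac


def make_entry(user, password):
    """Produce one AuthUserFile line in htpasswd -s ({SHA}) form."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))


def load_user_file(text):
    """Parse AuthUserFile text into {user: stored_hash}; blanks and comments skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def password_ok(stored, password):
    """Verify a password against a {SHA} entry using a constant-time compare."""
    if not stored.startswith("{SHA}"):
        return False        # other htpasswd formats are out of scope here
    expected = stored[len("{SHA}"):].encode("ascii", "replace")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(base64.b64encode(digest), expected)


def authorise(user_file_text, require, user, password):
    """Authenticate against the realm file, then apply the Require directive."""
    users = load_user_file(user_file_text)
    stored = users.get(user)
    if stored is None or not password_ok(stored, password):
        return False                          # authentication failed
    parts = require.split()
    if parts == ["valid-user"]:
        return True                           # any authenticated user
    if parts and parts[0] == "user":
        return user in parts[1:]              # only the listed users
    return False                              # unsupported Require form


# Constructed realm file, equivalent to two "htpasswd -s" runs.
AUTH_USER_FILE = "\n".join([
    "# users for the /private realm (constructed sample)",
    make_entry("alice", "correct horse battery staple"),
    make_entry("bob", "hunter2"),
])

if __name__ == "__main__":
    print(authorise(AUTH_USER_FILE, "valid-user", "alice", "correct horse battery staple"))
    print(authorise(AUTH_USER_FILE, "user alice", "bob", "hunter2"))
```

The {SHA} form is used here only because it can be checked with the standard library alone; it is an unsalted digest, so in practice the salted formats htpasswd offers are the better choice for a real realm file. Note also that authentication (is the password right?) and authorisation (does Require admit this user?) are separate steps, which is why a correct password for bob still fails against Require user alice.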