Securing Your Web Pages with Apache Page 5
Since the username and password are so trivially protected in the Basic authentication mechanism, the same authentication database can be used to store user information for multiple realms. The Digest mechanism, though, includes an encoding of the realm for which the credentials are valid, so you must have a separate credentials database for each realm using the Digest method.
When setting up discretionary controls in your Apache configuration, remember that the AuthType directive is required. The setting can be inherited from a higher-level directory or location, but something must set the value to be inherited; there is no default.
Mixing Mandatory and Discretionary Controls -- The
Sometimes you want to mix and match discretionary and non-discretionary access controls, such as allowing anyone on the local network to see documents freely, but requiring anyone else to enter a username and password.
This can be done with the Satisfy directive, which takes a single keyword:
- In order to gain access to documents within the scope of a Satisfy All directive, a client must pass both any applicable non-discretionary controls (such as Deny directives) and any discretionary ones (like
- Documents within the scope of a Satisfy Any directive are accessible to any clients that either pass the non-discretionary checks (which occur first) or the discretionary ones.
To illustrate, the following would permit any client on the local network (IP addresses 10.*.*.*) to access the page without let or hindrance, but require a username and password for anyone else:
    <Files foo.html>
        Order Deny,Allow
        Deny from All
        Allow from 10.0.0.0/255.0.0.0
        AuthName "Insiders Only"
        AuthType Basic
        AuthUserFile /usr/local/web/apache/.htpasswd-foo
        Require valid-user
        Satisfy Any
    </Files>
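The decision that this configuration produces can be modelled in a few lines of Python. This is an added example, not part of the original article and not Apache's own code; the function names and the sample client addresses are made up for illustration, and the Order rules follow the documented mod_access behaviour.

```python
import ipaddress

def host_check(client_ip, order, allow, deny):
    """Model of the mod_access host check (the non-discretionary control)."""
    ip = ipaddress.ip_address(client_ip)

    def matches(specs):
        # Each spec is "All" or a network such as 10.0.0.0/255.0.0.0 or 10.0.0.0/8.
        return any(s.lower() == "all" or ip in ipaddress.ip_network(s)
                   for s in specs)

    allowed, denied = matches(allow), matches(deny)
    if order == "Deny,Allow":
        # Deny is evaluated first and Allow can override it; no match means allow.
        return allowed or not denied
    if order == "Allow,Deny":
        # Allow is evaluated first and Deny can override it; no match means deny.
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")

def access_granted(client_ip, credentials_valid, satisfy, policy):
    """Combine the host check with the outcome of 'Require valid-user'."""
    host_ok = host_check(client_ip, **policy)
    if satisfy == "Any":
        # Either control is enough, so local clients never see a password prompt.
        return host_ok or credentials_valid
    if satisfy == "All":
        # Both controls must pass.
        return host_ok and credentials_valid
    raise ValueError(f"unknown Satisfy keyword: {satisfy}")

# The foo.html policy from the configuration above.
FOO_POLICY = {"order": "Deny,Allow", "deny": ["All"],
              "allow": ["10.0.0.0/255.0.0.0"]}

if __name__ == "__main__":
    # Constructed sample clients: (address, presented valid credentials).
    for ip, creds in [("10.1.2.3", False), ("192.0.2.7", False), ("192.0.2.7", True)]:
        for satisfy in ("Any", "All"):
            print(ip, creds, satisfy, access_granted(ip, creds, satisfy, FOO_POLICY))
```

Switching the keyword to All on the same policy turns the local-network exemption into an extra requirement: a valid password from outside 10.*.*.* is then refused.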
Restricting by IP Address
Since the IP address is one of those aspects of a client-server HTTP relationship that cannot be changed mid-stream, and cannot be easily faked (without the cooperation of the intervening network systems), it's considered a non-discretionary control. The Apache distribution includes a module for limiting access thusly, called mod_access. mod_access allows you to specify what domains or addresses should or should not be allowed access, and in which order the two lists (allowed and denied) should be evaluated. The basic syntax of the Allow and Deny directives is
    Allow from host-or-network
a host or domain name (
an IP address (
an IP address and subnet mask (
an IP address and CIDR mask size (