Posted in Apache, Howto, Linux, Security

Apache: conditional HTTP authentication

January 27, 2007 - 6 comments

Here is what I needed to do:
I have a virtual host (say sub.domain.be) running under the Apache web server at work that must be reachable by everybody on the local network, and also by a handful of people outside it. The main concern is security: we consider the local network trusted, while anything else is not.

So the policy is this:
- local network: unrestricted access
- foreign network (in other words "web users"): HTTP authentication

Here is the configuration I used on that virtual host:

AuthType      basic
AuthName      "Sub Domain authentication"
AuthUserFile  /var/www/virtual/.htmaster/.sub.domain.be
Require       valid-user

Satisfy       any
Order         deny,allow
Deny from     all
Allow from    192.168.100.0/24

What is interesting is the “Satisfy any” line.

http://httpd.apache.org/docs/2.0/mod/core.html#satisfy says this about it:
Access policy if both Allow and Require used. The parameter can be either All or Any. This directive is only useful if access to a particular area is being restricted by both username/password and client host address. In this case the default behavior (All) is to require that the client passes the address access restriction and enters a valid username and password. With the Any option the client will be granted access if they either pass the host restriction or enter a valid username and password. This can be used to password restrict an area, but to let clients from particular addresses in without prompting for a password.

So either the client is in the 192.168.100.0/24 range and gets unrestricted access to the virtual host, or it isn't and is asked for a username and password. Note that a client which passes the host check is never asked for credentials at all, even if it sends wrong ones.

Two things to keep in mind about the host check. First, Apache matches the address of the TCP peer: if a reverse proxy or load balancer sits in front of the virtual host, every request appears to come from the proxy and the rule will let either everybody or nobody in without a password. Second, on Apache 2.4 the Order, Allow, Deny and Satisfy directives are only provided by mod_access_compat; the native way to express the same policy is a <RequireAny> block containing "Require ip 192.168.100.0/24" and "Require valid-user".

Keep in mind that HTTP Basic authentication credentials are sent in the clear: the Authorization header is only Base64-encoded, so anyone who can see the traffic recovers the password. Force SSL on this virtual host if you want the credentials encrypted.

For more info about the "Order" directive, see the Apache mod_access documentation.
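The following Python model is an added example, not code from the original post or from Apache: it reproduces the decision Apache 2.0/2.2 make for a request under the configuration above (mod_auth_basic with "Require valid-user", mod_access with "Order"/"Allow"/"Deny", combined through "Satisfy"), and also covers the shorter "Order allow,deny" variant suggested in the comments below. The user table, the captured Authorization header and the client addresses are constructed for the example; a plain password dictionary stands in for the hashed AuthUserFile, and Allow/Deny rules are limited to "all" and CIDR networks.

```python
# Added example (not from the original post or from Apache): a model of how
# Apache 2.0/2.2 decide a request when "Satisfy" combines a Basic-auth
# "Require valid-user" with "Order"/"Allow"/"Deny" host rules.
# The user table, the Authorization header and the client addresses below
# are constructed for the example; Allow/Deny rules are limited to "all" and
# CIDR networks (Apache also accepts partial addresses and hostnames).
import base64
import ipaddress

# Stand-in for AuthUserFile. A real file produced by htpasswd stores hashed
# passwords; plain strings are used here only to keep the example short.
USERS = {"sebastien": "s3cret"}

# Constructed copy of the header a browser sends after logging in as
# sebastien / s3cret. It is Base64, not encryption: anyone who sees the
# request (no SSL) recovers the password exactly as parse_basic_authorization does.
CAPTURED_HEADER = "Basic c2ViYXN0aWVuOnMzY3JldA=="


def parse_basic_authorization(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # RFC 2617: user-id ":" password
    return (user, password) if sep else None


def host_allowed(client_ip, order, allow, deny):
    """Apply Apache's Order/Allow/Deny semantics to one client address.

    order="deny,allow": the default is allow; Deny rules are applied first and
        a matching Allow rule overrides them (the post's config, which is why
        it needs "Deny from all" to shut out the rest of the world).
    order="allow,deny": the default is deny; Allow rules are applied first and
        a matching Deny rule overrides them (the shorter variant, no "Deny from all").
    """
    ip = ipaddress.ip_address(client_ip)

    def matches(rules):
        return any(r == "all" or ip in ipaddress.ip_network(r, strict=False)
                   for r in rules)

    if order == "deny,allow":
        allowed = True
        if matches(deny):
            allowed = False
        if matches(allow):
            allowed = True
    elif order == "allow,deny":
        allowed = False
        if matches(allow):
            allowed = True
        if matches(deny):
            allowed = False
    else:
        raise ValueError("Order must be 'deny,allow' or 'allow,deny'")
    return allowed


def access_decision(client_ip, authorization, satisfy="any",
                    order="deny,allow", allow=("192.168.100.0/24",),
                    deny=("all",)):
    """Return the HTTP status Apache would answer with: 200, 401 or 403.

    The defaults reproduce the post's vhost: LAN clients pass the host check
    and are never asked for a password, everybody else must send valid
    credentials. With satisfy="all" both checks must pass.
    """
    host_ok = host_allowed(client_ip, order, allow, deny)
    creds = parse_basic_authorization(authorization)
    user_ok = creds is not None and USERS.get(creds[0]) == creds[1]

    granted = (host_ok or user_ok) if satisfy == "any" else (host_ok and user_ok)
    if granted:
        return 200
    if satisfy == "all" and not host_ok:
        return 403  # host restriction failed and no password can satisfy it
    return 401      # challenge the client with WWW-Authenticate: Basic


if __name__ == "__main__":
    print(parse_basic_authorization(CAPTURED_HEADER))       # ('sebastien', 's3cret')
    print(access_decision("192.168.100.42", None))          # LAN, no password: 200
    print(access_decision("203.0.113.9", None))             # outside, no password: 401
    print(access_decision("203.0.113.9", CAPTURED_HEADER))  # outside, valid user: 200
```

Two of the cases the model makes visible are easy to get wrong in a real config: "Order deny,allow" without "Deny from all" admits every address (the default for that order is allow), and a LAN client is let in under "Satisfy any" even when it sends a bad password, because the host check short-circuits the authentication step.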

Comments

The Adminblogger

January 27, 2007 - 12:18

Hi Sebastien,

you're right, "Satisfy any" is a nice feature in Apache.

you could still save one line by using "Order" the other way around:

order allow,deny
allow from 192.168.100.0/24

then there is no "deny from all" needed, since deny is the default policy (because it comes last in the "order" line), which will hit everything not covered by an "allow".

Wish you a nice weekend,
Marcel.

Sébastien Wains

January 27, 2007 - 13:20

Thanks again Marcel for your always useful comments!

marco

November 20, 2008 - 16:29

Sebastien,

maybe a stupid question. I have a Linux box running Apache2 behind a router. There I have installed some web applications (sql-ledger) that I would like to access from a computer not in the LAN. For this I need to open a port on the router. At this point everybody could connect.
Would it be possible to have an ACL like in SSH, so that only certain IP addresses can access the server?
If so, is this a secure option?
Thanks!

Cheers

Marco

Sébastien Wains

November 23, 2008 - 0:25

Just set up authentication as explained in the article.

For more info see http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html

Cheers

Ramen

January 14, 2010 - 1:07

Hi Sebastien

I'm a developer, but am feeling my way around more sysadmin-type stuff. I use my home server for managing projects, etc. that I have started to make selectively available to clients. I force access to the projects, repositories, source, etc. through SSL, authenticating against an LDAP server. This was proving painful for me when working on my private network, and your post has saved me a lot of time.

Thanks

Sébastien Wains

January 14, 2010 - 18:00

You’re welcome :)
