Access control
Authentication by username and password is only part of the story. Frequently you want to
let people in based on something other than who they are, such as where they are coming
from. Restricting access based on something other than the identity of the user is
generally referred to as Access Control.
Allow and Deny
The Allow and Deny directives let you allow and deny access based on the
host name, or host address, of the machine requesting a document. Going hand-in-hand
with these is the Order directive, which tells Apache in which order to apply the
filters.
The usage of these directives is:
allow from address
where address is an IP address (or a partial IP address) or a fully qualified domain
name (or a partial domain name); you may provide multiple addresses or domain names, if
desired.
For example, if you have someone spamming your message board, and you want to keep them
out, you could do the following:
deny from 11.22.33.44
Visitors coming from that address will not be able to see the content behind this
directive. If, instead, you have a machine name, rather than an IP address, you can use that.
deny from hostname.example.com
And, if you'd like to block access from an entire domain, or even from an entire tld (top
level domain, such as .com or .gov) you can specify just part of an address or domain name:
deny from 192.101.205
deny from exampleone.com exampletwo.com
deny from tld
Using Order will let you be sure that you are actually restricting things to the
group that you want to let in, by combining a deny and an allow directive:
Order Deny,Allow
Deny from all
Allow from hostname.example.com
Listing just the Allow directive would not do what you want, because it lets in users
from that host in addition to everyone else. What you want is to let in only users from
that host.
Satisfy
The Satisfy directive can be used to specify that several criteria may be
considered when trying to decide if a particular user will be granted admission. Satisfy
can take as an argument one of two options - all or any. By default, it is
assumed that the value is all. This means that if several criteria are specified,
then all of them must be met in order for someone to get in. However, if set to any,
then several criteria may be specified, but if the user satisfies any of these, then they will
be granted entrance.
A very good example of this is using access control to assure that, although a resource is
password protected from outside your network, all hosts inside the network will be given free
access to the resource. This would be accomplished by using the Satisfy directive, as
shown below.
<Directory /usr/local/apache/htdocs/sekrit>
AuthType Basic
AuthName intranet
AuthUserFile /www/passwd/users
AuthGroupFile /www/passwd/groups
Require group customers
Order allow,deny
Allow from internal.com
Satisfy any
</Directory>
In this scenario, users will be let in if they either have a password, or if they are in
the internal network.
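As an added example (not part of the Apache documentation or its source), the following Python models the documented Order, Allow, Deny and Satisfy rules so that the internal.com configuration above, and the pitfall of an Allow without a matching Deny, can be checked against sample clients. The client hostnames and addresses are constructed for the demonstration.

```python
# Added example: a minimal model of how mod_access combines Order, Allow, Deny
# and Satisfy. It is not Apache's code; it mirrors the documented rules so the
# difference between Deny,Allow and Allow,Deny can be seen on sample requests.

def host_matches(client, pattern):
    """client is an IP string or hostname; pattern is a (partial) IP such as
    "192.101.205" or a (partial) domain such as "internal.com". Matching is on
    whole components: "exampleone.com" matches "www.exampleone.com" but not
    "notexampleone.com", and "192.101.205" matches "192.101.205.7" only."""
    if pattern == "all" or client == pattern:
        return True
    if pattern.replace(".", "").isdigit():       # partial IP: prefix on an octet boundary
        return client.startswith(pattern + ".")
    return client.endswith("." + pattern)        # partial domain: suffix on a label boundary


def access_allowed(client, order, allow=(), deny=()):
    """Evaluate Order/Allow/Deny for one client.
    Deny,Allow (Apache's default): default allow; a Deny match is overridden by an Allow match.
    Allow,Deny: default deny; an Allow match is overridden by a Deny match."""
    allowed = any(host_matches(client, p) for p in allow)
    denied = any(host_matches(client, p) for p in deny)
    if order.lower() == "deny,allow":
        return allowed or not denied
    if order.lower() == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def request_granted(client, authenticated, order, allow=(), deny=(),
                    satisfy="all", require_auth=False):
    """Combine host-based access control with a Require directive via Satisfy.
    authenticated says whether the client presented credentials that satisfy Require."""
    host_ok = access_allowed(client, order, allow, deny)
    if not require_auth:
        return host_ok
    if satisfy.lower() == "any":
        return host_ok or authenticated      # Satisfy any: either test is enough
    return host_ok and authenticated         # Satisfy all: both tests must pass


if __name__ == "__main__":
    # The pitfall: Allow alone under the default Order lets an unrelated host in.
    print(access_allowed("evil.example.org", "deny,allow", allow=["hostname.example.com"]))
    # The corrected form with "Deny from all" keeps it out.
    print(access_allowed("evil.example.org", "deny,allow",
                         allow=["hostname.example.com"], deny=["all"]))
    # The Satisfy any scenario: internal host without a password is admitted.
    print(request_granted("pc1.internal.com", False, "allow,deny",
                          allow=["internal.com"], satisfy="any", require_auth=True))
```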