date: 2007-01-26 23:18:48+00:00
'Apache : conditional http authentication'
categories: - Apache - Howto - Linux - Security
This is what I needed to do: I have a virtual host (say sub.domain.be) running under the Apache web server at work that should be accessible to everybody on the local network, and also to a bunch of people outside of it. The main concern is security: we consider the local network safe, while anything else is not.
Thus, the condition is this:

- local network: unrestricted access
- foreign network (in other words, "web users"): HTTP authentication
Here's the configuration I used on that virtual host :
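<code>
# Password check: any user listed in the AuthUserFile
AuthType basic
AuthName "Sub Domain authentication"
AuthUserFile /var/www/virtual/.htmaster/.sub.domain.be
Require valid-user
# Passing either the password check or the address check is enough
Satisfy any
# Address check: refuse everyone except the local network
Order deny,allow
Deny from all
Allow from 192.168.100.0/24
</code>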
What is interesting is the "Satisfy any" line.
http://httpd.apache.org/docs/2.0/mod/core.html#satisfy says this about it :
Access policy if both Allow and Require used. The parameter can be either All or Any. This directive is only useful if access to a particular area is being restricted by both username/password and client host address. In this case the default behavior (All) is to require that the client passes the address access restriction and enters a valid username and password. **With the Any option the client will be granted access if they either pass the host restriction or enter a valid username and password**. This can be used to password restrict an area, but to let clients from particular addresses in without prompting for a password.
So either the user is in the 192.168.100.0/24 range and gets unrestricted access to the virtual host, or he isn't and is asked for a username and password.
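The decision described above can be worked through for each kind of client with a small model. This is an added example, not Apache's code and not part of the original configuration: it is a simplified Python model of how the host check and the password check combine under `Satisfy any` and under the default `Satisfy all`. The function names and the two sample client addresses are constructed for illustration.

```python
import ipaddress

# Values taken from the virtual host configuration on this page.
DENY_FROM = ["0.0.0.0/0"]           # Deny from all (IPv4 only in this model)
ALLOW_FROM = ["192.168.100.0/24"]   # Allow from 192.168.100.0/24


def _matches(client_ip, networks):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def host_allowed(client_ip):
    """Order deny,allow: Deny rules are checked first, then Allow rules
    override them. A client matching neither list is allowed by default."""
    allowed = True
    if _matches(client_ip, DENY_FROM):
        allowed = False
    if _matches(client_ip, ALLOW_FROM):
        allowed = True
    return allowed


def decide(client_ip, valid_credentials, satisfy="any"):
    """Return the HTTP status the client would get: 200, 401 or 403."""
    host_ok = host_allowed(client_ip)
    if satisfy.lower() == "any":
        if host_ok or valid_credentials:
            return 200
        return 401  # address check failed, so the password prompt is the fallback
    # Satisfy all (the default): both checks must pass.
    if not host_ok:
        return 403  # rejected on address alone, no prompt is offered
    return 200 if valid_credentials else 401


if __name__ == "__main__":
    # Constructed sample clients: one inside the LAN range, one outside it.
    for ip in ("192.168.100.42", "203.0.113.7"):
        for creds in (False, True):
            for mode in ("any", "all"):
                print(f"{ip:15} creds={creds!s:5} Satisfy {mode}: "
                      f"{decide(ip, creds, mode)}")
```

Under the default `Satisfy all`, the outside client is refused with 403 even with a valid password, which is why the `Satisfy any` line is needed for this setup.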
Keep in mind that HTTP authentication credentials are sent in the clear! Force SSL encryption if you want the credentials to be encrypted.
For more info about the "Order" directive, check this link