Apache - conditional http authentication


This is what I needed to do: I have a virtual host (say sub.domain.be) running under the Apache web server at work that should be accessible to everybody on the local network, but also to a bunch of people outside of it. The main concern is security: we would consider the local network as safe, while anything else is not.

Thus, the condition is this:

Here’s the configuration I used on that virtual host:

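<code># Password check: any user listed in the AuthUserFile passes
AuthType        Basic
AuthName        "Sub Domain authentication"
AuthUserFile    /var/www/virtual/.htmaster/.sub.domain.be
Require         valid-user

# Passing either the password check or the host check is enough
Satisfy         any
# Host check: deny everyone, then allow the local network
Order           deny,allow
Deny            from all
Allow           from 192.168.100.0/24</code>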

What is interesting is the “Satisfy any” line.

http://httpd.apache.org/docs/2.0/mod/core.html#satisfy says this about it: Access policy if both Allow and Require used. The parameter can be either All or Any. This directive is only useful if access to a particular area is being restricted by both username/password and client host address. In this case the default behavior (All) is to require that the client passes the address access restriction and enters a valid username and password. **With the Any option the client will be granted access if they either pass the host restriction or enter a valid username and password**. This can be used to password restrict an area, but to let clients from particular addresses in without prompting for a password.

So either the user is in the 192.168.100.0/24 range and gets unrestricted access to the virtual host, or he isn’t and is asked for a username and password.

Keep in mind that HTTP authentication credentials are sent in the clear! Force SSL encryption if you want the credentials to be encrypted.
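One way to combine the configuration above with forced SSL, as an added example that is not part of the original post. The port-80 redirect, the `<Location />` wrapper and the certificate paths are assumptions; the authentication directives are the ones from the post.

```apache
# Added example, not from the original post.
# Port 80 never serves content or prompts for a password; it only redirects.
<VirtualHost *:80>
    ServerName sub.domain.be
    Redirect permanent / https://sub.domain.be/
</VirtualHost>

<VirtualHost *:443>
    ServerName sub.domain.be
    SSLEngine on
    # Placeholder paths: point these at your own certificate and key.
    SSLCertificateFile    /path/to/sub.domain.be.crt
    SSLCertificateKeyFile /path/to/sub.domain.be.key

    <Location />
        # Refuse any request that did not arrive over SSL. Redundant inside
        # this vhost, but it protects the block if it is ever copied into a
        # context that is also reachable over plain HTTP.
        SSLRequireSSL
        # Make that refusal final. By default "Satisfy any" lets a request
        # that passes the host or password check override the SSLRequireSSL
        # denial; +StrictRequire turns the denial into a hard failure.
        SSLOptions +StrictRequire

        # Password check (unchanged from the post)
        AuthType        Basic
        AuthName        "Sub Domain authentication"
        AuthUserFile    /var/www/virtual/.htmaster/.sub.domain.be
        Require         valid-user

        # Host check OR password check (unchanged from the post)
        Satisfy         any
        Order           deny,allow
        Deny            from all
        Allow           from 192.168.100.0/24
    </Location>
</VirtualHost>

# On Apache 2.4, Satisfy/Order/Deny/Allow are only available through
# mod_access_compat. The native 2.4 form of the two checks is:
#     <RequireAny>
#         Require ip 192.168.100.0/24
#         Require valid-user
#     </RequireAny>
```

After reloading, a plain `http://` request should return a redirect before any `401` challenge is issued, so the browser never sends credentials over the unencrypted connection.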

For more info about the “Order” directive, check this link



