
Welcome to My Blog

This is to share my IT experience with friends all around the world.
I have been working in Linux Fedora Systems for more than 8 years. It's fun to share knowledge and learn.
As everyone knows, when a problem arises in your systems, "googling" is the way that many depend on.

All the posts here are my working experiences during my working life, so you can count on them.

I have added the references where I got help in solving IT issues.


Wednesday, February 29, 2012

Access Control in Apache with mod_authz_host and mod_access

In the Apache web server, access to a website can be restricted in several ways. Enabling user authentication is one such mechanism. User authentication can be implemented in the site itself, with PHP or whatever other language you used to develop the site, or the server administrator can configure the web server to handle user authentication.


The directives provided by mod_authz_host are used to control access to particular parts of the server. As of Apache 2.2, mod_access has been renamed to mod_authz_host.

Access can be controlled based on the client hostname, IP address, or other characteristics of the client request, as captured in environment variables. The Allow and Deny directives are used to specify which clients are or are not allowed access to the server, while the Order directive sets the default access state, and configures how the Allow and Deny directives interact with each other.

Server-side user authentication is configured inside a <Directory> block with the AuthUserFile and AuthType directives. The format of Apache-based authentication is as follows:


This will allow access to the contents of the settings folder for users who have login credentials in users_password_file.
 
<Directory "/var/www/html/your-site/settings">
        AllowOverride AuthConfig FileInfo Indexes Limit Options
        AuthUserFile /etc/httpd/users/users_password_file
        SSLRequireSSL
        AuthName "Secure Users"
        AuthType Basic
        require valid-user
</Directory>

How can you allow access to the above folder from specific IP addresses only? That is much easier. It can be achieved just by defining the 'Allow from' parameter.

The format for that setup is given below:

<Directory /var/www/html/your-site/settings>
    # No space after the comma: Apache rejects "Order Deny, Allow"
    Order Deny,Allow
    Deny from all
    Allow from aaa.bbb.ccc.ddd/netmask
</Directory>
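The way Order decides between Allow and Deny matches, as an added example that is not part of the original post: a small Python model of the Apache 2.2 evaluation rules. It assumes `from` values are only `all`, full IP addresses or CIDR networks (hostnames, partial IPs, environment variables and `mutual-failure` are left out); `is_allowed` is a name chosen for this sketch and the addresses are constructed from documentation ranges.

```python
import ipaddress


def _matches(client, specs):
    """True if the client IP matches any 'from' value ('all', an IP or a CIDR)."""
    ip = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def is_allowed(order, allow, deny, client):
    """Model of how Apache 2.2 combines Order, Allow and Deny for one client IP."""
    keys = order.lower().split(",")
    if keys not in (["allow", "deny"], ["deny", "allow"]):
        # Whitespace around the comma ("Deny, Allow") is a syntax error in Apache.
        raise ValueError("Order must be 'Allow,Deny' or 'Deny,Allow' without spaces")
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    if keys == ["deny", "allow"]:
        # Default state is allow; a Deny match blocks unless an Allow also matches.
        return allowed or not denied
    # Allow,Deny: default state is deny; a Deny match overrides any Allow match.
    return allowed and not denied


if __name__ == "__main__":
    # Constructed sample: same shape as the <Directory> block above.
    allow, deny = ["192.0.2.0/24"], ["all"]
    for order in ("Deny,Allow", "Allow,Deny"):
        for client in ("192.0.2.15", "203.0.113.7"):
            verdict = "allow" if is_allowed(order, allow, deny, client) else "deny"
            print(f"Order {order:<10} client {client:<12} -> {verdict}")
```

With the same Allow and Deny lines, swapping the order to `Allow,Deny` locks out every client, because `Deny from all` is then evaluated last and wins.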


I have used both control mechanisms, with password authentication and IP address filtering.