[PLUG] Apache access control question

Evan Heidtmann clydefrog at adnap.no-ip.com
Thu Jun 10 08:30:02 UTC 2004


On Wed, 2004-06-09 at 23:50, Galen Seitz wrote:
> I'm confused about access control under Apache (2.0).  What determines the
> default access control?  For example, if I have an entry in httpd.conf
> like the following, what sets the access control for /var/www/icons?
> 
> Alias /icons/ "/var/www/icons/"
> 
> <Directory "/var/www/icons">
>     Options Indexes MultiViews
>     AllowOverride None
> </Directory>

You have no auth or access control directives here, so /var/www/icons
will inherit the directives from higher-level directories. If you don't
have any such directives in your httpd.conf at all, then AFAIK the
defaults are to allow access from anywhere.

> Ultimately what I would like to do is allow access to all of my web stuff
> from 127.0.0.1 and 192.168.1.0/24 via http, and allow access to
> selected directories from anywhere via https with basic auth.  I've
> seen examples of this, but they would be easier to follow if I understood
> how access control picks up its defaults, as well as whether there
> is any scoping or inheritance of permissions.  Note that I'm not
> planning to use htaccess files.

This document is probably what you want:

http://httpd.apache.org/docs-2.0/howto/auth.html

Off the top of my head, something like this would do what you want:

<VirtualHost *:80>
 DocumentRoot /var/www/docroot
 
 <Location />
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1 192.168.1.0/24 
  # You can replace this stuff with iptables rules like these:
  # iptables -I INPUT -s 127.0.0.1 -j ACCEPT
  # iptables -I INPUT -p tcp --dport 80 -s ! 192.168.1.0/24 -j DROP
  # This will be more secure.
 </Location>

</VirtualHost>

# for https
<VirtualHost *:443>
 DocumentRoot /var/www/public

 # Set up aliases here for other directories
 
 <Location />
  # Put AuthType and Require directives here
 </Location>

</VirtualHost>

Hope this works (I'm accustomed to Apache 1.3).

Evan
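
Added example, not part of the original message: one way to write out the setup discussed in this thread for Apache 2.0 (mod_access, mod_auth, mod_ssl), with a server-wide deny default so that inheritance is explicit. The certificate and password file paths and the realm name are placeholder assumptions, and the Listen directives for ports 80 and 443 are assumed to exist elsewhere in httpd.conf.

```apache
# Added example for Apache 2.0; certificate/htpasswd paths and the realm
# name are placeholders (assumptions), not values from the thread.

# Server-wide default. A directory section that has no Order/Allow/Deny
# of its own inherits these; one that has its own uses those instead.
<Directory />
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# /var/www/icons would now inherit "Deny from all", so it needs its own rule.
Alias /icons/ "/var/www/icons/"
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.0/24
</Directory>

# http: the whole site, reachable only from localhost and the LAN.
<VirtualHost *:80>
    DocumentRoot /var/www/docroot
    <Directory "/var/www/docroot">
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 192.168.1.0/24
    </Directory>
</VirtualHost>

# https: selected directories, any source address, basic auth required.
<VirtualHost *:443>
    DocumentRoot /var/www/public
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    <Directory "/var/www/public">
        SSLRequireSSL
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /path/to/htpasswd
        Require valid-user
        Satisfy all
    </Directory>
</VirtualHost>
```

Running `apachectl configtest` after editing checks the syntax before a restart. `Satisfy all` is the default and is written out here only to make clear that both the host rule and the login must pass.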
