Final Words on Access Control

If you have host-based as well as user-based access protection on a resource, the default behavior of Apache is to require the requester to satisfy both controls. But assume that you want to mix host-based and user-based protection and allow access to a resource if either method succeeds. You can do so using the Satisfy directive, which you can set to All (the default) or Any. When Satisfy is set to All, every access control method must be satisfied before the resource is served. When Satisfy is set to Any, the resource is served if any one access condition is met.

Here's another access control example, again using the server-status resource from the previous example. This time, you combine access methods so that all users from the Gnulix domain are allowed access and those from outside the domain must identify themselves before gaining access. You can do so with the following:

<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from
AuthType Basic
AuthName "Server status"
AuthUserFile "gnulixusers"
Require valid-user
Satisfy Any
</Location>
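The following Python model is an added example, not code from the original text or from Apache itself; it works through the decision the configuration above describes, for both Satisfy Any and Satisfy All. The names Request, host_matches, host_allowed and decide are hypothetical, and example.org is a placeholder domain because the Allow from value is not shown above.

```python
from dataclasses import dataclass

@dataclass
class Request:
    hostname: str                # name resolved for the client (assumed input)
    authenticated: bool = False  # True when Basic credentials matched the AuthUserFile

def host_matches(hostname: str, spec: str) -> bool:
    """Match an Allow/Deny 'from' value: 'all' or a (partial) domain name."""
    if spec.lower() == "all":
        return True
    host = hostname.lower().rstrip(".")
    dom = spec.lower().strip(".")
    # Whole labels only: 'example.org' covers 'a.example.org', not 'notexample.org'
    return host == dom or host.endswith("." + dom)

def host_allowed(hostname, order, allow, deny) -> bool:
    allowed = any(host_matches(hostname, s) for s in allow)
    denied = any(host_matches(hostname, s) for s in deny)
    if order == "deny,allow":   # Allow overrides Deny; unmatched hosts pass
        return allowed or not denied
    if order == "allow,deny":   # Deny overrides Allow; unmatched hosts fail
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")

def decide(req, satisfy="all", order="deny,allow",
           allow=("example.org",), deny=("all",)) -> int:
    """Return the HTTP status the <Location> policy yields for req."""
    host_ok = host_allowed(req.hostname, order, allow, deny)
    mode = satisfy.lower()
    if mode == "any":           # either control is enough
        return 200 if (host_ok or req.authenticated) else 401
    if mode == "all":           # host check first (403), then credentials (401)
        if not host_ok:
            return 403
        return 200 if req.authenticated else 401
    raise ValueError(f"unknown Satisfy: {satisfy}")

if __name__ == "__main__":
    # Constructed sample requests: one inside the placeholder domain, one outside
    for sat in ("Any", "All"):
        for host in ("ws1.example.org", "host.example.net"):
            for auth in (False, True):
                status = decide(Request(host, auth), satisfy=sat)
                print(f"Satisfy {sat:3} host={host:17} auth={auth!s:5} -> {status}")
```

With Satisfy Any, the host rule alone opens the resource to every client that resolves into the allowed domain, so the user file protects only requests from outside it.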

There are more ways to protect material on your web server, but the methods discussed here should get you started and will probably be more than adequate for most circumstances. Look to Apache's online documentation for more examples of how to secure areas of your site.

