Apache authentication, authorization, access control

Source: Internet
Author: User

Authentication target: a site directory.

Enable authentication

1. Use the AllowOverride directive to specify which directives are valid in a per-directory configuration file:

AllowOverride AuthConfig

2. Set up password login for access to a site, a file, etc.

This section covers the basics of password-protecting a directory on the server. First, you need to create a password file. This file should be placed in a location that cannot be accessed over the network, so that it cannot be downloaded. For example, if only /usr/local/apache/htdocs is reachable over the network, consider placing the password file in the /usr/local/apache/passwd directory.

Apache provides the htpasswd tool in the bin subdirectory of its installation directory for creating the password file:

htpasswd -c /usr/local/apache/passwd/passwords rbowen

htpasswd will ask you to enter the password and then to re-enter it for confirmation:

# htpasswd -c /usr/local/apache/passwd/passwords rbowen
New password: mypassword
Re-type new password: mypassword
Adding password for user rbowen

If htpasswd is not in the search path, you must use the full path, such as /usr/local/apache/bin/htpasswd.

Then modify httpd.conf or the .htaccess file to tell the server which users are allowed access and to request a password from the user. To protect the /usr/local/apache/htdocs/secret directory, you can write the following directives to /usr/local/apache/htdocs/secret/.htaccess, or to a <Directory /usr/local/apache/apache/htdocs/secret> section of httpd.conf:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen

The corresponding configuration from an actual test:

<VirtualHost *:80>
ServerName 127.0.0.1
DocumentRoot "e:/wamp/www/"
ErrorLog "E:/wamp/logs/www-error.log"
CustomLog "E:/wamp/logs/www-access.log" common
<Directory "e:/wamp/www/">
Options Indexes FollowSymLinks
#AllowOverride All

# Only authentication directives may be overridden from .htaccess
AllowOverride AuthConfig
# Basic authentication against the htpasswd file; only rbowen is admitted
AuthType Basic
AuthName "Test Authconfig"
AuthUserFile E:/wamp/bin/apache/apache2.2.21/htpasswd/passwords
Require user rbowen

# Host-based access: no address restriction
Order Allow,Deny
Allow from all
</Directory>

</VirtualHost>

3. Allow access for multiple users:

If you want to allow multiple people access, you must create a group file that lists the users in each group. The format is simple and the file can be built with your favorite editor, for example:

GroupName: rbowen dpitts sungo rshersey

Each line is just a group name followed by a space-delimited list of the group's members.

To add a user to an existing password file, you can enter:

htpasswd /usr/local/apache/passwd/passwords dpitts

The program prompts in the same way as above, but the entry is appended to the existing file instead of a new file being built (the -c parameter forces the creation of a new password file).

Now modify the .htaccess file to look like this:

AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group GroupName

Now every member of the group GroupName who has a corresponding record in the password file is allowed access after entering the correct password.

In addition to creating a group file, there is another way to allow multiple people access, which is to use the following directive:

Require valid-user

Used in place of the Require user rbowen line above, this allows every user in the password file to gain access with the correct password. By keeping a separate password file for each group, you can even emulate groups. The advantage is that Apache only needs to check one file (not two); the disadvantage is that you must maintain a large number of password files and make sure that AuthUserFile points to the correct one.

PS: If there are many users, authentication will take time.
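An added example, not from the original article: a small Python check of which accounts each Require form above actually admits, given the group file and password file formats just described. The function names, the former_staff account and the placeholder hashes are constructed for the illustration.

```python
def parse_passwords(text):
    """AuthUserFile as written by htpasswd: one 'user:hash' entry per line."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, pw_hash = line.split(":", 1)
            users[user] = pw_hash
    return users

def parse_groups(text):
    """AuthGroupFile: 'GroupName: member member ...', members separated by spaces."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.strip().partition(":")
        if sep and name and not name.startswith("#"):
            groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def audit(require, passwords, groups):
    """require is the text after 'Require'. Returns (accounts that can log in,
    names the rule lists that have no password entry)."""
    kind, *args = require.split()
    if kind == "valid-user":
        wanted = set(passwords)
    elif kind == "user":
        wanted = set(args)
    elif kind == "group":
        wanted = set().union(*(groups.get(g, set()) for g in args))
    else:
        raise ValueError("unsupported Require type: " + kind)
    return wanted & set(passwords), wanted - set(passwords)

# Constructed sample files; the hashes are placeholders, not real htpasswd output.
PASSWORDS = parse_passwords(
    "rbowen:HASH-PLACEHOLDER-1\ndpitts:HASH-PLACEHOLDER-2\n"
    "sungo:HASH-PLACEHOLDER-3\nformer_staff:HASH-PLACEHOLDER-4\n")
GROUPS = parse_groups("GroupName: rbowen dpitts sungo rshersey\n")

if __name__ == "__main__":
    for rule in ("user rbowen", "group GroupName", "valid-user"):
        usable, missing = audit(rule, PASSWORDS, GROUPS)
        print(f"Require {rule}: can log in {sorted(usable)}, no password entry {sorted(missing)}")
```

With this data, rshersey is in the group but cannot log in until an htpasswd entry exists, while Require valid-user also admits former_staff, who is in no group.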

4. Other:

The Allow and Deny directives allow or deny access from a specific host name or host address, while the Order directive tells Apache in which order to process the two, which changes the filtering result.

Usage of these directives:

Allow from address

address can be an IP address (or part of an IP address) or a full domain name (or part of a domain name), and you can specify multiple IP addresses and domain names at the same time.

For example, to reject unwelcome spam-peddling sites:

Deny from 205.252.46.165

With this in place, all access from that address to the content covered by the directive is denied. In addition to specifying an IP address, you can also specify a domain name, such as:

Deny from host.example.com

Alternatively, you can specify part of an address or part of a domain name to block a whole group:

Deny from 192.101.205
Deny from cyberthugs.com moreidiots.com
Deny from ke

Order can be combined with the Deny and Allow directives to ensure that access is restricted while a particular group is still allowed in:

Order deny,allow
Deny from all
Allow from dev.example.com

Simply listing an Allow directive will not produce the result you want, because allowing the specified host does not prohibit access from hosts that are not listed. That is why the previous example first denies everyone and then allows access from a specific host.
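The interaction of Order, Allow and Deny described above, as an added Python example (not part of the original article and not Apache's own code). It models Apache 2.2 evaluation for IPv4 clients only; is_allowed, the sample addresses and the client host names are assumptions made for the illustration, and the host name stands in for Apache's reverse-DNS result.

```python
import ipaddress

def matches(spec, ip, host):
    """True if one 'from' argument matches the client (IPv4 address, reverse-DNS name)."""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:                            # network/mask or CIDR form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():        # full or partial IPv4 address
        prefix = spec.rstrip(".").split(".")
        return ip.split(".")[:len(prefix)] == prefix   # whole octets, not a string prefix
    host = (host or "").lower()                # domain: whole trailing labels only
    return host == spec or host.endswith("." + spec.lstrip("."))

def parse(config):
    """Collect Order and Allow/Deny lines; Apache 2.2 defaults to Order deny,allow."""
    order, rules = "deny,allow", []
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = words[1].lower()
        elif len(words) >= 3 and words[0].lower() in ("allow", "deny") and words[1].lower() == "from":
            rules += [(words[0].lower(), spec) for spec in words[2:]]
    return order, rules

def is_allowed(config, ip, host=None):
    order, rules = parse(config)
    allow = any(matches(s, ip, host) for kind, s in rules if kind == "allow")
    deny = any(matches(s, ip, host) for kind, s in rules if kind == "deny")
    if order == "deny,allow":                  # default allow; an Allow match wins
        return allow or not deny
    if order == "allow,deny":                  # default deny; a Deny match wins
        return allow and not deny
    raise ValueError("unsupported Order: " + order)

# Constructed inputs built from the directives shown in this section.
ALLOW_ONLY = "Allow from dev.example.com"
DENY_FIRST = "Order deny,allow\nDeny from all\nAllow from dev.example.com"
BLOCKLIST = "Deny from 192.101.205\nDeny from cyberthugs.com moreidiots.com\nDeny from ke"

if __name__ == "__main__":
    for name, cfg in [("ALLOW_ONLY", ALLOW_ONLY), ("DENY_FIRST", DENY_FIRST)]:
        for ip, host in [("198.51.100.7", "dev.example.com"), ("203.0.113.9", "other.example.net")]:
            print(name, host, "allowed" if is_allowed(cfg, ip, host) else "denied")
```

Running it shows that the lone Allow line still admits other.example.net, while the deny-first form admits only dev.example.com.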
