To better control access to site resources, we can add access authorization for specific site directories. Access can be controlled in two ways: by restricting the client's address and by restricting which users are authorized. The two methods are explained below; both apply within a <Directory "directory path"> ... </Directory> section of the httpd.conf configuration file.
Client Address Restrictions
The configuration items Order, Deny from and Allow from restrict client access based on the host name or IP address of the client. The Order configuration item can be set to "allow,deny" or "deny,allow" to determine the sequence in which the Allow and Deny policies are applied.
allow,deny: Allow first, then deny; by default, reject all client addresses that are not explicitly allowed.
deny,allow: Deny first, then allow; by default, allow all client addresses that are not explicitly rejected.
When using the Allow and Deny configuration items, specify the client address to form a complete restriction policy. The address can be an IP address, a network address, a host name or a domain name; the name "all" stands for any address.
The following configuration allows everyone to access the root directory of the Web site.
[root@localhost /]# vim /usr/local/httpd/conf/httpd.conf
... (part of the content omitted)
<Directory "/usr/local/httpd/htdocs">
... (part of the content omitted)
# Allow first, then deny
Order allow,deny
# Allow all addresses
Allow from all
</Directory>
... (part of the content omitted)
We can also reject an IP address or a network segment, which is set as follows:
[root@localhost /]# vim /usr/local/httpd/conf/httpd.conf
... (part of the content omitted)
<Directory "/usr/local/httpd/htdocs">
... (part of the content omitted)
# Deny first, then allow
Order deny,allow
# Reject 192.168.1.1 and the 192.168.3.0/24 network segment
Deny from 192.168.1.1 192.168.3.0/24
</Directory>
... (part of the content omitted)
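The evaluation order described above, as an added Python example (not part of the original article and not httpd's own code): it models how Order, Allow from and Deny from combine into a decision for one client IP, including the case where a client matches both lists. It assumes addresses are given only as "all", a single IP or a CIDR network (host names and domain names are not handled); the function names and the sample policies are hypothetical.

```python
import ipaddress


def matches(client, specs):
    """True if the client IP matches any spec: 'all', a single IP or a CIDR network."""
    ip = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        # strict=False accepts a host address as well as a network such as 192.168.3.0/24
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def is_allowed(order, allow, deny, client):
    """Combine the Allow from / Deny from lists according to the Order setting."""
    order = order.replace(" ", "").lower()
    in_allow = matches(client, allow)
    in_deny = matches(client, deny)
    if order == "allow,deny":
        # Allow is checked first and Deny last; anything not explicitly allowed is rejected.
        return in_allow and not in_deny
    if order == "deny,allow":
        # Deny is checked first and Allow last; anything not explicitly rejected is allowed.
        return in_allow or not in_deny
    raise ValueError("Order must be 'allow,deny' or 'deny,allow'")


# Constructed policies mirroring the two configurations shown in the article.
OPEN_SITE = ("allow,deny", ["all"], [])
BLOCK_LIST = ("deny,allow", [], ["192.168.1.1", "192.168.3.0/24"])


def decisions(policy, clients):
    """Map each client IP to True (allowed) or False (rejected) under one policy."""
    order, allow, deny = policy
    return {c: is_allowed(order, allow, deny, c) for c in clients}


if __name__ == "__main__":
    clients = ["192.168.1.1", "192.168.1.2", "192.168.3.77", "10.0.0.5"]
    for name, policy in (("open site", OPEN_SITE), ("block list", BLOCK_LIST)):
        for client, ok in decisions(policy, clients).items():
            print(f"{name:10} {client:14} {'allow' if ok else 'deny'}")
```

When an address appears in both lists, the policy checked last decides: under "allow,deny" the client is rejected, under "deny,allow" it is allowed.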
User Authorization Restrictions
The httpd server supports two authentication methods: Digest authentication and Basic authentication. Using Digest authentication requires adding the "--enable-auth-digest" option before compiling httpd, and not all browsers support Digest authentication. Basic authentication is a basic function of the httpd service and does not require special options, so this article covers Basic authentication.
User-based access control consists of two processes, authentication and authorization:
Authentication: The process of identifying a user's identity.
Authorization: The process of allowing a specific user to access a specific directory area.