From: Rich Bowen Date: Fri, 19 Jun 2026 12:16:23 +0000 (+0000) Subject: docs: howto/auth.xml tone normalization and deduplication X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8736920ab50d4572be872b82433c769fc1758ebb;p=thirdparty%2Fapache%2Fhttpd.git docs: howto/auth.xml tone normalization and deduplication - Replace host-based access control section (Require ip/host examples) with brief explanation and cross-reference to access.html howto - Remove dated "HTTPD 2.3/2.4 introduces" from socache section - Grammar and spelling fixes throughout git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935509 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/howto/auth.xml b/docs/manual/howto/auth.xml index a87a511155..9185ae665d 100644 --- a/docs/manual/howto/auth.xml +++ b/docs/manual/howto/auth.xml @@ -127,9 +127,11 @@ module from each group.

an AllowOverride directive like the following:

- + + AllowOverride AuthConfig - + +

Or, if you are just going to put the directives directly in your main server configuration file, you will of course need to @@ -201,14 +203,16 @@ AllowOverride AuthConfig placed in httpd.conf inside a <Directory "/usr/local/apache/htdocs/secret"> section.

- + + AuthType Basic AuthName "Restricted Files" # (Following line optional) AuthBasicProvider file AuthUserFile "/usr/local/apache/passwd/passwords" Require user rbowen - + +

Let's examine each of those directives individually. The AuthType directive selects @@ -304,7 +308,8 @@ person in

Now, you need to modify your .htaccess file to look like the following:

- + + AuthType Basic AuthName "By Invitation Only" # Optional line: @@ -312,7 +317,8 @@ AuthBasicProvider file AuthUserFile "/usr/local/apache/passwd/passwords" AuthGroupFile "/usr/local/apache/passwd/groups" Require group GroupName - + +

Now, anyone that is listed in the group GroupName, and has an entry in the password file, will be let in, if @@ -322,9 +328,11 @@ Require group GroupName specific. Rather than creating a group file, you can just use the following directive:

- + + Require valid-user - + +

Using that rather than the Require user rbowen line will allow anyone in that is listed in the password file, @@ -371,15 +379,17 @@ Require valid-user

To select a dbm file rather than a text file, for example:

- + + <Directory "/www/docs/private"> - AuthName "Private" - AuthType Basic - AuthBasicProvider dbm - AuthDBMUserFile "/www/passwords/passwd.dbm" - Require valid-user +AuthName "Private" +AuthType Basic +AuthBasicProvider dbm +AuthDBMUserFile "/www/passwords/passwd.dbm" +Require valid-user </Directory> - + +

Other options are available. Consult the mod_authn_dbm documentation for more details.

@@ -394,16 +404,18 @@ Require valid-user scheme that meets your needs. In the following example, both the file and LDAP based authentication providers are being used.

- + + <Directory "/www/docs/private"> - AuthName "Private" - AuthType Basic - AuthBasicProvider file ldap - AuthUserFile "/usr/local/apache/passwd/passwords" - AuthLDAPURL ldap://ldaphost/o=yourorg - Require valid-user +AuthName "Private" +AuthType Basic +AuthBasicProvider file ldap +AuthUserFile "/usr/local/apache/passwd/passwords" +AuthLDAPURL ldap://ldaphost/o=yourorg +Require valid-user </Directory> - + +

In this example the file provider will attempt to authenticate the user first. If it is unable to authenticate the user, the LDAP @@ -418,18 +430,20 @@ Require valid-user authorization methods can also be used. In this example both file group authorization as well as LDAP group authorization is being used.

- + + <Directory "/www/docs/private"> - AuthName "Private" - AuthType Basic - AuthBasicProvider file - AuthUserFile "/usr/local/apache/passwd/passwords" - AuthLDAPURL ldap://ldaphost/o=yourorg - AuthGroupFile "/usr/local/apache/passwd/groups" - Require group GroupName - Require ldap-group cn=mygroup,o=yourorg +AuthName "Private" +AuthType Basic +AuthBasicProvider file +AuthUserFile "/usr/local/apache/passwd/passwords" +AuthLDAPURL ldap://ldaphost/o=yourorg +AuthGroupFile "/usr/local/apache/passwd/groups" +Require group GroupName +Require ldap-group cn=mygroup,o=yourorg </Directory> - + +

To take authorization a little further, authorization container directives such as @@ -492,77 +506,15 @@ Require valid-user

Using authorization providers for access control

Authentication by username and password is only part of the - story. Frequently you want to let people in based on something - other than who they are. Something such as where they are - coming from.

- -

The authorization providers all, - env, host and ip let you - allow or deny access based on other host based criteria such as - host name or ip address of the machine requesting a - document.

- -

The usage of these providers is specified through the - Require directive. - This directive registers the authorization providers - that will be called during the authorization stage of the request - processing. For example:

- - -Require ip address - - -

where address is an IP address (or a partial IP - address) or:

- - -Require host domain_name - - -

where domain_name is a fully qualified domain name - (or a partial domain name); you may provide multiple addresses or - domain names, if desired.

- -

For example, if you have someone spamming your message - board, and you want to keep them out, you could do the - following:

- - -<RequireAll> - Require all granted - Require not ip 10.252.46.165 -</RequireAll> - - -

Visitors coming from that address will not be able to see - the content covered by this directive. If, instead, you have a - machine name, rather than an IP address, you can use that.

- - -<RequireAll> - Require all granted - Require not host host.example.com -</RequireAll> - - -

And, if you'd like to block access from an entire domain, - you can specify just part of an address or domain name:

- - -<RequireAll> - Require all granted - Require not ip 192.168.205 - Require not host phishers.example.com moreidiots.example - Require not host ke -</RequireAll> - - -

Using RequireAll - with multiple Require directives, each negated with not, - will only allow access, if all of negated conditions are true. In other words, - access will be blocked, if any of the negated conditions fails.

+ story. You can also allow or deny access based on other + criteria, such as the client's IP address or hostname, using + the authorization providers all, env, + host, and ip with the + Require + directive.

+

For full details and examples, see the + Access Control howto.

Access Control backwards compatibility @@ -596,9 +548,8 @@ Require host domain_name
Authentication Caching

There may be times when authentication puts an unacceptable load on a provider or on your network. This is most likely to affect users - of mod_authn_dbd (or third-party/custom providers). - To deal with this, HTTPD 2.3/2.4 introduces a new caching provider - mod_authn_socache to cache credentials and reduce + of mod_authn_dbd (or third-party/custom providers). The + mod_authn_socache module caches credentials and reduces the load on the origin provider(s).

This may offer a substantial performance boost to some users.