From: Rich Bowen
Date: Fri, 19 Jun 2026 12:16:23 +0000 (+0000)
Subject: docs: howto/auth.xml tone normalization and deduplication
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8736920ab50d4572be872b82433c769fc1758ebb;p=thirdparty%2Fapache%2Fhttpd.git
docs: howto/auth.xml tone normalization and deduplication
- Replace host-based access control section (Require ip/host examples)
with brief explanation and cross-reference to access.html howto
- Remove dated "HTTPD 2.3/2.4 introduces" from socache section
- Grammar and spelling fixes throughout
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935509 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/howto/auth.xml b/docs/manual/howto/auth.xml
index a87a511155..9185ae665d 100644
--- a/docs/manual/howto/auth.xml
+++ b/docs/manual/howto/auth.xml
@@ -127,9 +127,11 @@ module from each group.
an AllowOverride directive like the
following:
-
+
+
AllowOverride AuthConfig
-
+
+
Or, if you are just going to put the directives directly in
your main server configuration file, you will of course need to
@@ -201,14 +203,16 @@ AllowOverride AuthConfig
placed in httpd.conf inside a <Directory
"/usr/local/apache/htdocs/secret"> section.
-
+
+
AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile "/usr/local/apache/passwd/passwords"
Require user rbowen
-
+
+
Let's examine each of those directives individually. The AuthType directive selects
@@ -304,7 +308,8 @@ person in
Now, you need to modify your .htaccess file to
look like the following:
-
+
+
AuthType Basic
AuthName "By Invitation Only"
# Optional line:
@@ -312,7 +317,8 @@ AuthBasicProvider file
AuthUserFile "/usr/local/apache/passwd/passwords"
AuthGroupFile "/usr/local/apache/passwd/groups"
Require group GroupName
-
+
+
Now, anyone that is listed in the group GroupName,
and has an entry in the password file, will be let in, if
@@ -322,9 +328,11 @@ Require group GroupName
specific. Rather than creating a group file, you can just use
the following directive:
-
+
+
Require valid-user
-
+
+
Using that rather than the Require user rbowen
line will allow anyone in that is listed in the password file,
@@ -371,15 +379,17 @@ Require valid-user
To select a dbm file rather than a text file, for example:
-
+
+
<Directory "/www/docs/private">
- AuthName "Private"
- AuthType Basic
- AuthBasicProvider dbm
- AuthDBMUserFile "/www/passwords/passwd.dbm"
- Require valid-user
+AuthName "Private"
+AuthType Basic
+AuthBasicProvider dbm
+AuthDBMUserFile "/www/passwords/passwd.dbm"
+Require valid-user
</Directory>
-
+
+
Other options are available. Consult the
mod_authn_dbm documentation for more details.
@@ -394,16 +404,18 @@ Require valid-user
scheme that meets your needs. In the following example, both the
file and LDAP based authentication providers are being used.
-
+
+
<Directory "/www/docs/private">
- AuthName "Private"
- AuthType Basic
- AuthBasicProvider file ldap
- AuthUserFile "/usr/local/apache/passwd/passwords"
- AuthLDAPURL ldap://ldaphost/o=yourorg
- Require valid-user
+AuthName "Private"
+AuthType Basic
+AuthBasicProvider file ldap
+AuthUserFile "/usr/local/apache/passwd/passwords"
+AuthLDAPURL ldap://ldaphost/o=yourorg
+Require valid-user
</Directory>
-
+
+
In this example the file provider will attempt to authenticate
the user first. If it is unable to authenticate the user, the LDAP
@@ -418,18 +430,20 @@ Require valid-user
authorization methods can also be used. In this example both file group
authorization as well as LDAP group authorization is being used.
-
+
+
<Directory "/www/docs/private">
- AuthName "Private"
- AuthType Basic
- AuthBasicProvider file
- AuthUserFile "/usr/local/apache/passwd/passwords"
- AuthLDAPURL ldap://ldaphost/o=yourorg
- AuthGroupFile "/usr/local/apache/passwd/groups"
- Require group GroupName
- Require ldap-group cn=mygroup,o=yourorg
+AuthName "Private"
+AuthType Basic
+AuthBasicProvider file
+AuthUserFile "/usr/local/apache/passwd/passwords"
+AuthLDAPURL ldap://ldaphost/o=yourorg
+AuthGroupFile "/usr/local/apache/passwd/groups"
+Require group GroupName
+Require ldap-group cn=mygroup,o=yourorg
</Directory>
-
+
+
To take authorization a little further, authorization container
directives such as
@@ -492,77 +506,15 @@ Require valid-user
Using authorization providers for access control
Authentication by username and password is only part of the
- story. Frequently you want to let people in based on something
- other than who they are. Something such as where they are
- coming from.
-
- The authorization providers all,
- env, host and ip let you
- allow or deny access based on other host based criteria such as
- host name or ip address of the machine requesting a
- document.
-
- The usage of these providers is specified through the
- Require directive.
- This directive registers the authorization providers
- that will be called during the authorization stage of the request
- processing. For example:
-
-
-Require ip address
-
-
- where address is an IP address (or a partial IP
- address) or:
-
-
-Require host domain_name
-
-
- where domain_name is a fully qualified domain name
- (or a partial domain name); you may provide multiple addresses or
- domain names, if desired.
-
- For example, if you have someone spamming your message
- board, and you want to keep them out, you could do the
- following:
-
-
-<RequireAll>
- Require all granted
- Require not ip 10.252.46.165
-</RequireAll>
-
-
- Visitors coming from that address will not be able to see
- the content covered by this directive. If, instead, you have a
- machine name, rather than an IP address, you can use that.
-
-
-<RequireAll>
- Require all granted
- Require not host host.example.com
-</RequireAll>
-
-
- And, if you'd like to block access from an entire domain,
- you can specify just part of an address or domain name:
-
-
-<RequireAll>
- Require all granted
- Require not ip 192.168.205
- Require not host phishers.example.com moreidiots.example
- Require not host ke
-</RequireAll>
-
-
- Using RequireAll
- with multiple Require directives, each negated with not,
- will only allow access, if all of negated conditions are true. In other words,
- access will be blocked, if any of the negated conditions fails.
+ story. You can also allow or deny access based on other
+ criteria, such as the client's IP address or hostname, using
+ the authorization providers all, env,
+ host, and ip with the
+ Require
+ directive.
+ For full details and examples, see the
+ Access Control howto.
Access Control backwards compatibility
@@ -596,9 +548,8 @@ Require host domain_name
Authentication Caching
There may be times when authentication puts an unacceptable load
on a provider or on your network. This is most likely to affect users
- of mod_authn_dbd (or third-party/custom providers).
- To deal with this, HTTPD 2.3/2.4 introduces a new caching provider
- mod_authn_socache to cache credentials and reduce
+ of mod_authn_dbd (or third-party/custom providers). The
+ mod_authn_socache module caches credentials and reduces
the load on the origin provider(s).
This may offer a substantial performance boost to some users.