httpd-users mailing list archives

From "Boyle Owen" <>
Subject RE: Restricting access with both IP address and password
Date Tue, 02 Jul 2002 12:06:36 GMT
>From: Trish Hartnett []

>I was reading lots of documentation again today 

Well done! At last, someone who reads the docs *before* posting :-)

> and I'm curious about the 
>capabilities of the htaccess file. Most sources agree that you can use 
>htaccess to limit access by password, or by IP address 
>(/domain name). Only 
>one source mentioned using both. 

These are quite different things. The Auth* directives implement password checking on a directory
using the mod_auth module. Allow/Deny controls access based on various attributes of the request
(like IP address). The two mechanisms are quite separate - just to be clear.

Also, bear in mind that .htaccess files are just a handy way of applying some subset of directives
to a directory without editing httpd.conf. Anything that goes in .htaccess can just as easily
go in the config.

> It said that if you used for example:
>"Deny from all
>Allow from
>Allow from 169.147
>Allow from 129.237
>AuthType Basic
>AuthUserFile /pulse-root/som/.htpasswd
>AuthName "Directory Protected"
>Require valid-user
>Satisfy any"
>This would set up IP access that defaults to a
>password prompt when the user is out of the IP range.

Err.. no. You will only get the password prompt if you are in the IP range. If you are outside
the IP range you will be denied access long before your request trips the password check.

>Is it possible to have a page/folder restricted such that only 
>individuals sitting at a particular computer could get access to that 
>page, and then only if they knew the correct password ?

Not in general. If you had complete control of the environment and knew in advance the IP
address of the client and could be sure that no-one could change that IP address (e.g. in
a lab environment) then you could use "Allow" as above. In a general case, this wouldn't work
because real internet requests often lose the actual IP address of the client (e.g. the request
goes via a proxy). There is nothing in a request that is unique to the computer that it originated
from - despite Intel's desires, we don't have unique processor IDs just yet, thank goodness.


Owen Boyle
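
An added example, not part of the original message or of the Apache documentation: the two settings of the Satisfy directive side by side, in the Apache 1.3/2.0-style syntax used in this thread. The directory paths, the 192.0.2.0/24 range and the password file location are constructed placeholders, and the comments describe the behaviour documented for Satisfy.

```apache
# Constructed example. 192.0.2.0/24, the directory paths and the
# AuthUserFile location are placeholders, not values from the thread.

# Variant A: address restriction AND password.
# "Satisfy all" is the default: the client must pass the Allow/Deny
# check and then supply a valid username and password. A client
# outside 192.0.2.0/24 is refused (403) and never sees a prompt.
<Directory "/var/www/example/both">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24

    AuthType Basic
    AuthName "Directory Protected"
    AuthUserFile /path/to/.htpasswd
    Require valid-user

    Satisfy all
</Directory>

# Variant B: address restriction OR password.
# "Satisfy any" grants access when either check passes: a client
# inside 192.0.2.0/24 is let in without a prompt, and any other
# client is asked for a username and password (401).
<Directory "/var/www/example/either">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24

    AuthType Basic
    AuthName "Directory Protected"
    AuthUserFile /path/to/.htpasswd
    Require valid-user

    Satisfy any
</Directory>
```

Keep the password file outside the document root, and note that Basic authentication sends credentials base64-encoded rather than encrypted, so either variant should sit behind TLS.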
