Sat, 01/05/2010 - 19:31 — horuskol
Using the or directives to restrict access to specific areas of a website only works if there is actually a physical file or directory. But as more and more site frameworks are using rewritten URLs, the chances of a URL mapping to a physical file or directory are getting pretty slim.
So, what can you do in these circumstances?
Well, something like this:
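    Satisfy any
    Order allow,deny
    # Pass every request through the host check by default...
    Allow from all
    # ...flag any request whose URI starts with /admin...
    SetEnvIf Request_URI "^/admin" admin
    # ...and fail the host check for flagged requests, so "Satisfy any" falls back to a login
    Deny from env=admin
    AuthUserFile /var/www/your-website/.htpasswd
    AuthType Basic
    AuthName "Authentication Required"
    # Without a Require line Apache never asks for credentials
    Require valid-user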
Sat, 01/05/2010 - 19:00 — horuskol
If you want to restrict access to a specific directory, such as an administration section, you have a couple of options. First, you can drop a .htaccess file into the directory which you want to restrict and set it up like this:
    AuthUserFile /var/www/your-website/.htpasswd
    AuthType Basic
    AuthName "Authentication Required"
    Require valid-user
Sat, 01/05/2010 - 18:39 — horuskol
This should be fairly useful - it sets up a trusted connection (always allow access to people on a specific network) and requires authentication for anyone else outside of that network.
    Satisfy any
    Order deny,allow
    Deny from all
    Allow from 192.168.1
    AuthUserFile /var/www/your-website/.htpasswd
    AuthType Basic
    AuthName "Authentication Required"
    Require valid-user
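The two "Satisfy any" configurations above (the URL-based /admin rule and the trusted-network rule) depend on how Apache 2.2 combines Order/Allow/Deny with authentication. As an added example, not code from the original posts, this Python model evaluates both. The dict layout, function names, sample addresses, and the "Allow from all" and "Require valid-user" lines in the /admin configuration are assumptions of this example.

```python
import re

def host_ok(order, allow, deny, ip, env):
    """Apache 2.2 Order/Allow/Deny. A rule is 'all', 'env=NAME' or an IP prefix."""
    def hit(rules):
        return any(
            r == "all"
            or (r.startswith("env=") and r[4:] in env)
            or ip == r
            or ip.startswith(r.rstrip(".") + ".")   # partial IP matches whole octets
            for r in rules
        )
    if order == "deny,allow":   # default allow; a matching Allow beats Deny
        return hit(allow) or not hit(deny)
    if order == "allow,deny":   # default deny; a matching Deny beats Allow
        return hit(allow) and not hit(deny)
    raise ValueError("Order must be 'deny,allow' or 'allow,deny', without a space")

def decide(cfg, uri, ip, authed=False):
    """Return the HTTP status (200, 401 or 403) for one request."""
    env = {name for pattern, name in cfg.get("setenvif", []) if re.search(pattern, uri)}
    host = host_ok(cfg["order"], cfg.get("allow", []), cfg.get("deny", []), ip, env)
    auth_required = cfg.get("require_valid_user", False)
    if cfg.get("satisfy") == "any":      # host check OR a valid login is enough
        if host or (auth_required and authed):
            return 200
        return 401 if auth_required else 403
    if not host:                         # Satisfy all (the default): need both
        return 403
    return 401 if auth_required and not authed else 200

# Trusted-network configuration from the post above.
TRUSTED_NET = {"satisfy": "any", "order": "deny,allow", "deny": ["all"],
               "allow": ["192.168.1"], "require_valid_user": True}
# URL-based configuration; 'allow' and 'require_valid_user' are assumed here.
ADMIN_BY_URI = {"satisfy": "any", "order": "allow,deny", "allow": ["all"],
                "setenvif": [(r"^/admin", "admin")], "deny": ["env=admin"],
                "require_valid_user": True}
# Same rule without those two lines: every request fails the host check.
INCOMPLETE = {k: v for k, v in ADMIN_BY_URI.items()
              if k not in ("allow", "require_valid_user")}

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.10.20", "203.0.113.9"):  # constructed addresses
        print("trusted-net", ip, decide(TRUSTED_NET, "/", ip))
    for uri in ("/", "/admin/users"):
        print("admin-by-uri", uri, decide(ADMIN_BY_URI, uri, "203.0.113.9"),
              "incomplete:", decide(INCOMPLETE, uri, "203.0.113.9"))
```

Note that the partial address 192.168.1 covers 192.168.1.x only, so 192.168.10.20 is still asked to log in.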
Satisfy Directive
Sat, 01/05/2010 - 18:17 — horuskol
If you want to lock down your website, but do not need a full user access solution built in PHP, ASP, etc., you can make use of a variety of authentication options with Apache.
This example uses the basic authentication methods available to the core of Apache httpd:
    AuthUserFile /var/www/your-website/.htpasswd
    AuthType Basic
    AuthName "Authentication Required"
    Require valid-user
.htpasswd file
Sat, 01/05/2010 - 17:48 — horuskol
First off, restricting access to your entire website is pretty easy.
All you need to do is put the following at the top of the .htaccess file in your website's document root:
    Order deny,allow
    Deny from all
This will prevent anyone from seeing your website. Admittedly, not terribly useful, but it's a start.
It is important not to have a space in 'deny,allow', as this will cause an Apache server error.
Sat, 01/05/2010 - 17:14 — horuskol
For most applications, there really isn't all that much to Apache configuration beyond setting up the virtual host and document root.
But Apache has a lot more to offer, and this set of articles will show how to set up some security on your site.