From 2a463b3cd73c32ee9dcd508248d0194923f435f4 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Sat, 29 Mar 2014 21:56:19 +0100 Subject: Imported Upstream version 2.4.9 --- docs/manual/howto/auth.html.en | 76 ++++++++++++++++-------------------------- 1 file changed, 29 insertions(+), 47 deletions(-) (limited to 'docs/manual/howto/auth.html.en') diff --git a/docs/manual/howto/auth.html.en b/docs/manual/howto/auth.html.en index 7508170a..ceff2f56 100644 --- a/docs/manual/howto/auth.html.en +++ b/docs/manual/howto/auth.html.en @@ -9,7 +9,7 @@ - @@ -215,14 +215,12 @@ module from each group.

placed in httpd.conf inside a <Directory /usr/local/apache/htdocs/secret> section.

-
-AuthType Basic
+    
AuthType Basic
 AuthName "Restricted Files"
 # (Following line optional)
 AuthBasicProvider file
 AuthUserFile /usr/local/apache/passwd/passwords
-Require user rbowen
-    
+Require user rbowen

Let's examine each of those directives individually. The AuthType directive selects @@ -233,8 +231,8 @@ Require user rbowen the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl. Apache supports one other authentication method: - AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Most recent - browsers support Digest authentication.

+ AuthType Digest. This method is implemented by mod_auth_digest and was intended to be more secure. This is no + longer the case and the connection should be encrypted with mod_ssl instead.

The AuthName directive sets the Realm to be used in the authentication. The realm serves @@ -314,15 +312,13 @@ person in <Directory> block to look like the following:

-
-AuthType Basic
+    
AuthType Basic
 AuthName "By Invitation Only"
 # Optional line:
 AuthBasicProvider file
 AuthUserFile /usr/local/apache/passwd/passwords
 AuthGroupFile /usr/local/apache/passwd/groups
-Require group GroupName
-    
+Require group GroupName

Now, anyone that is listed in the group GroupName, @@ -374,15 +370,13 @@ Require group GroupName

To select a dbm file rather than a text file, for example:

-
-<Directory /www/docs/private>
+    
<Directory /www/docs/private>
     AuthName "Private"
     AuthType Basic
     AuthBasicProvider dbm
     AuthDBMUserFile /www/passwords/passwd.dbm
     Require valid-user
-</Directory>
-    
+</Directory>

Other options are available. Consult the @@ -398,16 +392,14 @@ Require group GroupName scheme that meets your needs. In the following example, both the file and LDAP based authentication providers are being used.

-
-<Directory /www/docs/private>
+    
<Directory /www/docs/private>
     AuthName "Private"
     AuthType Basic
     AuthBasicProvider file ldap
     AuthUserFile /usr/local/apache/passwd/passwords
     AuthLDAPURL ldap://ldaphost/o=yourorg
     Require valid-user
-</Directory>
-    
+</Directory>

In this example the file provider will attempt to authenticate @@ -423,8 +415,7 @@ Require group GroupName authorization methods can also be used. In this example both file group authorization as well as LDAP group authorization is being used.

-
-<Directory /www/docs/private>
+    
<Directory /www/docs/private>
     AuthName "Private"
     AuthType Basic
     AuthBasicProvider file
@@ -433,8 +424,7 @@ Require group GroupName
     AuthGroupFile /usr/local/apache/passwd/groups
     Require group GroupName
     Require ldap-group cn=mygroup,o=yourorg
-</Directory>
-    
+</Directory>

To take authorization a little further, authorization container @@ -499,13 +489,11 @@ Require group GroupName other than who they are. Something such as where they are coming from.

-

The authorization providers - all, - env, - host and - ip let you allow or deny access based other host based - criteria such as host name or ip address of the machine requesting - a document.

+

The authorization providers all, + env, host and ip let you + allow or deny access based other host based criteria such as + host name or ip address of the machine requesting a + document.

The usage of these providers is specified through the Require directive. @@ -530,37 +518,31 @@ Require group GroupName board, and you want to keep them out, you could do the following:

-
-<RequireAll>
+        
<RequireAll>
     Require all granted
     Require not ip 10.252.46.165
-</RequireAll>
-        
+</RequireAll>

Visitors coming from that address will not be able to see the content covered by this directive. If, instead, you have a machine name, rather than an IP address, you can use that.

-
-<RequireAll>
+        
<RequireAll>
     Require all granted
     Require not host host.example.com
-</RequireAll>
-        
+</RequireAll>

And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

-
-<RequireAll>
+        
<RequireAll>
     Require all granted
     Require not ip 192.168.205
     Require not host phishers.example.com moreidiots.example
     Require not host ke
-</RequireAll>
-        
+</RequireAll>

Using <RequireAll> @@ -595,10 +577,10 @@ Require group GroupName

More information

You should also read the documentation for - mod_auth_basic and mod_authz_host which - contain some more information about how this all works. - The directive <AuthnProviderAlias> - can also help in simplifying certain authentication configurations.

+ mod_auth_basic and mod_authz_host + which contain some more information about how this all works. The + directive <AuthnProviderAlias> can also help + in simplifying certain authentication configurations.

The various ciphers supported by Apache for authentication data are explained in Password @@ -632,7 +614,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/howto/auth.html'; } })(window, document); //-->
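Review bot: The replacement text for AuthType Digest in the @@ -233,8 +231,8 @@ hunk withdraws the old security claim with "This is no longer the case" but gives no reason and no pointer, so a reader cannot tell what changed or how much weight to put on it. Suggest adding a short clause saying why, or a link to the mod_auth_digest documentation. The unchanged sentence just before it already says Basic should not be used for highly sensitive data "unless accompanied by mod_ssl", so the paragraph now gives the same advice twice in different words; it would read more clearly if it stated once that both methods need a connection encrypted with mod_ssl.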
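Review bot: The re-wrapped paragraph in the @@ -499,13 +489,11 @@ hunk carries over the grammar slip "allow or deny access based other host based criteria" unchanged. Since these lines are being rewritten anyway, fix it to "based on other host-based criteria" and write "IP address" in capitals, matching the "rather than an IP address" wording in the context of the following hunk.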
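Review bot: In the @@ -530,37 +518,31 @@ hunk, the third RequireAll example is touched only at its wrapper lines, but its body still leaves the partial values unexplained: the lead-in says only "specify just part of an address or domain name", and nothing tells the reader what "Require not ip 192.168.205" or "Require not host ke" actually match. Suggest a comment line above each of those directives stating the intended scope, in the same style as the "# Optional line:" comment used in the earlier examples. The host name "moreidiots.example" is also worth replacing with a neutral placeholder while the block is being edited.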