
Restricting Website Access with Apache 2


This chapter is from the book
Sams Teach Yourself Apache 2 in 24 Hours

This lesson covers how to restrict access to parts of a Web site based on the identity of the user or information about the request, such as the originating IP address. You will learn how to change the configuration of the server to protect your content and how to use user and group management tools.


This hour explains how to restrict access to parts of a Web site based on the identity of the user or on information about the request.

In this hour, you will learn:

  • How to restrict access based on the user, client IP address, domain name, and browser version

  • How to enable and configure Apache authentication modules

  • How to use the user management tools provided with Apache

Authentication

Authorization and authentication are common requirements for many Web sites. Authentication establishes the identity of parties in a communication. You can authenticate yourself by something you know (a password, a cookie), something you have (an ID card, a key), something you are (your fingerprint, your retina), or a combination of these elements. In the context of the Web, authentication is usually restricted to the use of passwords and certificates. Certificates are explained in Hour 17, "Setting Up a Secure Server."

Authorization deals with protecting access to resources. You can authorize based on several factors, such as the IP address the user is coming from, the user's browser, the content the user is trying to access, or who the user is (which must first be established through authentication).

Apache includes several modules that provide authentication and access control and that can be used to protect both dynamic and static content.

You can either use one of these modules or implement your own access control at the application level and provide customized login screens, single sign-on, and other advanced functionality. Those topics are application- and development language–specific and are not covered in this book, which only deals with authentication and authorization at the Web server level.
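The following configuration is an added illustration, not taken from the book, of how the two concepts appear at the Web server level. It uses Apache 2.4 syntax (Apache 2.0 and 2.2 expressed host-based rules with Order, Allow, and Deny instead of Require ip). The paths, realm names, group name, environment variable name, and the 192.0.2.0/24 documentation range are placeholders.

```apache
# Authorization only: the decision uses information about the request
# (the client address); no identity is established.
<Directory "/var/www/example/intranet">
    Require ip 192.0.2.0/24
</Directory>

# Authentication followed by authorization on the established identity.
# Basic authentication sends the password base64-encoded on every request,
# so serve this location over TLS only.
<Directory "/var/www/example/reports">
    AuthType Basic
    AuthName "Reports"
    AuthBasicProvider file
    # Keep the password file outside the document root.
    AuthUserFile "/etc/apache2/example.htpasswd"
    Require valid-user
</Directory>

# Combination: the request must come from the internal range AND the
# authenticated user must belong to the "admins" group.
<Directory "/var/www/example/admin">
    AuthType Basic
    AuthName "Admin"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/example.htpasswd"
    AuthGroupFile "/etc/apache2/example.groups"
    <RequireAll>
        Require ip 192.0.2.0/24
        Require group admins
    </RequireAll>
</Directory>

# Browser-based rule: the User-Agent header is supplied by the client and
# can be set to any value, so treat this as traffic shaping, not as a
# security control.
SetEnvIfNoCase User-Agent "ExampleAgent" blocked_agent
<Directory "/var/www/example/public">
    <RequireAll>
        Require all granted
        Require not env blocked_agent
    </RequireAll>
</Directory>
```

Running `apachectl configtest` after editing catches syntax errors before the server is reloaded.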
