Combining Access Methods
In previous sections, you learned how to restrict access based on user identity or request information. The Satisfy directive enables you to determine whether both types of access restrictions must be satisfied in order to grant access. Satisfy accepts one parameter, which can be either all or any.
Satisfy all means that the client will be granted access if it provides a valid username and password and passes the access restrictions. Satisfy any means the client will be granted access if it provides a valid username and password or passes the access restrictions.
Why is this useful? For example, you might want to provide free access to your Web site to users coming from an internal, trusted network address, but require users coming from the Internet to provide a valid username and password. Listing 7.7 demonstrates just that.
Listing 7.7 Mixing Authentication and Access Control Rules
1: <Location /restricted> 2: Order allow,deny 3: Allow from 10.0.0.0/255.255.255.0 4: AuthType Basic 5: AuthName "Intranet" 6: AuthUserFile /usr/local/apache2/conf/htusers 7: AuthAuthoritative on 8: Require valid-user 9: Satisfy any 10: </Location>
Access control based on connection or request information is not completely secure. Although it provides an appropriate level of protection for most cases, the rules rely on the integrity of your DNS servers and your network infrastructure. If an attacker gains control of your DNS servers, or your routers or firewalls are incorrectly configured, he can easily change authorized domain name records to point to his machine or pretend he is coming from an authorized IP address.