Access controls in Apache

There are various ways in which you can control access to a resource in Apache.

Here, we'll focus on managing access using a .htaccess file. Every virtual host on a machine has its own .htaccess file.

However, for the .htaccess file to have any effect regarding access control, the Apache server needs to have AllowOverride AuthConfig in the virtual host's configuration. For example, this can look like below:

Example vhost configuration, AllowOverride is highlighted

<VirtualHost *:443>
        ServerName my-test.site
        ServerAdmin [email protected]
        DocumentRoot /var/www/my-test.site

        <Directory /var/www/my-test.site>
            Options Indexes FollowSymLinks
            AllowOverride AuthConfig
            Require all granted
        </Directory>
        
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/my-test.site/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/my-test.site/privkey.pem
</VirtualHost>

Once the AllowOverride directive is in place, you can start limiting access through a .htacess file.

Protecting a directory with a username and a password

First, create a password file:

Command

htpasswd -c /usr/local/apache/passwd/passwords exampleuser

Add the following to a .htaccess file in the virtual host's document root:

.htaccess

AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user exampleuser

Now, when someone tries to access the files in this virtual host's document root, they'll be prompted to enter a username and password.

Combining a username with the directive "Satisfy any"

Something that isn’t as widely known is the Apache directive Satisfy any. If you add the following to the above .htaccess file:

Addition to the .htaccess file

Order allow,deny
Allow from 2a02:750:dead:beaf::/64
Satisfy any

...you change the behavior from requiring a password to requiring that the user either originates from 2a02:750:dead:beaf::/64 or provides a username.

With this setup, for example, a developer can access the website without entering a password (if they originate from 2a02:750:dead:beaf::/64), while the site remains inaccessible to regular users. If the developer wants to access the site from outside of 2a02:750:dead:beaf::/64 they can still do that using the username/password.

Blocking IP address

To only allow access from two specific IP addresses, edit the .htaccess file to only contain the content below:

.htaccess

Order Allow,Deny
Allow from 192.168.0.1
Allow from 192.168.1.2

We can also turn it around: block only those two IP addresses while allowing everything else. This example is, in other words, the complete opposite of the above example:

.htaccess

Order Deny,Allow
Deny from 192.168.0.1
Deny from 192.168.1.2

More information

There is additional information about the .htaccess file available on Apache's website: https://httpd.apache.org/docs/current/howto/htaccess.html

PreviousTraceroute using My Traceroute (MTR)NextProtect yourself from a WordPress XML-RPC attack

Last updated 7 months ago

Was this helpful?