Protecting a directory

Shortly before 3:00, Roger saunters over from the Human Resources office. As he strokes his whiskers, he mentions that they need you to set up an Intranet directory on the web server for an employee newsletter. Since the newsletter is going to be talking about successes and failures in the company, it’s important that the directory be protected from people outside the network. OK. Let’s assume that addresses in your network follow the 192.168.0.x address format. That is, your IP address on the network might be something like, whereas your officemate’s IP Address might be You’ll make use of two Apache features: basic authentication, or basic access control. Since the Intranet site is for all employees, the simplest thing to do is use the Order, Allow, and Deny directives to control access to the directory. However, this excludes off-site employees who are checking the site through the Internet. As a result, the best method to use here is a combination of both access control and basic authentication, along with the Satisfy directive. The Satisfy directive, when set to ‘any’, sets an either/or scenario in Apache; if the user requesting the page is outside of the 192.168.0.x IP address range, they will be presented with a login prompt. Otherwise, the page will be shown to them without having to authenticate on the Apache server. In order to maintain this section easily in the future, I’ve added a special section for the protected directory. This will help me find it quicker in the future, should I need to make configuration changes. Because this system is going to be accessed by people outside the company network (hence the name extranet), we won’t always know what IP Address they’re coming from. As a result, we want to ask for a username and a password before allowing them access to the site. The first directive we want to use for configuring authentication is AuthName. This directive will display text in the user’s alert box, describing why Apache is requesting they authenticate before seeing the page. Next, we need to tell Apache what type of authentication to use. As we discussed in Chapter 3, not all browsers support all types of authentication; as a result, we want to stick with basic authentication. After we’ve told Apache what type of authentication to use, we need to tell it where to find the users allowed on the system. This is the .htpasswd file, which is created through using the htpasswd utility. To bring the authentication together, we finally need to tell Apache that it needs a valid user in order to authenticate. Because this system is also going to be used inside the network, we don’t want to have to subject users to logging in every time they want to have access to the Intranet. As a result, we need to set up an additional access rule based on the IP Address of the person visiting. This is done through the Allow/Deny directives. First, we need to tell Apache in which order it is to read the access rules. In this case, we want it to read the access rules first, and then the deny rules. This is done through Order Allow, Deny . Next, we want to tell Apache which IP Addresses it should allow to access the directory. Since everyone in the internal network has an IP Address starting with 192.168.0 (for example,, we’ll set this up with a wildcard: Allow from 192.168.0. Next, we have to tell Apache to deny all other IP Addresses through the Deny from all directive. Finally, we have to tell Apache that if either the IP Address matches, or the user enters the right username and password, that the user is allowed access to the directory. This is done through the Satisfy any directive.
Example configuration
# Load basic Apache configuration
Include basic.conf
# Load Modules
Include modules.conf
# Load Logs
Include logfiles.conf
ServerAdmin [email protected]
DocumentRoot /var/www/
 ErrorLog /var/log/apache/error.log
CustomLog /var/log/apache/access.log combined
<Directory />
Options Indexes SymLinksIfOwnerMatch MultiViews
    AllowOverride None
<Directory /var/www/>
    Options Indexes Includes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
<Directory /var/www/intranet/>
  Options Indexes Includes FollowSymLinks MultiViews ExecCGI
  AllowOverride All
  AuthName “Foo Industries Extranet – Employee Access Only”
  AuthType Basic
  AuthUserFile /var/www/intranet/.htpasswd
  Require valid-user
  Order Allow, Deny
  Allow from 192.168.0
  Deny from all
  Satisfy any
  ErrorDocument 401 /errors/authorization.html