Access control lists for apache - best policies

By Larry Hayes - Oct. 11, 2007

I have several sub folders on my apache web server that I manage. I am looking for a way to define user groups so I can manage access to those web servers. I really do not want to invest in a big-ass identity control management app. I want to use htaccess and something simple. However, I would like to have the system manageable such that if a user leaves, I can simply remove his/her account from the server and not have to disrupt the other users.

Needs:
(1) Different users need access to different folders on the server
(2) Each user has his/her own login/pass

Ideally, I would like to define groups, and have anyone within those groups have access to the intranet

e.g. "development", "contractors", "testers", etc.

What is an easy way to do this?


Answers

  1. By Jesse Babson on Oct. 12, 2007

    Some things to be aware of:
    - htpasswd goes in clear text over the wire. Not super-secure, depending on your need
    - htdigest uses a digest, but IE 6 has issues with it. Do your users absolutely need it?
    - Is this the only form of security you are using? What about app-level security? That, of course, is a different can of worms.

    0 Votes
  2. By Jesse Babson on Oct. 12, 2007

    Also, you can do IP-level filtering in your httpd.conf file on a per-directory basis. Just include your local intranet and known IP addresses.

    This can be a pain to manage, but another level of security, assuming there are no widely shared subnets being used.

    0 Votes
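A group-based setup along the lines asked for in the question, combined with the transport and IP-filtering points raised in the answers. This is an added example, not configuration posted by anyone in the thread; it assumes Apache 2.4 with mod_authz_groupfile, mod_authz_host and mod_ssl loaded, and every path, user name, group membership and address range in it is a made-up placeholder.

```apache
# Group file /etc/apache2/auth/groups (assumed path), one line per group:
#   development: alice bob
#   contractors: carol
#   testers: dave alice
#
# Password file (assumed path), one entry per user:
#   htpasswd -c /etc/apache2/auth/passwords alice   # first user creates the file
#   htpasswd    /etc/apache2/auth/passwords bob     # later users are appended
#
# When someone leaves:
#   htpasswd -D /etc/apache2/auth/passwords carol   # delete that one entry
# then remove the name from the group lines. No other account is touched.

<Directory "/var/www/intranet/dev">
    # Refuse plain HTTP here: Basic auth sends the password base64-encoded,
    # not encrypted, so it must only travel inside TLS.
    SSLRequireSSL

    AuthType Basic
    AuthName "Intranet - development"
    AuthBasicProvider file
    AuthUserFile  "/etc/apache2/auth/passwords"
    AuthGroupFile "/etc/apache2/auth/groups"

    # Both conditions must hold: group membership AND a known source network.
    <RequireAll>
        Require group development
        Require ip 10.0.0.0/8
    </RequireAll>
</Directory>

<Directory "/var/www/intranet/qa">
    SSLRequireSSL
    AuthType Basic
    AuthName "Intranet - QA"
    AuthBasicProvider file
    AuthUserFile  "/etc/apache2/auth/passwords"
    AuthGroupFile "/etc/apache2/auth/groups"

    # Several groups on one line means membership in any of them is enough.
    <RequireAll>
        Require group testers contractors
        Require ip 10.0.0.0/8
    </RequireAll>
</Directory>
```

The same directives can go in a per-folder `.htaccess` file if the server config sets `AllowOverride AuthConfig` for that tree; keep the password and group files outside the document root so they cannot be fetched over HTTP.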