Apache: Different authentication requirements

I have a web application running on Apache 2.4 that I would like to be password protected for everyone except my local network. If someone accesses it from my local network, it should let them in without a password.

This application has no authentication built in, so it relies on the web server (Apache 2.4) to provide any authentication required. In this case I have set up a simple authorization file with usernames and passwords (in digest format), and Apache is set up to use the AuthType of Digest. This works fine and provides simple password protection for the application. Now I would like to allow systems on my local network to access the application without being prompted for a password (bypassing the digest password).

Implementation

Here is how I accomplished that.

You need to add some Require directives to Apache. They can go either in a config file that is included when Apache starts up (this is what I do in /usr/local/etc/apache24/Include) or in an .htaccess file in the root of the application directory.

Here are all the lines required to prompt for the digest password from anywhere except my local network (192.168.5.0/24):

AuthType  Digest
AuthName  "myapp"
AuthUserFile /usr/local/etc/apache24/myapp/.htdigest
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
<RequireAny>
    Require ip 192.168.5.0/24
    Require  valid-user
</RequireAny>

Access is granted when either of the two Require directives is satisfied, because they are enclosed in a RequireAny container. RequireAny is actually Apache's default, so this would still work without the RequireAny lines, but leaving them in makes the configuration a lot easier to read. If you want both Require directives to be needed (access only from my local network and with a password), enclose them in a RequireAll container instead.
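The following is an added example, not part of the original post and not Apache's own code: a simplified Python model of how the two Require lines combine under RequireAny and RequireAll, and which HTTP status the client sees. The function names and the sample client addresses are assumptions made up for illustration; `user` stands for a username that digest authentication has already verified.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.5.0/24")  # subnet from the post


def require_ip(client_ip, user):
    """Model of 'Require ip 192.168.5.0/24': decided without credentials."""
    return "granted" if ipaddress.ip_address(client_ip) in LOCAL_NET else "denied"


def require_valid_user(client_ip, user):
    """Model of 'Require valid-user': undecided until a user has authenticated."""
    return "granted" if user else "need-user"


CHECKS = (require_ip, require_valid_user)


def evaluate(container, client_ip, user=None):
    """Combine both checks the way the named container does (simplified)."""
    results = [check(client_ip, user) for check in CHECKS]
    if container == "RequireAny":
        if "granted" in results:
            return "granted"
        # Supplying credentials could still change the outcome: challenge.
        return "need-user" if "need-user" in results else "denied"
    if container == "RequireAll":
        if "denied" in results:
            # No password can fix a failed IP check, so no prompt is sent.
            return "denied"
        return "need-user" if "need-user" in results else "granted"
    raise ValueError(f"unknown container: {container}")


def http_status(container, client_ip, user=None):
    """Map the outcome to the status the client receives."""
    return {"granted": 200, "need-user": 401, "denied": 403}[
        evaluate(container, client_ip, user)
    ]


if __name__ == "__main__":
    # Constructed sample clients: one inside the subnet, one outside it.
    for container in ("RequireAny", "RequireAll"):
        for ip in ("192.168.5.20", "203.0.113.7"):
            for user in (None, "alice"):
                print(container, ip, user, http_status(container, ip, user))
```

Under RequireAll, a client outside 192.168.5.0/24 gets 403 without ever seeing a password prompt, while a local client is challenged with 401 until it authenticates.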

Reference:
