| 1 |
On Thu, 29 Nov 2012 15:36:51 -0800 |
| 2 |
Grant <emailgrant@×××××.com> wrote: |
| 3 |
|
| 4 |
> > > I want users jack and jill to be able to access the web content |
| 5 |
> > > from any IP address, and I want users john and jacob to be able |
| 6 |
> > > to access the web content only if they are coming from a certain |
| 7 |
> > > IP address. I don't want anyone else to have access. |
| 8 |
> > > |
| 9 |
> > > - Grant |
| 10 |
> > |
| 11 |
> > Run two vhosts that deliver the same content from the same |
| 12 |
> > DocumentRoot |
| 13 |
> > |
| 14 |
> > One has jack and jill as users in htpasswd with no acls in place |
| 15 |
> > The other has john and jacob as users in a different htpasswd with |
| 16 |
> > IP acls in place |
| 17 |
> > |
| 18 |
> > Trying to specify access rules to a group of users and not to other |
| 19 |
> > users all in the same context is a problem that will drive you nuts |
| 20 |
> > in a day. Rather side-step it entirely by applying your rules |
| 21 |
> > globaly to two different things. |
| 22 |
> |
| 23 |
> So I'm sure I understand, if I want to keep the IP address which |
| 24 |
> accesses the web content the same, this means setting up a vhost for |
| 25 |
> a port other than 80 and 443 which the other vhosts are already set |
| 26 |
> up on? |
| 27 |
|
| 28 |
No need for that, use name-based vhosting: |
| 29 |
|
| 30 |
the same IP, port and Apache instance, with different names in DNS the |
| 31 |
return the same IP. Apache can tell them apart based on the site name in |
| 32 |
the HTTP request and keeps the config separate with the |
| 33 |
<NameVirtualHost> directive. |
| 34 |
|
| 35 |
I don't know what sort of scale you are working at, if it's two users |
| 36 |
or many more. I have to deal with the same sort of thing in a |
| 37 |
corporate setting (not necessarily web sites) often for 50 or more |
| 38 |
users and that's how I would do it. |
| 39 |
|
| 40 |
Just a tip though: many times when I ponder complex access control |
| 41 |
systems I find out at the end that I'm just being really silly and |
| 42 |
don't actually need it. If I can't trust a user to behave outside of |
| 43 |
office hours that often means I can't trust them at all and they get no |
| 44 |
access :-) By all means continue with your original post if that's |
| 45 |
what you need but in your shoes I'd first be proving to myself it |
| 46 |
really is what I need (rather than what I think I want) |
| 47 |
|
| 48 |
-- |
| 49 |
Alan McKinnon |
| 50 |
alan.mckinnon@×××××.com |
Archives