On Thu, 29 Nov 2012 15:36:51 -0800
Grant <emailgrant@×××××.com> wrote:

> > > I want users jack and jill to be able to access the web content
> > > from any IP address, and I want users john and jacob to be able
> > > to access the web content only if they are coming from a certain
> > > IP address. I don't want anyone else to have access.
> > >
> > > - Grant
> >
> > Run two vhosts that deliver the same content from the same
> > DocumentRoot
> >
> > One has jack and jill as users in htpasswd with no acls in place
> > The other has john and jacob as users in a different htpasswd with
> > IP acls in place
> >
> > Trying to specify access rules to a group of users and not to other
> > users all in the same context is a problem that will drive you nuts
> > in a day. Rather side-step it entirely by applying your rules
> > globally to two different things.
>
> So I'm sure I understand, if I want to keep the IP address which
> accesses the web content the same, this means setting up a vhost for
> a port other than 80 and 443 which the other vhosts are already set
> up on?

No need for that, use name-based vhosting:

the same IP, port and Apache instance, with different names in DNS that
return the same IP. Apache can tell them apart based on the site name in
the HTTP request and keeps the config separate with the
<NameVirtualHost> directive.

I don't know what sort of scale you are working at, if it's two users
or many more. I have to deal with the same sort of thing in a
corporate setting (not necessarily web sites) often for 50 or more
users and that's how I would do it.

Just a tip though: many times when I ponder complex access control
systems I find out at the end that I'm just being really silly and
don't actually need it. If I can't trust a user to behave outside of
office hours that often means I can't trust them at all and they get no
access :-) By all means continue with your original post if that's
what you need but in your shoes I'd first be proving to myself it
really is what I need (rather than what I think I want)

--
Alan McKinnon
alan.mckinnon@×××××.com
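
The two-vhost layout described in this message, written out as an added example (not part of the original thread) in Apache 2.4 syntax. The host names, file paths and the 203.0.113.10 address are placeholders chosen for illustration.

```apache
# Added example; names, paths and the IP address are placeholders.
# Apache 2.4 syntax. Apache 2.2 also needs "NameVirtualHost *:80" and uses
# Order/Deny/Allow with "Satisfy All" in place of <RequireAll>/"Require ip".

# Listed first on purpose: the first vhost for an address:port is the default,
# so a request whose Host header matches neither name gets the stricter policy.
<VirtualHost *:80>
    ServerName restricted.example.com
    DocumentRoot /var/www/shared

    <Directory /var/www/shared>
        AuthType Basic
        AuthName "Shared content (fixed IP)"
        # Contains only john and jacob
        AuthUserFile /etc/apache2/htpasswd-fixed-ip
        <RequireAll>
            Require valid-user
            Require ip 203.0.113.10
        </RequireAll>
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName open.example.com
    # Same content as the vhost above
    DocumentRoot /var/www/shared

    <Directory /var/www/shared>
        AuthType Basic
        AuthName "Shared content (any IP)"
        # Contains only jack and jill; no IP rule
        AuthUserFile /etc/apache2/htpasswd-anywhere
        Require valid-user
    </Directory>
</VirtualHost>

# Basic auth sends the password base64-encoded, not encrypted: apply the same
# <Directory> blocks in the *:443 vhosts when credentials cross an untrusted network.
```

The Host header is chosen by the client, so the IP rule holds only because john and jacob are absent from the password file used by the open vhost. Keep the two htpasswd files disjoint, and check the result with `apachectl configtest` and `apachectl -S`.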