public inbox for gentoo-user@lists.gentoo.org
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restrict certain web users by IP
Date: Fri, 30 Nov 2012 08:57:21 +0200
Message-ID: <20121130085721.3f9ef936@khamul.example.com>
In-Reply-To: <CAN0CFw3w5YmxZBmSsNCY29B3FxLmQLsDDK44SudnRzRm3udfmA@mail.gmail.com>

On Thu, 29 Nov 2012 15:36:51 -0800
Grant <emailgrant@gmail.com> wrote:

> > > I want users jack and jill to be able to access the web content
> > > from any IP address, and I want users john and jacob to be able
> > > to access the web content only if they are coming from a certain
> > > IP address.  I don't want anyone else to have access.
> > >
> > > - Grant
> >
> > Run two vhosts that deliver the same content from the same
> > DocumentRoot
> >
> > One has jack and jill as users in htpasswd with no acls in place
> > The other has john and jacob as users in a different htpasswd with
> > IP acls in place
> >
> > Trying to specify access rules to a group of users and not to other
> > users all in the same context is a problem that will drive you nuts
> > in a day. Rather side-step it entirely by applying your rules
> > globally to two different things.
> 
> So I'm sure I understand, if I want to keep the IP address which
> accesses the web content the same, this means setting up a vhost for
> a port other than 80 and 443 which the other vhosts are already set
> up on?

No need for that, use name-based vhosting:

the same IP, port and Apache instance, with different names in DNS that
return the same IP. Apache can tell them apart based on the site name in
the HTTP request and keeps the config separate with the
<NameVirtualHost> directive.

I don't know what sort of scale you are working at, if it's two users
or many more. I have to deal with the same sort of thing in a
corporate setting (not necessarily web sites) often for 50 or more
users and that's how I would do it.

Just a tip though: many times when I ponder complex access control
systems I find out at the end that I'm just being really silly and
don't actually need it. If I can't trust a user to behave outside of
office hours that often means I can't trust them at all and they get no
access :-)  By all means continue with your original post if that's
what you need but in your shoes I'd first be proving to myself it
really is what I need (rather than what I think I want)

-- 
Alan McKinnon
alan.mckinnon@gmail.com
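The two name-based vhosts Alan describes, written out as an added example in Apache 2.2 syntax (this is not configuration from the thread). The hostnames, DocumentRoot, htpasswd file names and the 203.0.113.10 address are assumed placeholders; on Apache 2.4 the Order/Deny/Allow/Satisfy lines become a <RequireAll> block containing `Require ip` and `Require valid-user`.

```apache
# Both vhosts share one IP, one port and one Apache instance;
# the Host header selects which policy applies.
NameVirtualHost *:80

# Vhost 1: jack and jill, reachable from any source address.
# Because it is listed first it is also the default vhost, so a
# request with an unknown Host header still hits a password check.
<VirtualHost *:80>
    ServerName anywhere.example.com
    DocumentRoot /var/www/content

    <Directory /var/www/content>
        AuthType Basic
        AuthName "Restricted content"
        # htpasswd file containing only jack and jill
        AuthUserFile /etc/apache2/htpasswd.anywhere
        Require valid-user
    </Directory>
</VirtualHost>

# Vhost 2: john and jacob, same content, but only from one address.
<VirtualHost *:80>
    ServerName office.example.com
    DocumentRoot /var/www/content

    <Directory /var/www/content>
        AuthType Basic
        AuthName "Restricted content"
        # separate htpasswd file containing only john and jacob,
        # so their credentials are never valid on vhost 1
        AuthUserFile /etc/apache2/htpasswd.office
        Require valid-user

        # IP ACL: deny everyone, then allow the permitted address
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10

        # Satisfy All: the IP check AND the password must both pass.
        # (The default, Satisfy Any, would let the IP alone grant access.)
        Satisfy All
    </Directory>
</VirtualHost>
```

Populate the two files with `htpasswd -c /etc/apache2/htpasswd.anywhere jack` (then `htpasswd` without `-c` for each further user), and serve both names over the existing port 443 vhost as well, since Basic auth sends the password in the clear.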


