1

I want to restrict access to a given site based on two criteria:

  1. The IP address of the client (i.e. is it within an allowed range) and;
  2. Digest authentication.

However, for each range of IPs there will be a different list of username/password combinations (I'm segregating clients by source IP, then requiring authentication on top of that). Every client which comes from a valid IP and provides a matching username/password combination (or digest in this case) for that IP will connect to the same hostname and see the same site served from the same document root.

I'd like to keep this configuration in the Apache configuration if possible, to avoid reinventing the wheel in my application, and have something like this:

if client_ip = 1.1.1.1
  digest_file = /etc/digests/customer1
elseif client_ip = 2.2.2.2
  digest_file = /etc/digests/customer2
else
  deny access

Is it possible to do this within a single virtual host? I'm running Apache 2.2.9 on Debian and have the ability to load modules if required.

I have also thought about using a different hostname and virtual host container for each customer, and putting a different IP range and digest file reference in each, but unfortunately this site will run over HTTPS and I suspect obtaining all the extra IPs would be prohibitive in terms of cost.

pwaring
  • 209
  • 2
  • 7
  • I don't know if apache can do what you are asking, but if you go the virtual host route, you have alternatives to extra IPs: UCC certs if you have a limited number of clients or a *.example.com wildcard cert if all your sites are of the form client.example.com – DerfK Nov 26 '10 at 16:07
  • I'm a bit dubious about wildcard certificates - are HTTP clients intelligent enough to know that *.example.org matches www.example.org, client.example.org and www.client.example.org? I'm not convinced that going more than one subdomain deep is reliable across all clients. – pwaring Nov 26 '10 at 16:25

0 Answers0