Bypass Authentication Or Access Requirements

The Satisfy directive controls how Authentication directives (used for password protection) and access directives (e.g. Allow/Deny) interact with each other. You can instruct your Apache server to allow requests if either authentication or access requirements are met. Or you can insist that all criteria are met before allowing the request.

Satisfy comes with two options:

  • Satisfy Any Allows the request if any requirement is met (authentication OR access).
  • Satisfy All Allows the request only if both requirements are met (authentication AND access).

For the rest of this recipe, let's set an example scenario.

<Directory /home/www/site1/private>
  AuthUserFile /home/www/site1-passwd
  AuthType Basic
  AuthName MySite
  Require valid-user
</Directory>

With this configuration, your users will be required to authenticate as normal.

But let's say you want people from your LAN to have full access, without being prompted for a password. In this scenario we could use:

<Directory /home/www/site1/private>
  AuthUserFile /home/www/site1-passwd
  AuthType Basic
  AuthName MySite
  Require valid-user
  Order allow,deny
  Allow from 172.17.10
  Satisfy any
</Directory>

This will force everyone from the outside to authenticate, but those coming from the LAN IP range would not be required to do so. Apache will let them access the directory without authenticating. You can add other hostnames (local or remote) to the Allow directive to give them access to the directory as well. See the Apache Docs on Allow.

This will also work with a subdirectory in your protected directory. Let's say you have a subdirectory in private called noprotect that you want to allow everyone access to without being prompted for credentials. You could do this:

<Directory /home/www/site1/private/noprotect>
  Order allow,deny
  Allow from all
  Satisfy any
</Directory>

Finally, if you have a directory that is super-secret, you may want to restrict access to those on the LAN and demand a password:

<Directory /home/www/site1/super-secret>
  AuthUserFile /home/www/site1-passwd
  AuthType Basic
  AuthName MySite
  Require valid-user

  Order allow,deny
  Allow from 172.17.10
  Satisfy all
</Directory>

In this above example, the "Order allow,deny" line blocks access by default, the "Allow" directive allows the LAN, and the "Satisfy all" directive requires both LAN and password.

See the Apache Docs for further information on the Satisfy directive.

  • No labels