I suspect that either it's not possible or I'm missing something very
obvious, but using Apache 1.3.9 is it possible to set up access control so
* access is automatically allowed from some client systems, and
* access is allowed from some other systems if a valid username/password
can be provided, but
* access from anywhere else is simply rejected, so no risk of password
guessing attacks (etc.) by people who are connecting from places that
should always be refused
If it helps, the list of systems allowed passworded access would most likely
be a superset of those allowed straight in. The context is a test server to
which the world in general should have no access, staff in one or two
subdomains should have direct (non-passworded) access, and systems anywhere
else in the organisation (domain) should have access only if they can
provide valid username/password. The "access with password" list would most
likely be a simple wildcard for the whole domain.
The "standard recipe" as seen e.g. at
only deals with allowing access from specific systems *or* if that fails,
allowing access with a password from anywhere.
Any solutions (short of writing/modifying an authentication module :-)?
John Line - Cambridge University Computing Service, Computer Laboratory,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.