In previous sections, you learned how to restrict access based on user identity or request information. The Satisfy directive enables you to determine whether both types of access restrictions must be satisfied in order to grant access. Satisfy accepts one parameter, which can be either all or any.
Satisfy all means that the client will be granted access if it provides a valid username and password and passes the access restrictions. Satisfy any means the client will be granted access if it provides a valid username and password or passes the access restrictions.
Why is this directive useful? For example, you might want to provide free access to your Web site to users coming from an internal, trusted address, but require users coming from the Internet to provide a valid username and password. Listing 24.4 demonstrates just that.
Listing 24.4. Mixing Authentication and Access Control Rules
1: <Location /restricted> 2: Allow from 10.0.0.0/255.255.255.0 3: AuthType Basic 4: AuthName "Intranet" 5: AuthUserFile /usr/local/apache2/conf/htusers 6: AuthAuthoritative on 7: Require valid-user 8: Satisfy any 9: </Location>
By the Way
Access control based on connection or request information is not completely secure. Although it provides an appropriate level of protection for most cases, the rules rely on the integrity of your DNS servers and your network infrastructure. If an attacker gains control of your DNS servers, or your routers or firewalls are incorrectly configured, he can easily change authorized domain name records to point to his machine or pretend he is coming from an authorized IP address.