lighttpd: whitelist some IPs while authenticating the rest

Here's the scenario: you have an office full of people that need access to a certain web app. Some of them probably have insecure passwords and you're too busy to worry about the latest security holes in your web-app. Slow down attackers by allowing your office IP addresses in while denying the open web access until they put in a simple group password.

In other words, this post walks you through configuring lighttpd so that some IP addresses go straight to the web app (and authenticate with it as usual), while everyone else has to authenticate with mod_auth first and then with the web app.

These instructions were tested on Debian Lenny:
  • First, enable the authentication module:
    lighttpd-enable-mod auth
  • Create the password file; the format is username:password
    vim /etc/lighttpd.user
    Make the password file owned by the webserver user:
    chown www-data:www-data /etc/lighttpd.user
  • Configure the auth module:
    vim /etc/lighttpd/conf-enabled/05-auth.conf
    * Comment out the auth.backend = "plain" line
    * Comment out the auth.backend.plain.userfile = .... line
    * Change the auth.backend.plain.userfile file to the one you created above, /etc/lighttpd.user
  • Finally, require authentication from all IPs except IP1 and IP2 (add more separated by pipes) by adding the following to /etc/lighttpd/lighttpd.conf:

    # !~ is an unanchored regex match: use literal addresses, escape the dots
    # and anchor the pattern, e.g. "^(10\.0\.0\.1|10\.0\.0\.2)$".
    $HTTP["remoteip"] !~ "IP1|IP2" {
        auth.require = ( "" => (
            "method"  => "basic",
            "realm"   => "Employees Only!",
            "require" => "user=username"
        ) )
    }

    Note: you can't use hostnames, only IPs
  • Reload lighttpd and you're done!
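The address list in the $HTTP["remoteip"] condition is a regular expression, so a bare, unanchored list such as "10.0.0.1|10.0.0.2" also matches 10.0.0.10 or 110.0.0.1 and quietly widens the whitelist. This added Python example (not from the post) shows which constructed sample addresses slip through the loose pattern and builds the escaped, anchored pattern for the lighttpd block; the address values are made up for illustration.

```python
import re
from ipaddress import ip_address

def loose_pattern(ips):
    """The pattern as written in the post: bare addresses joined by pipes."""
    return "|".join(ips)

def strict_pattern(ips):
    """Validate each address, escape its dots and anchor the whole alternation,
    so the regex matches exactly those addresses and nothing else."""
    escaped = [re.escape(str(ip_address(ip))) for ip in ips]
    return "^(" + "|".join(escaped) + ")$"

def matches(pattern, remote_ip):
    """lighttpd's =~ / !~ operators are unanchored regex searches (PCRE);
    Python's re.search behaves the same way for these simple patterns."""
    return re.search(pattern, remote_ip) is not None

def overmatches(ips, candidates):
    """Return the candidate addresses the loose pattern whitelists but the
    strict pattern rejects, i.e. clients that would skip mod_auth by mistake."""
    loose, strict = loose_pattern(ips), strict_pattern(ips)
    return [c for c in candidates if matches(loose, c) and not matches(strict, c)]

def lighttpd_block(ips, require="user=username"):
    """Render the post's conditional block with the strict pattern substituted.
    (lighttpd also accepts CIDR ranges with == / !=, e.g. != "10.0.0.0/8",
    which avoids regexes entirely when whitelisting a whole subnet.)"""
    return (
        f'$HTTP["remoteip"] !~ "{strict_pattern(ips)}" {{\n'
        '    auth.require = ( "" => (\n'
        '        "method"  => "basic",\n'
        '        "realm"   => "Employees Only!",\n'
        f'        "require" => "{require}"\n'
        '    ) )\n'
        '}\n'
    )

if __name__ == "__main__":
    # Constructed sample values: two office addresses and a few outside clients.
    office = ["10.0.0.1", "10.0.0.2"]
    clients = ["10.0.0.1", "10.0.0.10", "10.0.0.25", "110.0.0.1", "10.0.0.3"]
    print("whitelisted by mistake:", overmatches(office, clients))
    print(lighttpd_block(office))
```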
