Here's the scenario: you have an office full of people who need access to a certain web app. Some of them probably have weak passwords, and you're too busy to keep up with the latest security holes in the app itself. You can slow attackers down by letting your office IP addresses straight through while making everyone on the open Internet supply a simple group password first. In other words, this post walks you through configuring lighttpd so that some IP addresses go directly to the web app (and authenticate there as usual), while everyone else must first authenticate with mod_auth and only then reach the web app.

These instructions were tested on Debian Lenny.

First, enable the authentication module:

lighttpd-enable-mod auth

Create the password file. The format is one username:password pair per line:

vim /etc/lighttpd.user

Make the password file owned by the webserver user:

chown www-data:www-data /etc/lighttpd.user

Note that the plain backend stores these passwords in cleartext, so also restrict the file's permissions so that only the webserver user can read it, and keep in mind that HTTP basic auth only base64-encodes the password on the wire; put the site behind HTTPS if the group password matters.

Configure the auth module:

vim /etc/lighttpd/conf-enabled/05-auth.conf

* Comment out the auth.backend = "plain" line
* Co...
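The rest of the post's steps are cut off above. As an added example, not the post's own configuration, here is a complete 05-auth.conf that does what the post describes: requests from the office networks skip mod_auth, everything else must present a valid group password before reaching the web app. The office ranges (203.0.113.0/24 and the single host 198.51.100.7), the realm name and the use of the plain backend with the /etc/lighttpd.user file from the steps above are assumptions for the example.

```conf
## /etc/lighttpd/conf-enabled/05-auth.conf (added example, not the post's file)

server.modules += ( "mod_auth" )

# The plain backend reads username:password lines in cleartext;
# the path matches the file created earlier in this post.
auth.backend                = "plain"
auth.backend.plain.userfile = "/etc/lighttpd.user"

# lighttpd 1.4 conditionals cannot be OR'ed, but nesting two "!=" blocks
# means "not in the first range AND not in the second", which is exactly
# "not from any office address". Addresses below are example values.
$HTTP["remoteip"] != "203.0.113.0/24" {
    $HTTP["remoteip"] != "198.51.100.7" {
        # Everyone outside the office must log in with the group password
        # for the whole site ("/") before the request reaches the web app.
        auth.require = ( "/" =>
            (
                "method"  => "basic",
                "realm"   => "Office staff only",
                "require" => "valid-user"
            )
        )
    }
}
```

Check the syntax before reloading with lighttpd -t -f /etc/lighttpd/lighttpd.conf, then force-reload the service. Two caveats: $HTTP["remoteip"] is the TCP peer address, so if lighttpd sits behind a reverse proxy every request will appear to come from the proxy and the office exemption will not match as intended; and the exemption only bypasses the mod_auth prompt, so office users still log in to the web app itself exactly as before.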