LinuxQuestions.org
Old 07-19-2014, 09:18 PM   #1
ngiw2012
LQ Newbie
 
Registered: Jun 2014
Posts: 13

Rep: Reputation: Disabled
Authenticate only some users in Apache?


We know that we can protect some pages in our Apache server using authentication.

But what if I have already authenticated the users using something else and added these users to a DB? Is there a way to configure Apache to query the database and not ask for credentials if it finds the user in this DB? In short, can Apache authenticate only some users (those which aren't found in the DB) and not ask for authentication credentials from users that are found in the DB?

What I really want is to deploy single sign-on. I have authenticated users using IEEE 802.1X and put the authenticated users in a DB, BUT I authenticate only the inside (inside my network) users, and I don't want Apache to reauthenticate them; I want Apache to authenticate only the outside users. What I have suggested is to let Apache query my DB and find out whether the user is already authenticated by IEEE 802.1X: if Apache finds the user in this DB, it doesn't ask him for credentials; otherwise it does.
 
Old 07-20-2014, 06:52 AM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
authenticate only the inside ( inside my network ) users, and I don't want apache to reauthenticate them
I'd suggest the external users authenticate against the default Apache server using your public domain and public IP, while the local users accessing over the LAN using non-public IPs connect to a second, virtual Apache server which does not require login to access the same resources.
 
Old 07-20-2014, 07:20 AM   #3
ngiw2012
LQ Newbie
 
Registered: Jun 2014
Posts: 13

Original Poster
Rep: Reputation: Disabled
Thanks for your reply, but I don't want different web pages; I want one web page.

To enlighten you more on my question:

I know that I can let specific IP addresses in WITHOUT requiring user/password, while any other IP address SHOULD require login to gain access, using this:

<Directory /var/www/files/>
Order deny,allow
Deny from all
Allow from 192.168.1.0
Satisfy Any
AuthUserFile /etc/apache2/basic.pwd
AuthName "Please enter username and password"
AuthType Basic
Require valid-user
</Directory>

But the problem is:

Imagine I have this DB (different from the DB used for authentication):

User    IP
Mark    192.168.1.2
Mike    192.168.1.3
Karl    192.168.1.4

1- Can I allow all the IP addresses stored in the DB using a configuration in Apache?

2- Another problem is that the authorization of the allowed IPs is lost. Can Apache use this DB for authorization if the user is allowed to get the pages without authentication?
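
The `Satisfy Any` configuration from the post above, written in Apache 2.4 authorization syntax and extended with a per-request database lookup of the client address, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_dbd, mod_rewrite, mod_authn_file and mod_authz_core; the database `dot1x`, the table `sessions` with columns `username` and `ip`, the map name `dot1x_user`, the variable `DOT1X_OK` and the credentials are hypothetical.

```apache
# Added example, not from the thread. Hypothetical names: database "dot1x",
# table "sessions" (columns username, ip), map "dot1x_user", variable DOT1X_OK.
# The database credentials below are placeholders.

# --- Server or <VirtualHost> context ---
# RewriteMap is not allowed inside <Directory>, and the lookup has to run
# before the access check, so these lines stay outside the <Directory> block.
DBDriver  mysql
DBDParams "host=localhost dbname=dot1x user=apache_ro pass=CHANGE_ME"

RewriteEngine On

# "dbd:" runs the query on every lookup. "fastdbd:" caches results until the
# server restarts, so a client removed from the table would keep its bypass.
RewriteMap dot1x_user "dbd:SELECT username FROM sessions WHERE ip = %s"

# Mark the request when the client address has a row in the table.
# The rule rewrites nothing ("-"); it only sets the environment variable.
RewriteCond "${dot1x_user:%{REMOTE_ADDR}|NONE}" "!=NONE"
RewriteRule "^" "-" [E=DOT1X_OK:1]

# --- Protected directory ---
<Directory "/var/www/files/">
    AuthType     Basic
    AuthName     "Please enter username and password"
    AuthUserFile "/etc/apache2/basic.pwd"

    # 2.4 replacement for Order/Deny/Allow + Satisfy Any:
    # either condition grants access.
    <RequireAny>
        # Client address is listed in the 802.1X table: no password prompt.
        Require env DOT1X_OK
        # Everyone else must pass Basic authentication.
        Require valid-user
    </RequireAny>
</Directory>

# Requests admitted through "Require env" carry no REMOTE_USER, so the
# application sees no user name for them (question 2 in the post above).
```

The bypass is only as accurate as the table: a row has to be deleted when the 802.1X session ends, otherwise whoever next holds that address inherits the access. If Apache sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address unless mod_remoteip is configured.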
 
Old 07-20-2014, 07:31 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,691
Blog Entries: 4

Rep: Reputation: 3947
Is this an internal website, by any chance?

If so, then what you are describing here is essentially what LDAP (nee Microsoft ActiveDirectory), and Kerberos, already do: single sign-on authentication.

Furthermore, if the website is of such a nature that internal users ought to be able to have access to it using their internal company credentials alone, then I recommend that you should not expose that same website to the outside world. Instead, you should use a VPN perimeter around the whole thing ... using individually-issued digital certificates (not passwords!) to protect that outer ring.

The dual problem with "the wild and wooly web" is that neither authentication ("I trust that I know who you actually are"), nor authorization ("I trust that I know that you're entitled to do this"), can truly ever be relied upon. When you, in an internal company network, (wisely ...) use LDAP to establish these things, you are trusting the IT infrastructure within which everything lives. Either you can do that, or you can't.

Yes, you can establish two URLs, which point to the same place, and which have two separate authentication schemes. (You can't base it on source-IP.) However, I would sternly warn you, you don't want to do that, for the reasons aforementioned.
 
Old 07-20-2014, 07:39 AM   #5
ngiw2012
LQ Newbie
 
Registered: Jun 2014
Posts: 13

Original Poster
Rep: Reputation: Disabled
So there isn't any way for Apache to authorize according to my DB? AND no configuration to allow all the IP addresses stored in the DB?


Quote:
Originally Posted by sundialsvcs
Yes, you can establish two URLs, which point to the same place, and which have two separate authentication schemes. (You can't base it on source-IP.) However, I would sternly warn you, you don't want to do that, for the reasons aforementioned.
How can I DO such a thing? Is there any useful tutorial on the Apache website?
 
Old 07-20-2014, 09:08 AM   #6
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
ngiw, I think I see where you are confused...
Quote:
, but I don't want different web pages, I want one web page
The pages are resources, the servers are the mechanism by which the pages are served. Fifty servers can all serve the same page to 5,000 different users, simultaneously.
Quote:
what you are describing here is essentially what LDAP (nee Microsoft ActiveDirectory), and Kerberos, already do: single sign-on authentication.
To take sundials' explanation one step further, if a user is authenticated into the domain, then a domain-facing Apache server can handle those requests without additional sign-on by confirming the identity of the requester via Kerberos or LDAP. An externally facing server can serve the same page without any verification of identity.
As far as I know, Apache by itself can only simulate single sign-on through the use of cookies; however, this is inherently (extremely) insecure.
Quote:
How can I DO such a thing, Is there any useful tutorial on Apache website?
I seriously doubt it since it's such a bad idea.

Quote:
can I allow all the IP addresses stored in the DB using a configuration in Apache?
No, though if the requesting IPs form a discrete sub-network you can control their access to the Apache server via the firewall....

Last edited by dijetlo; 07-20-2014 at 09:16 AM.
 
  

