On Tue, Oct 18, 2005 at 09:46:47AM +1000, Voytek wrote:

> I have Apache 1.3x running a number of vhosts, some have some htaccess
> control using maybe 10 or 15 unique usernames;
>
> for one vhost, I'm looking at setting a 'closed shop' accessible only to
> pre-defined existing customers, like, say, oscommerce behind htaccess
> authentication;
>
> is that a 'good idea' to look at htaccess authentication for around 200
> unique user/password ? or ?
By "htaccess authentication" you probably mean Basic Authentication,
probably with mod_auth and htpasswd files, right?

The main problem with Basic Authentication is security, since usernames
and passwords are passed in the clear - unless you're going to do
everything over SSL, you shouldn't do it.

Scalability is a secondary issue. Since htpasswd files just use a linear
scan, even 200 users will probably start to impact performance. The docs
say [1]:

    A consequence of this is that there's a practical limit to how many
    users you can put in one password file. This limit will vary depending
    on the performance of your particular server machine, but you can
    expect to see slowdowns once you get above a few hundred entries, and
    may wish to consider a different authentication method at that time.

Something like mod_auth_dbm/mod_auth_mysql/mod_auth_ldap would be better
for scalability, but you're still doing evil Basic Authentication, just
faster.

<Plug>You'd need something like mod_auth_tkt[2] to sidestep the problems
with Basic Authentication if you want to avoid using SSL everywhere.</Plug>

Cheers,
Gavin

[1] http://httpd.apache.org/docs/2.0/howto/auth.html
[2] http://www.openfusion.com.au/labs/mod_auth_tkt/

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
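Two of the points in Gavin's reply can be shown concretely: what a Basic Authorization header actually carries on the wire, and why a flat htpasswd file means a linear scan while a DBM or database backend is a keyed lookup. The script below is an added example written for this page; it is not code from the thread, from Apache, or from mod_auth_tkt. The captured-looking request, the host shop.example.com, the customer names and the passwords are all constructed, and the password file uses htpasswd's "{SHA}" entry format (htpasswd -s) rather than the crypt() or MD5 forms because it is easy to reproduce offline. The comparison counts it reports are a model of the scan cost, not a benchmark of mod_auth.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample (not a real capture): the request a browser sends
# once it has the user's credentials. The header value is only base64 of
# "customer042:s3cr3t", so anything that can see the request can read it.
SAMPLE_REQUEST = (
    "GET /shop/ HTTP/1.0\r\n"
    "Host: shop.example.com\r\n"
    "Authorization: Basic Y3VzdG9tZXIwNDI6czNjcjN0\r\n"
    "\r\n"
)


def extract_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic Authorization header.

    Basic auth is encoding, not encryption: a proxy, a sniffer on the
    LAN, or a log that records headers gets the password back directly.
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                return None
            decoded = base64.b64decode(token).decode("latin-1")
            user, _, password = decoded.partition(":")
            return user, password
    return None


def sha_entry(password: str) -> str:
    """Hash in htpasswd's '{SHA}' format: unsalted SHA-1, base64-encoded."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def build_sample_htpasswd(n: int) -> str:
    """Constructed password file with users customer000 .. customer(n-1)."""
    lines = [f"customer{i:03d}:{sha_entry(f'pw-{i}')}" for i in range(n)]
    return "\n".join(lines) + "\n"


def parse_htpasswd(text: str) -> List[Tuple[str, str]]:
    """Read 'user:hash' lines in file order, skipping blanks and comments."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries.append((user, stored))
    return entries


def verify_sha(stored: str, password: str) -> bool:
    """Constant-time compare of a '{SHA}' entry against a candidate password."""
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored.encode(), sha_entry(password).encode())


def check_linear(entries: List[Tuple[str, str]], user: str,
                 password: str) -> Tuple[bool, int]:
    """Flat-file lookup: scan top to bottom until the user matches.

    Returns (authenticated, entries_read). An unknown user, or a user near
    the end of the file, costs a read of the whole file on every request.
    """
    read = 0
    for name, stored in entries:
        read += 1
        if name == user:
            return verify_sha(stored, password), read
    return False, read


def build_index(entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Keyed store, as a DBM/database backend provides; first entry wins."""
    index: Dict[str, str] = {}
    for name, stored in entries:
        index.setdefault(name, stored)
    return index


def check_indexed(index: Dict[str, str], user: str,
                  password: str) -> Tuple[bool, int]:
    """Keyed lookup: one access regardless of how many users exist."""
    stored = index.get(user)
    if stored is None:
        return False, 1
    return verify_sha(stored, password), 1


if __name__ == "__main__":
    print("credentials on the wire:", extract_basic_credentials(SAMPLE_REQUEST))
    users = parse_htpasswd(build_sample_htpasswd(200))
    print("last user, flat file:", check_linear(users, "customer199", "pw-199"))
    print("last user, indexed:  ", check_indexed(build_index(users), "customer199", "pw-199"))
```

Whichever backend holds the hashes, the decoded header is the same, which is the point of the reply: a DBM or SQL store removes the scan, not the cleartext transport, and only TLS (or a ticket scheme such as the mod_auth_tkt the reply plugs) addresses that.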
