[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] Require directives

On 04/17/2018 10:39 AM, Luca Toscano wrote:
> Hi Robert,
> 2018-04-17 16:27 GMT+02:00 Robert Schweikert <rjschwei@xxxxxxxx>:
>> Hi,
>> Configuration question.
>> Apache version 2.4.23
>> What I am trying to do is have users authenticate but only allow access
>> to that authentication method from known IP ranges. To this effect I
>> have a config file that sets:
>> <Directory "some_path>
>>         Options +Indexes +FollowSymLinks
>>         IndexOptions +NameWidth=*
>>         PerlAuthenHandler THE::PERL::MODULE
>>         AuthName MODULE
>>         AuthType Basic
>>         Require valid-user
>>         Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
>>         Require ip A_VERY_LONG_LIST_OF_IP_RANGES
>> </Directory>
>> The observed behavior is what could be described as "or" behavior.
>> Meaning even traffic from outside the specified IP ranges is allowed to
>> hit the auth handler, i.e. the user gets a username/password request
>> when accessing a path that is not in the "SOME_EXCEPTION" path.
>> What I am trying to achieve is that Apache blocks any access if the
>> traffic originates from outside the specified IP ranges.
>> Is there a potential that I am hitting some limit of the number of IP
>> ranges specified and thus the whole mechanism of limiting by IP is ignored?
>> Am I simply mis-interpreting the documentation and I need to structure
>> the restrictions differently?
>> Is there some "and" directive to tie the requires together in an "and"
>> fashion to ensure all "Require" directives are considered?
> This might be useful:
> By default
> the multiple requires are acting as RequireAny, meanwhile you'd probably
> need RequireAll.
> Hope that helps!

Sure was, thanks solved the problem :)


Robert Schweikert                   MAY THE SOURCE BE WITH YOU
Distinguished Architect                       LINUX
Team Lead Public Cloud
IRC: robjo

Attachment: signature.asc
Description: OpenPGP digital signature