Re: [users@httpd] Require directives


On 04/17/2018 10:39 AM, Luca Toscano wrote:
> Hi Robert,
> 
> 2018-04-17 16:27 GMT+02:00 Robert Schweikert <rjschwei@xxxxxxxx>:
> 
>> Hi,
>>
>> Configuration question.
>>
>> Apache version 2.4.23
>>
>> What I am trying to do is have users authenticate but only allow access
>> to that authentication method from known IP ranges. To this effect I
>> have a config file that sets:
>>
>> <Directory "some_path">
>>         Options +Indexes +FollowSymLinks
>>         IndexOptions +NameWidth=*
>>
>>         PerlAuthenHandler THE::PERL::MODULE
>>         AuthName MODULE
>>         AuthType Basic
>>         Require valid-user
>>         Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
>>
>>         Require ip A_VERY_LONG_LIST_OF_IP_RANGES
>>         Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
>> </Directory>
>>
>> The observed behavior is what could be described as "or" behavior.
>> Meaning even traffic from outside the specified IP ranges is allowed to
>> hit the auth handler, i.e. the user gets a username/password request
>> when accessing a path that is not in the "SOME_EXCEPTION" path.
>>
>> What I am trying to achieve is that Apache blocks any access if the
>> traffic originates from outside the specified IP ranges.
>>
>> Is there a potential that I am hitting some limit of the number of IP
>> ranges specified and thus the whole mechanism of limiting by IP is ignored?
>>
>> Am I simply mis-interpreting the documentation and I need to structure
>> the restrictions differently?
>>
>> Is there some "and" directive to tie the requires together in an "and"
>> fashion to ensure all "Require" directives are considered?
> 
> 
> This might be useful:
> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#logic. By default
> the multiple requires are acting as RequireAny, meanwhile you'd probably
> need RequireAll.
> 
> Hope that helps!

Sure was, thanks solved the problem :)

Later,
Robert

-- 
Robert Schweikert                   MAY THE SOURCE BE WITH YOU
Distinguished Architect                       LINUX
Team Lead Public Cloud
rjschwei@xxxxxxxx
IRC: robjo
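
The change suggested in the reply, written out as an added example (not configuration posted in the thread): the address check and the login check become two conditions that must both hold. The directory path and the IP ranges are placeholders, and letting the exception path skip the login but not the address check is an assumption about the intended policy.

```apache
# Before (as posted in the thread): bare Require lines in one container are
# combined as an implicit <RequireAny>, so satisfying any single line is enough.
#
#   Require valid-user
#   Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
#   Require ip A_VERY_LONG_LIST_OF_IP_RANGES
#   Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
#
# After: <RequireAll> succeeds only if every child succeeds.

# Placeholder path; the thread elides the real one.
<Directory "/srv/www/example">
    Options +Indexes +FollowSymLinks
    IndexOptions +NameWidth=*

    PerlAuthenHandler THE::PERL::MODULE
    AuthName MODULE
    AuthType Basic

    <RequireAll>
        # Condition 1: the client address is in one of the known ranges.
        # Placeholder ranges from the documentation blocks (RFC 5737).
        <RequireAny>
            Require ip 192.0.2.0/24 198.51.100.0/24
            Require ip 203.0.113.0/24
        </RequireAny>

        # Condition 2: an authenticated user, or a request for the
        # exception path (assumed to still require a known address).
        <RequireAny>
            Require valid-user
            Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
        </RequireAny>
    </RequireAll>
</Directory>
```

A request from outside the listed ranges fails the first group, so the `<RequireAll>` fails whatever credentials are supplied; `apachectl configtest` checks the syntax before a reload.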
