OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[users@httpd] Require directives


Hi,

Configuration question.

Apache version 2.4.23

What I am trying to do is have users authenticate but only allow access
to that authentication method from known IP ranges. To this effect I
have a config file that sets:

<Directory "some_path>
        Options +Indexes +FollowSymLinks
        IndexOptions +NameWidth=*

        PerlAuthenHandler THE::PERL::MODULE
        AuthName MODULE
        AuthType Basic
        Require valid-user
        Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#

        Require ip A_VERY_LONG_LIST_OF_IP_RANGES
        Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
</Directory>

The observed behavior is what could be described as "or" behavior.
Meaning even traffic from outside the specified IP ranges is allowed to
hit the auth handler, i.e. the user gets a username/password request
when accessing a path that is not in the "SOME_EXCEPTION" path.

What I am trying to achieve is that Apache blocks any access if the
traffic originates from outside the specified IP ranges.

Is there a potential that I am hitting some limit of the number of IP
ranges specified and thus the whole mechanism of limiting by IP is ignored?

Am I simply mis-interpreting the documentation and I need to structure
the restrictions differently?

Is there some "and" directive to tie the requires together in an "and"
fashion to ensure all "Require" directives are considered?

Should the ip address restriction move to a different config file? At
present this is included for a given path, but the server really only
serves this specific path and thus traffic could be declined on a more
general level.

Help is much appreciated.

Thanks,
Robert

-- 
Robert Schweikert                   MAY THE SOURCE BE WITH YOU
Distinguished Architect                       LINUX
Team Lead Public Cloud
rjschwei@xxxxxxxx
IRC: robjo

Attachment: signature.asc
Description: OpenPGP digital signature