
Re: [users@httpd] Require directives

Hi Robert,

2018-04-17 16:27 GMT+02:00 Robert Schweikert <rjschwei@xxxxxxxx>:

Configuration question.

Apache version 2.4.23

What I am trying to do is have users authenticate but only allow access
to that authentication method from known IP ranges. To this effect I
have a config file that sets:

<Directory "some_path">
        Options +Indexes +FollowSymLinks
        IndexOptions +NameWidth=*

        PerlAuthenHandler THE::PERL::MODULE
        AuthName MODULE
        AuthType Basic
        Require valid-user
        Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#

        Require ip A_VERY_LONG_LIST_OF_IP_RANGES
</Directory>

The observed behavior is what could be described as "or" behavior.
Meaning even traffic from outside the specified IP ranges is allowed to
hit the auth handler, i.e. the user gets a username/password request
when accessing a path that is not in the "SOME_EXCEPTION" path.

What I am trying to achieve is that Apache blocks any access if the
traffic originates from outside the specified IP ranges.

Is there a potential that I am hitting some limit of the number of IP
ranges specified and thus the whole mechanism of limiting by IP is ignored?

Am I simply mis-interpreting the documentation and I need to structure
the restrictions differently?

Is there some "and" directive to tie the requires together in an "and"
fashion to ensure all "Require" directives are considered?

This might be useful: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#logic. By default the multiple requires are acting as RequireAny, meanwhile you'd probably need RequireAll.

Hope that helps!
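
Added example, not part of the original messages: one way to restructure the posted block with the RequireAll container from the linked mod_authz_core documentation. It keeps the placeholders from the question and assumes the /SOME_EXCEPTION/ path should also be limited to the known IP ranges.

```apache
<Directory "some_path">
    Options +Indexes +FollowSymLinks
    IndexOptions +NameWidth=*

    PerlAuthenHandler THE::PERL::MODULE
    AuthName MODULE
    AuthType Basic

    # Bare Require lines in one context are combined as an implicit
    # <RequireAny>, which is the "or" behavior observed in the question.
    # <RequireAll> makes every child a mandatory condition.
    <RequireAll>
        # Condition 1: the client address must be in a known range.
        # Listed first so the address check precedes the credential check.
        # If the list is split over several "Require ip" lines, wrap those
        # lines in their own <RequireAny>; placed directly inside
        # <RequireAll>, a client would have to match every line.
        Require ip A_VERY_LONG_LIST_OF_IP_RANGES

        # Condition 2: either an authenticated user, or a request for the
        # exception path (which then needs no credentials).
        <RequireAny>
            Require valid-user
            Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
        </RequireAny>
    </RequireAll>
</Directory>
```

To verify, request a non-exception path from an address outside the ranges: the expected response is 403 Forbidden rather than a 401 with a WWW-Authenticate challenge.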