Posted to users@httpd.apache.org by Robert Schweikert <rj...@suse.com> on 2018/04/17 14:27:16 UTC
[users@httpd] Require directives
Hi,
Configuration question.
Apache version 2.4.23
What I am trying to do is have users authenticate but only allow access
to that authentication method from known IP ranges. To this effect I
have a config file that sets:
<Directory "some_path">
Options +Indexes +FollowSymLinks
IndexOptions +NameWidth=*
PerlAuthenHandler THE::PERL::MODULE
AuthName MODULE
AuthType Basic
Require valid-user
Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
Require ip A_VERY_LONG_LIST_OF_IP_RANGES
Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
</Directory>
The observed behavior is what could be described as "or" behavior.
Meaning even traffic from outside the specified IP ranges is allowed to
hit the auth handler, i.e. the user gets a username/password request
when accessing a path that is not in the "SOME_EXCEPTION" path.
What I am trying to achieve is that Apache blocks any access if the
traffic originates from outside the specified IP ranges.
Is there a potential that I am hitting some limit of the number of IP
ranges specified and thus the whole mechanism of limiting by IP is ignored?
Am I simply mis-interpreting the documentation and I need to structure
the restrictions differently?
Is there some "and" directive to tie the requires together in an "and"
fashion to ensure all "Require" directives are considered?
Should the ip address restriction move to a different config file? At
present this is included for a given path, but the server really only
serves this specific path and thus traffic could be declined on a more
general level.
Help is much appreciated.
Thanks,
Robert
--
Robert Schweikert MAY THE SOURCE BE WITH YOU
Distinguished Architect LINUX
Team Lead Public Cloud
rjschwei@suse.com
IRC: robjo
Re: [users@httpd] Require directives
Posted by Robert Schweikert <rj...@suse.com>.
On 04/17/2018 10:39 AM, Luca Toscano wrote:
> Hi Robert,
>
> 2018-04-17 16:27 GMT+02:00 Robert Schweikert <rj...@suse.com>:
>
>> Hi,
>>
>> Configuration question.
>>
>> Apache version 2.4.23
>>
>> What I am trying to do is have users authenticate but only allow access
>> to that authentication method from known IP ranges. To this effect I
>> have a config file that sets:
>>
>> <Directory "some_path">
>> Options +Indexes +FollowSymLinks
>> IndexOptions +NameWidth=*
>>
>> PerlAuthenHandler THE::PERL::MODULE
>> AuthName MODULE
>> AuthType Basic
>> Require valid-user
>> Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
>>
>> Require ip A_VERY_LONG_LIST_OF_IP_RANGES
>> Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
>> </Directory>
>>
>> The observed behavior is what could be described as "or" behavior.
>> Meaning even traffic from outside the specified IP ranges is allowed to
>> hit the auth handler, i.e. the user gets a username/password request
>> when accessing a path that is not in the "SOME_EXCEPTION" path.
>>
>> What I am trying to achieve is that Apache blocks any access if the
>> traffic originates from outside the specified IP ranges.
>>
>> Is there a potential that I am hitting some limit of the number of IP
>> ranges specified and thus the whole mechanism of limiting by IP is ignored?
>>
>> Am I simply mis-interpreting the documentation and I need to structure
>> the restrictions differently?
>>
>> Is there some "and" directive to tie the requires together in an "and"
>> fashion to ensure all "Require" directives are considered?
>
>
> This might be useful:
> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#logic. By default
> the multiple requires are acting as RequireAny, meanwhile you'd probably
> need RequireAll.
>
> Hope that helps!
Sure was, thanks solved the problem :)
Later,
Robert
--
Robert Schweikert MAY THE SOURCE BE WITH YOU
Distinguished Architect LINUX
Team Lead Public Cloud
rjschwei@suse.com
IRC: robjo
Re: [users@httpd] Require directives
Posted by Luca Toscano <to...@gmail.com>.
Hi Robert,
2018-04-17 16:27 GMT+02:00 Robert Schweikert <rj...@suse.com>:
> Hi,
>
> Configuration question.
>
> Apache version 2.4.23
>
> What I am trying to do is have users authenticate but only allow access
> to that authentication method from known IP ranges. To this effect I
> have a config file that sets:
>
> <Directory "some_path">
> Options +Indexes +FollowSymLinks
> IndexOptions +NameWidth=*
>
> PerlAuthenHandler THE::PERL::MODULE
> AuthName MODULE
> AuthType Basic
> Require valid-user
> Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
>
> Require ip A_VERY_LONG_LIST_OF_IP_RANGES
> Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
> </Directory>
>
> The observed behavior is what could be described as "or" behavior.
> Meaning even traffic from outside the specified IP ranges is allowed to
> hit the auth handler, i.e. the user gets a username/password request
> when accessing a path that is not in the "SOME_EXCEPTION" path.
>
> What I am trying to achieve is that Apache blocks any access if the
> traffic originates from outside the specified IP ranges.
>
> Is there a potential that I am hitting some limit of the number of IP
> ranges specified and thus the whole mechanism of limiting by IP is ignored?
>
> Am I simply mis-interpreting the documentation and I need to structure
> the restrictions differently?
>
> Is there some "and" directive to tie the requires together in an "and"
> fashion to ensure all "Require" directives are considered?
This might be useful:
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#logic. By default
the multiple requires are acting as RequireAny, meanwhile you'd probably
need RequireAll.
Hope that helps!
Luca
Re: [users@httpd] Require directives
Posted by Eric Covener <co...@gmail.com>.
Whoops, spent too much time as a draft
On Tue, Apr 17, 2018 at 11:45 AM, Eric Covener <co...@gmail.com> wrote:
> On Tue, Apr 17, 2018 at 10:27 AM, Robert Schweikert <rj...@suse.com> wrote:
>> Hi,
>>
>> Configuration question.
>>
>> Apache version 2.4.23
>>
>> What I am trying to do is have users authenticate but only allow access
>> to that authentication method from known IP ranges. To this effect I
>> have a config file that sets:
>>
>> <Directory "some_path">
>> Options +Indexes +FollowSymLinks
>> IndexOptions +NameWidth=*
>>
>> PerlAuthenHandler THE::PERL::MODULE
>> AuthName MODULE
>> AuthType Basic
>
> Unfortunately it has to look something like this:
>
> <RequireAny>
>     Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
>     <RequireAll>
>         Require valid-user
>         <RequireAny>
>             Require ip A_VERY_LONG_LIST_OF_IP_RANGES
>             Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
>         </RequireAny>
>     </RequireAll>
> </RequireAny>
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Require directives
Posted by Eric Covener <co...@gmail.com>.
On Tue, Apr 17, 2018 at 10:27 AM, Robert Schweikert <rj...@suse.com> wrote:
> Hi,
>
> Configuration question.
>
> Apache version 2.4.23
>
> What I am trying to do is have users authenticate but only allow access
> to that authentication method from known IP ranges. To this effect I
> have a config file that sets:
>
> <Directory "some_path">
> Options +Indexes +FollowSymLinks
> IndexOptions +NameWidth=*
>
> PerlAuthenHandler THE::PERL::MODULE
> AuthName MODULE
> AuthType Basic
Unfortunately it has to look something like this:
<RequireAny>
    Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
    <RequireAll>
        Require valid-user
        <RequireAny>
            Require ip A_VERY_LONG_LIST_OF_IP_RANGES
            Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
        </RequireAny>
    </RequireAll>
</RequireAny>
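
A simplified model of how the two layouts in this thread evaluate, added here as an illustration; it is not code from any poster or from httpd. The result-combination rules, the sample IP ranges (documentation prefixes) and the request fields are assumptions of the example.

```python
# Simplified model of how mod_authz_core combines Require results (an
# assumption of this example, not httpd source). Sample data is constructed.
import ipaddress

GRANTED, DENIED, NO_USER = "granted", "denied", "denied-no-user"
# Constructed stand-ins for A_VERY_LONG_LIST_OF_IP_RANGES.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def valid_user(req):
    # Without credentials the outcome could change once a user is supplied.
    return GRANTED if req["user"] else NO_USER

def exception_path(req):
    return GRANTED if req["uri"].startswith("/SOME_EXCEPTION/") else DENIED

def ip_allowed(req):
    addr = ipaddress.ip_address(req["ip"])
    return GRANTED if any(addr in net for net in ALLOWED_NETS) else DENIED

def require_any(*children):
    def check(req):
        results = [child(req) for child in children]
        if GRANTED in results:
            return GRANTED
        # Only ask for credentials if a login could still change the outcome.
        return NO_USER if NO_USER in results else DENIED
    return check

def require_all(*children):
    def check(req):
        results = [child(req) for child in children]
        if DENIED in results:
            return DENIED  # a hard failure wins; no password prompt
        return NO_USER if NO_USER in results else GRANTED
    return check

# Bare Require lines, as in the original question: implicit RequireAny.
original = require_any(valid_user, exception_path, ip_allowed)
# Nested layout from the reply above.
nested = require_any(exception_path,
                     require_all(valid_user, require_any(ip_allowed)))

STATUS = {GRANTED: 200, DENIED: 403, NO_USER: 401}

def status(policy, ip, uri, user=None):
    """HTTP status the modelled policy yields for one request."""
    return STATUS[policy({"ip": ip, "uri": uri, "user": user})]
```

In this model the bare Require lines let in-range clients through with no login at all and let authenticated clients through from any address; the nested layout returns 403 to out-of-range clients before any password prompt.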