Posted to users@httpd.apache.org by Anders Wong <kw...@gmail.com> on 2020/10/14 05:37:32 UTC
[users@httpd] How to restrict page access to certain IPs using Apache httpd 2.4
Hi HTTP apache community,
I have a Location and Directory directive configured within VirtualHost
and I would like to restrict only 10.75.x.x IPs to access the URL "http://
..../ords".
The access restriction is not working in <Location> directive as any
client IPs still can access the URL after the setting. However, the same
"Require ip x.x " setting is working well in <Directory> directive.
I can confirm that I have both modules (authz_core / authz_host) loaded
[root@xxx]# httpd -f /etc/httpd/conf/httpd.conf -M | grep authz
authz_core_module (shared)
authz_dbd_module (shared)
authz_dbm_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_owner_module (shared)
authz_user_module (shared)
See below:
<VirtualHost>
<Location "/ords">
Require ip 10.75
.... truncated....
</Location>
</VirtualHost>
<Directory "/var/www/html/htdocs/myserver">
Options Indexes FollowSymLinks
AllowOverride None
Require ip 10.75
</Directory>
Can someone please help out and guide me? Thanks
Regards,
Kwok
[users@httpd] alias for AuthLDAPBindDN and AuthLDAPBindPassword
Posted by Jason Keltz <ja...@eecs.yorku.ca>.
Hi.
I'm trying to provide users on my site with the ability to offer pages
protected by .htaccess using the httpd mod_ldap/mod_authn_ldap modules.
Authentication by username, and authorization by group name.
However, I can't give the users the AuthLDAPBindPassword, and I'd rather
pre-define the AuthLDAPBindDN and AuthLDAPURL as well.
From looking at the docs, it looks like I can use
<AuthnProviderAlias my-ldap>
AuthLDAPURL ...
AuthLDAPBindDN ...
AuthLDAPBindPassword ...
</AuthnProviderAlias>
Now when the user uses: AuthBasicProvider my-ldap, those values get
inherited. This is terrific.
But then for the authorization part, if I want users to be able to
authorize based on groups, and I don't want them to have to enter the
URL/BindDN/Password, then for each and every group, it appears that I
need to have a section in my apache config:
<AuthzProviderAlias ldap-group ....>
AuthLDAPURL
AuthLDAPBindDN
AuthLDAPBindPassword ...
Require ldap-group cn=mygroup,...
</AuthzProviderAlias>
Is that really true? Or am I missing something?
Is there no other way?
Jason.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: How to restrict page access to certain IPs
using Apache httpd 2.4
Posted by Eric Covener <co...@gmail.com>.
> <Location "/ords">
> AuthType Kerberos
> Krb5KeyTab /etc/my.keytab
> KrbServiceName HTTP/something.com@ABC.COM
> KrbAuthRealms ABC.COM
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> require valid-user
> Require ip 10.75
It is accepting either Require directive
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
When multiple Require directives are used in a single configuration
section and are not contained in another authorization directive like
<RequireAll>, they are implicitly contained within a <RequireAny>
directive. Thus the first one to authorize a user authorizes the
entire request, and subsequent Require directives are ignored.
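Added example, not part of the reply above or of the original poster's configuration: the quoted `<Location "/ords">` block with its two `Require` lines wrapped in `<RequireAll>`, so that a request must both authenticate and come from 10.75.x.x. The Kerberos directives are copied from the quoted configuration; only the `<RequireAll>` wrapper and the comments are new.

```apache
<Location "/ords">
    AuthType Kerberos
    Krb5KeyTab /etc/my.keytab
    KrbServiceName HTTP/something.com@ABC.COM
    KrbAuthRealms ABC.COM
    KrbMethodNegotiate on
    KrbMethodK5Passwd on

    # As posted, the two bare Require lines sit in an implicit <RequireAny>:
    # a valid Kerberos login from ANY address satisfies the section, and so
    # does ANY request from 10.75.x.x without a login.
    #
    #   Require valid-user
    #   Require ip 10.75

    # Explicit <RequireAll>: every enclosed Require must succeed, so the
    # client needs a valid login AND a source address inside 10.75.0.0/16.
    <RequireAll>
        Require valid-user
        Require ip 10.75
    </RequireAll>
</Location>
```

If only the address restriction is wanted, a single `Require ip 10.75` with no `Require valid-user` beside it has the same effect as the working `<Directory>` block in the question. After a reload, requests to /ords from addresses outside 10.75 should no longer appear in the access log with 200 or 302 status.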
Re: [users@httpd] Re: How to restrict page access to certain IPs
using Apache httpd 2.4
Posted by Anders Wong <kw...@gmail.com>.
Hi Eric,
See below the configuration I have put in the httpd.conf
<VirtualHost *:80>
    <Location "/ords">
        AuthType Kerberos
        Krb5KeyTab /etc/my.keytab
        KrbServiceName HTTP/something.com@ABC.COM
        KrbAuthRealms ABC.COM
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        require valid-user
        Require ip 10.75
        ProxyPass "ajp://localhost:8009/ords"
        ProxyPassReverse "ajp://localhost:8009/ords"
    </Location>
    <Directory "/var/www/html/htdocs/something">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require ip 10.75
    </Directory>
</VirtualHost>
---Access Log --
10.75.3.4 - - [13/Oct/2020:15:28:02 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:04 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
210.10.2.163 - dxxxx @ABC.COM [13/Oct/2020:15:28:51 +1100] "GET
/ords/f?p=4050:9:212076483029344::NO::: HTTP/1.1" 302 - "-" "Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763"
210.10.2.163 - dxxxx@ABC.COM [13/Oct/2020:15:28:54 +1100] "GET
/ords/f?p=4550:10:2982892575199::::: HTTP/1.1" 200 7101 "-" "Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763"
10.75.3.5 - - [13/Oct/2020:15:28:09 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:12 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:14 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:17 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:19 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:22 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:24 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:27 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
210.10.2.163 - - [13/Oct/2020:15:28:29 +1100] "GET /index.html HTTP/1.1"
200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:32 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:34 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:37 +1100] "GET /index.html HTTP/1.1" 200
3206 "-" "-"
On Mon, Oct 19, 2020 at 10:35 PM Eric Covener <co...@gmail.com> wrote:
> On Mon, Oct 19, 2020 at 7:31 AM Anders Wong <kw...@gmail.com> wrote:
> >
> > Hi,
> >
> > Anyone able to help please?
>
> It would help to show the config un-redacted and to show the resulting
> access_log entries.
Re: [users@httpd] Re: How to restrict page access to certain IPs
using Apache httpd 2.4
Posted by Eric Covener <co...@gmail.com>.
On Mon, Oct 19, 2020 at 7:31 AM Anders Wong <kw...@gmail.com> wrote:
>
> Hi,
>
> Anyone able to help please?
It would help to show the config un-redacted and to show the resulting
access_log entries.
[users@httpd] Re: How to restrict page access to certain IPs using Apache httpd 2.4
Posted by Anders Wong <kw...@gmail.com>.
Hi,
Anyone able to help please?
Regards, Kwok