Posted to users@httpd.apache.org by Darryl Philip Baker <da...@northwestern.edu> on 2017/01/31 15:56:09 UTC

[users@httpd] Trouble Securing a directory correctly

I have a directory defined inside a virtual host that I want to be accessible only from inside our networks. What is happening is that the rules don't seem to be working as I expect: browsers that do not match the criteria are getting access. One complexity is that the parent path is secured by our SSO solution using AM Agent. The browser is prompting for the SSO credentials. Here is my directory definition:

    <Directory "/nuinfo/httpd/htdocs/it-virtual-v2/admin-systems/secure">
        Require all denied
        <RequireAny>
            Require host northwestern.edu
            Require host wireless.northwestern.private
            Require ip 129.105.0.0/16
            Require ip 165.124.0.0/16
            Require ip 165.20.108.150
            Require ip 165.20.104.30
            Require ip 38.124.31.0/24
            Require ip 10.101.0.0/16
            Require ip 10.102.0.0/15
            Require ip 10.105.0.0/16
        </RequireAny>
    </Directory>


Darryl Baker
Sr. System Administrator
Northwestern | Information Technology
www.it.northwestern.edu


Re: [users@httpd] Trouble Securing a directory correctly

Posted by Luca Toscano <to...@gmail.com>.
Hi!

2017-01-31 16:56 GMT+01:00 Darryl Philip Baker <darryl.baker@northwestern.edu>:

> I have a directory defined inside a virtual host that I want to be
> accessible only from inside our networks. What is happening is that the rules
> don’t seem to be working as I expect: browsers that do not match the criteria
> are getting access. One complexity is that the parent path is secured by
> our SSO solution using AM Agent. The browser is prompting for the SSO
> credentials. Here is my directory definition:
>
>     <Directory "/nuinfo/httpd/htdocs/it-virtual-v2/admin-systems/secure">
>         Require all denied
>         <RequireAny>
>             Require host northwestern.edu
>             Require host wireless.northwestern.private
>             Require ip 129.105.0.0/16
>             Require ip 165.124.0.0/16
>             Require ip 165.20.108.150
>             Require ip 165.20.104.30
>             Require ip 38.124.31.0/24
>             Require ip 10.101.0.0/16
>             Require ip 10.102.0.0/15
>             Require ip 10.105.0.0/16
>         </RequireAny>
>     </Directory>
>

So as far as I can read in [1] you could simply list the "Require"s
specified in the RequireAny block and remove the "Require all denied" on
the top to achieve what you need to do. Also be aware that Require host
triggers DNS lookups for each request that wants to access the content of
the directory [2].

Hope that helps! Let me know if anything changes.

Luca


[1]: https://httpd.apache.org/docs/2.4/howto/auth.html#beyond
"By default all Require directives are handled as though contained within a
<RequireAny> container directive. In other words, if any of the specified
authorization methods succeed, then authorization is granted."

[2]: http://httpd.apache.org/docs/2.4/mod/mod_authz_host.html#requiredirectives
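
The rule quoted in [1] can be checked offline with a small model. This is an added example, not part of the thread and not httpd code: a simplified true/false evaluator (the names `check` and `audit` and the sample client addresses are constructed here) that covers only the `Require ip` and `Require all denied` lines and skips `Require host`, which needs DNS.

```python
import ipaddress

# "Require ip" lines copied from the posted <Directory> block. The two
# "Require host" lines are left out: they depend on live DNS lookups.
IP_RULES = [
    "ip 129.105.0.0/16", "ip 165.124.0.0/16", "ip 165.20.108.150",
    "ip 165.20.104.30", "ip 38.124.31.0/24", "ip 10.101.0.0/16",
    "ip 10.102.0.0/15", "ip 10.105.0.0/16",
]
# As posted: "Require all denied" beside an explicit <RequireAny>; both sit
# inside the implicit RequireAny that wraps bare Require lines.
AS_POSTED = ("any", ["all denied", ("any", IP_RULES)])
# As suggested in the reply: only the Require lines, no "Require all denied".
AS_SUGGESTED = ("any", IP_RULES)

# Constructed sample clients (not from the thread).
SAMPLE_CLIENTS = ["129.105.10.20", "10.103.4.5", "10.104.1.1", "203.0.113.9"]


def check(node, client):
    """Return True if this rule or section grants access to client."""
    if isinstance(node, tuple):  # (operator, children) section
        op, children = node
        results = [check(child, client) for child in children]
        return any(results) if op == "any" else all(results)
    kind, _, arg = node.partition(" ")
    if kind == "all":
        return arg == "granted"
    if kind == "ip":
        addr = ipaddress.ip_address(client)
        return any(addr in ipaddress.ip_network(net) for net in arg.split())
    raise ValueError(f"unsupported rule: {node!r}")


def audit(clients):
    """Map each client to (granted as posted, granted as suggested)."""
    return {c: (check(AS_POSTED, c), check(AS_SUGGESTED, c)) for c in clients}


if __name__ == "__main__":
    for client, (posted, suggested) in audit(SAMPLE_CLIENTS).items():
        print(f"{client:15} posted={posted} suggested={suggested}")
```

In this model both layouts give the same decision for every address, and an address such as 10.104.1.1, which falls between the listed 10.102.0.0/15 and 10.105.0.0/16 ranges, is not granted by either.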