Posted to users@httpd.apache.org by Anders Wong <kw...@gmail.com> on 2020/10/19 11:30:40 UTC

[users@httpd] Re: How to restrict page access to certain IPs using Apache httpd 2.4

Hi,

Anyone able to help please?

Regards, Kwok

On Wed, 14 Oct 2020 at 4:37 pm, Anders Wong <kw...@gmail.com> wrote:

> Hi HTTP apache community,
>
>     I have a Location and Directory directive configured within
> VirtualHost and I would like to restrict only 10.75.x.x IPs to access the
> URL "http://..../ords".
>
>    The access restriction is not working in the <Location> directive, as any
> client IP can still access the URL after the setting. However, the same
> "Require ip x.x" setting is working well in the <Directory> directive.
>
>   I can confirm that I have both modules (authz_core / authz_host) loaded
>
> [root@xxx]# httpd -f /etc/httpd/conf/httpd.conf -M | grep authz
>  authz_core_module (shared)
>  authz_dbd_module (shared)
>  authz_dbm_module (shared)
>  authz_groupfile_module (shared)
>  authz_host_module (shared)
>  authz_owner_module (shared)
>  authz_user_module (shared)
>
> see below:
> <VirtualHost>
>     <Location "/ords">
>       Require ip 10.75
>      .... truncated....
>     </Location>
> </VirtualHost>
>
> <Directory "/var/www/html/htdocs/myserver">
>        Options Indexes FollowSymLinks
>         AllowOverride None
>         Require ip 10.75
> </Directory>
>
> Can someone please help out and guide me? Thanks
>
> Regards,
> Kwok
>

[users@httpd] alias for AuthLDAPBindDN and AuthLDAPBindPassword

Posted by Jason Keltz <ja...@eecs.yorku.ca>.
Hi.

I'm trying to provide users on my site with the ability to offer pages 
protected by .htaccess using the httpd mod_ldap/mod_authn_ldap modules.  
Authentication by username, and authorization by group name.

However, I can't give the users the AuthLDAPBindPassword, and I'd rather 
pre-define the AuthLDAPBindDN and AuthLDAPURL as well.

From looking at the docs, it looks like I can use

<AuthnProviderAlias my-ldap>
  AuthLDAPURL ...
  AuthLDAPBindDN ...
  AuthLDAPBindPassword ...
</AuthnProviderAlias>

Now when a user uses: AuthBasicProvider my-ldap, those values get
inherited.  This is terrific.

But then for the authorization part, if I want users to be able to
authorize based on groups, and I don't want them to have to enter the
URL/BindDN/Password, then for each and every group, it appears that I
need to have a section in my apache config:

<AuthzProviderAlias ldap-group ....>
   AuthLDAPURL
   AuthLDAPBindDN
   AuthLDAPBindPassword ...
   Require ldap-group cn=mygroup,...
</AuthzProviderAlias>

Is that really true?  Or am I missing something?

Is there no other way?

Jason.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: How to restrict page access to certain IPs using Apache httpd 2.4

Posted by Eric Covener <co...@gmail.com>.
> <Location "/ords">
>         AuthType  Kerberos
>         Krb5KeyTab /etc/my.keytab
>         KrbServiceName HTTP/something.com@ABC.COM
>         KrbAuthRealms ABC.COM
>         KrbMethodNegotiate on
>         KrbMethodK5Passwd on
>         require valid-user
>         Require ip 10.75

It is accepting either Require directive.

https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

When multiple Require directives are used in a single configuration
section and are not contained in another authorization directive like
<RequireAll>, they are implicitly contained within a <RequireAny>
directive. Thus the first one to authorize a user authorizes the
entire request, and subsequent Require directives are ignored.
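
Added example, not part of Eric's reply or the poster's own configuration: the <Location "/ords"> section from the thread with both conditions wrapped in <RequireAll>, so that a client must be authenticated and come from 10.75.x.x. Directive values are copied from the thread; that both conditions are wanted together is an assumption about the poster's intent.

```apache
# Before (as posted in the thread): two bare Require lines in one section are
# an implicit <RequireAny>, so "valid-user" alone authorizes any client that
# authenticates, whatever its source address.
#
#   <Location "/ords">
#       ...
#       require valid-user
#       Require ip 10.75
#   </Location>

# After: both conditions must hold (assumed intent: Kerberos login AND a
# 10.75.x.x source address).
<Location "/ords">
    AuthType Kerberos
    Krb5KeyTab /etc/my.keytab
    KrbServiceName HTTP/something.com@ABC.COM
    KrbAuthRealms ABC.COM
    KrbMethodNegotiate on
    KrbMethodK5Passwd on

    # Explicit container replaces the implicit <RequireAny>.
    <RequireAll>
        Require valid-user
        Require ip 10.75
    </RequireAll>

    ProxyPass "ajp://localhost:8009/ords"
    ProxyPassReverse "ajp://localhost:8009/ords"
</Location>

# Alternative, if only the address restriction is wanted and no login:
# drop the AuthType/Krb* lines and "Require valid-user", leaving a single
# "Require ip 10.75" in the section.
```

Check the syntax with `httpd -t` before reloading; afterwards a request to /ords from an address outside 10.75 should be denied (HTTP 403) even when the Kerberos login succeeds.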



Re: [users@httpd] Re: How to restrict page access to certain IPs using Apache httpd 2.4

Posted by Anders Wong <kw...@gmail.com>.
Hi Eric,

       See below the configuration I have put in the httpd.conf

<VirtualHost *:80>

<Location "/ords">
        AuthType  Kerberos
        Krb5KeyTab /etc/my.keytab
        KrbServiceName HTTP/something.com@ABC.COM
        KrbAuthRealms ABC.COM
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        require valid-user
        Require ip 10.75
        ProxyPass "ajp://localhost:8009/ords"
        ProxyPassReverse "ajp://localhost:8009/ords"
</Location>

<Directory "/var/www/html/htdocs/something">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require ip 10.75
</Directory>

</VirtualHost>

---Access Log --
10.75.3.4 - - [13/Oct/2020:15:28:02 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:04 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
210.10.2.163 - dxxxx @ABC.COM [13/Oct/2020:15:28:51 +1100] "GET /ords/f?p=4050:9:212076483029344::NO::: HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763"
210.10.2.163 - dxxxx@ABC.COM [13/Oct/2020:15:28:54 +1100] "GET /ords/f?p=4550:10:2982892575199::::: HTTP/1.1" 200 7101 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763"
10.75.3.5 - - [13/Oct/2020:15:28:09 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:12 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:14 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:17 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:19 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:22 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:24 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:27 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
210.10.2.163 - - [13/Oct/2020:15:28:29 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:32 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:34 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:37 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"

On Mon, Oct 19, 2020 at 10:35 PM Eric Covener <co...@gmail.com> wrote:

> On Mon, Oct 19, 2020 at 7:31 AM Anders Wong <kw...@gmail.com> wrote:
> >
> > Hi,
> >
> > Anyone able to help please?
>
> It would help to show the config un-redacted and to show the resulting
> access_log entries.

Re: [users@httpd] Re: How to restrict page access to certain IPs using Apache httpd 2.4

Posted by Eric Covener <co...@gmail.com>.
On Mon, Oct 19, 2020 at 7:31 AM Anders Wong <kw...@gmail.com> wrote:
>
> Hi,
>
> Anyone able to help please?

It would help to show the config un-redacted and to show the resulting
access_log entries.
