You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Bill Tantzen <ta...@umn.edu> on 2018/11/29 18:18:06 UTC
[users@httpd] The Require Directives
Experts,
My environment is RHEL7 and apache 2.4.6
I am looking for the seemingly tricky combination of directives
(Require, RequireAll, RequireAny...) that will allow me to deny access
to an entire domain except for, say, one particular host.
For instance, how do deny access to
yyy.zzz.com
except for
ok.yyy.zzz.com
Is this even possible? I have tried every combination of
authorization containers that I can think of, each of which so far is
either too restrictive or too weak.
Any ideas or suggestions for a good tutorial (believe me, I have searched)!!
Thanks in advance!
-- Bill
--
Human wheels spin round and round
While the clock keeps the pace... -- John Mellencamp
________________________________________________________________
Bill Tantzen University of Minnesota Libraries
612-626-9949 (U of M) 612-325-1777 (cell)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] The Require Directives
Posted by Bill Tantzen <ta...@umn.edu>.
Awesome, I will try it out -- I was seriously overthinking and
over-engineering this thing. In the meantime, a little mod_rewrite
magic works too...
Thanks a million!
Bill
On Thu, Nov 29, 2018 at 4:41 PM Jonathon Koyle <li...@gmail.com> wrote:
>
> You might try this, with some simple testing it seems to work...
> <RequireAll>
> Require host usurf.usu.edu denied
> Require host c01622.usurf.usu.edu
> </RequireAll>
>
> <RequireAll>
> Require not host usurf.usu.edu
> Require ip 0.0.0.0/1
> </RequireAll>
>
> <RequireAll>
> Require not host usurf.usu.edu
> Require ip 128.0.0.0/1
> </RequireAll>
>
> On Thu, Nov 29, 2018 at 2:23 PM Bill Tantzen <ta...@umn.edu> wrote:
>>
>> Sorry this is turning out to be so confusing! What I'm hoping to do,
>> in pseudo-config would be something like this:
>>
>> Require not host bigdomain.com . ## nobody from the entire domain gets in!
>> Require host buddy.bigdomain.com ## except this single client
>> Require all granted ## and the rest of the world!
>>
>> I'm not sure this can even be done at the apache level, much less how to do it.
>> Thanks for looking!
>> Bill
>> On Thu, Nov 29, 2018 at 3:10 PM Jonathon Koyle <li...@gmail.com> wrote:
>> >
>> > So, you want to restrict access to the host to a single machine on a specific domain with a non-static IP, OR to any machine not on the domain?
>> >
>> > On Thu, Nov 29, 2018 at 12:34 PM Bill Tantzen <ta...@umn.edu> wrote:
>> >>
>> >> No that's not exactly what I meant. What I mean is something like
>> >> this -- although actually typing it seems like it can't possibly be
>> >> done:
>> >>
>> >> <RequireAny>
>> >> Require not host xxx.com
>> >> Require host ok.xxx.com
>> >> </ReqiureAny>
>> >>
>> >> I realize "not host" is not allowed here, but it maybe helps explain
>> >> what I want to do: Block an entire domain except for a single host.
>> >> --Bill
>> >> On Thu, Nov 29, 2018 at 1:24 PM Jonathon Koyle <li...@gmail.com> wrote:
>> >> >
>> >> > You want to only allow access to a server at a specific hostname, (that is how I understand you question). One way, that would work, is something like
>> >> >
>> >> > Listen 80
>> >> > <VirtualHost *:80>
>> >> > # This is the default host for this port (assuming it is the first declaration for a host on this port) all server names that do not match another will hit this location
>> >> > <Location />
>> >> > Require all denied
>> >> > </Location>
>> >> > </VirtualHost>
>> >> >
>> >> > <VirtualHost *:80>
>> >> > ServerName ok.yyy.zzz.com
>> >> > # Put the rest of the host configuration here
>> >> > </VirtualHost>
>> >> >
>> >> > Assuming there are no other virtual hosts defined on this machine, this should return a forbidden for any attempt to access the host at port 80 through any method name but ok.yyy.zzz.com
>> >> >
>> >> > On Thu, Nov 29, 2018 at 11:18 AM Bill Tantzen <ta...@umn.edu> wrote:
>> >> >>
>> >> >> Experts,
>> >> >>
>> >> >> My environment is RHEL7 and apache 2.4.6
>> >> >>
>> >> >> I am looking for the seemingly tricky combination of directives
>> >> >> (Require, RequireAll, RequireAny...) that will allow me to deny access
>> >> >> to an entire domain except for, say, one particular host.
>> >> >>
>> >> >> For instance, how do deny access to
>> >> >> yyy.zzz.com
>> >> >> except for
>> >> >> ok.yyy.zzz.com
>> >> >>
>> >> >> Is this even possible? I have tried every combination of
>> >> >> authorization containers that I can think of, each of which so far is
>> >> >> either too restrictive or too weak.
>> >> >>
>> >> >> Any ideas or suggestions for a good tutorial (believe me, I have searched)!!
>> >> >> Thanks in advance!
>> >> >> -- Bill
>> >> >> --
>> >> >> Human wheels spin round and round
>> >> >> While the clock keeps the pace... -- John Mellencamp
>> >> >> ________________________________________________________________
>> >> >> Bill Tantzen University of Minnesota Libraries
>> >> >> 612-626-9949 (U of M) 612-325-1777 (cell)
>> >> >>
>> >> >> ---------------------------------------------------------------------
>> >> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> >> >> For additional commands, e-mail: users-help@httpd.apache.org
>> >> >>
>> >> >
>> >> >
>> >> > --
>> >> > Jonathon Koyle
>> >>
>> >>
>> >>
>> >> --
>> >> Human wheels spin round and round
>> >> While the clock keeps the pace... -- John Mellencamp
>> >> ________________________________________________________________
>> >> Bill Tantzen University of Minnesota Libraries
>> >> 612-626-9949 (U of M) 612-325-1777 (cell)
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> >> For additional commands, e-mail: users-help@httpd.apache.org
>> >>
>> >
>> >
>> > --
>> > Jonathon Koyle
>>
>>
>>
>> --
>> Human wheels spin round and round
>> While the clock keeps the pace... -- John Mellencamp
>> ________________________________________________________________
>> Bill Tantzen University of Minnesota Libraries
>> 612-626-9949 (U of M) 612-325-1777 (cell)
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
> --
> Jonathon Koyle
--
Human wheels spin round and round
While the clock keeps the pace... -- John Mellencamp
________________________________________________________________
Bill Tantzen University of Minnesota Libraries
612-626-9949 (U of M) 612-325-1777 (cell)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] The Require Directives
Posted by Jonathon Koyle <li...@gmail.com>.
You might try this, with some simple testing it seems to work...
<RequireAll>
Require host usurf.usu.edu denied
Require host c01622.usurf.usu.edu
</RequireAll>
<RequireAll>
Require not host usurf.usu.edu
Require ip 0.0.0.0/1
</RequireAll>
<RequireAll>
Require not host usurf.usu.edu
Require ip 128.0.0.0/1
</RequireAll>
On Thu, Nov 29, 2018 at 2:23 PM Bill Tantzen <ta...@umn.edu> wrote:
> Sorry this is turning out to be so confusing! What I'm hoping to do,
> in pseudo-config would be something like this:
>
> Require not host bigdomain.com . ## nobody from the entire domain
> gets in!
> Require host buddy.bigdomain.com ## except this single client
> Require all granted ## and the rest of the
> world!
>
> I'm not sure this can even be done at the apache level, much less how to
> do it.
> Thanks for looking!
> Bill
> On Thu, Nov 29, 2018 at 3:10 PM Jonathon Koyle <li...@gmail.com>
> wrote:
> >
> > So, you want to restrict access to the host to a single machine on a
> specific domain with a non-static IP, OR to any machine not on the domain?
> >
> > On Thu, Nov 29, 2018 at 12:34 PM Bill Tantzen <ta...@umn.edu> wrote:
> >>
> >> No that's not exactly what I meant. What I mean is something like
> >> this -- although actually typing it seems like it can't possibly be
> >> done:
> >>
> >> <RequireAny>
> >> Require not host xxx.com
> >> Require host ok.xxx.com
> >> </ReqiureAny>
> >>
> >> I realize "not host" is not allowed here, but it maybe helps explain
> >> what I want to do: Block an entire domain except for a single host.
> >> --Bill
> >> On Thu, Nov 29, 2018 at 1:24 PM Jonathon Koyle <li...@gmail.com>
> wrote:
> >> >
> >> > You want to only allow access to a server at a specific hostname,
> (that is how I understand you question). One way, that would work, is
> something like
> >> >
> >> > Listen 80
> >> > <VirtualHost *:80>
> >> > # This is the default host for this port (assuming it is the
> first declaration for a host on this port) all server names that do not
> match another will hit this location
> >> > <Location />
> >> > Require all denied
> >> > </Location>
> >> > </VirtualHost>
> >> >
> >> > <VirtualHost *:80>
> >> > ServerName ok.yyy.zzz.com
> >> > # Put the rest of the host configuration here
> >> > </VirtualHost>
> >> >
> >> > Assuming there are no other virtual hosts defined on this machine,
> this should return a forbidden for any attempt to access the host at port
> 80 through any method name but ok.yyy.zzz.com
> >> >
> >> > On Thu, Nov 29, 2018 at 11:18 AM Bill Tantzen <ta...@umn.edu>
> wrote:
> >> >>
> >> >> Experts,
> >> >>
> >> >> My environment is RHEL7 and apache 2.4.6
> >> >>
> >> >> I am looking for the seemingly tricky combination of directives
> >> >> (Require, RequireAll, RequireAny...) that will allow me to deny
> access
> >> >> to an entire domain except for, say, one particular host.
> >> >>
> >> >> For instance, how do deny access to
> >> >> yyy.zzz.com
> >> >> except for
> >> >> ok.yyy.zzz.com
> >> >>
> >> >> Is this even possible? I have tried every combination of
> >> >> authorization containers that I can think of, each of which so far is
> >> >> either too restrictive or too weak.
> >> >>
> >> >> Any ideas or suggestions for a good tutorial (believe me, I have
> searched)!!
> >> >> Thanks in advance!
> >> >> -- Bill
> >> >> --
> >> >> Human wheels spin round and round
> >> >> While the clock keeps the pace... -- John Mellencamp
> >> >> ________________________________________________________________
> >> >> Bill Tantzen University of Minnesota Libraries
> >> >> 612-626-9949 (U of M) 612-325-1777 (cell)
> >> >>
> >> >> ---------------------------------------------------------------------
> >> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> >> For additional commands, e-mail: users-help@httpd.apache.org
> >> >>
> >> >
> >> >
> >> > --
> >> > Jonathon Koyle
> >>
> >>
> >>
> >> --
> >> Human wheels spin round and round
> >> While the clock keeps the pace... -- John Mellencamp
> >> ________________________________________________________________
> >> Bill Tantzen University of Minnesota Libraries
> >> 612-626-9949 (U of M) 612-325-1777 (cell)
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >
> >
> > --
> > Jonathon Koyle
>
>
>
> --
> Human wheels spin round and round
> While the clock keeps the pace... -- John Mellencamp
> ________________________________________________________________
> Bill Tantzen University of Minnesota Libraries
> 612-626-9949 (U of M) 612-325-1777 (cell)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--
Jonathon Koyle
Re: [users@httpd] The Require Directives
Posted by Bill Tantzen <ta...@umn.edu>.
Sorry this is turning out to be so confusing! What I'm hoping to do,
in pseudo-config would be something like this:
Require not host bigdomain.com . ## nobody from the entire domain gets in!
Require host buddy.bigdomain.com ## except this single client
Require all granted ## and the rest of the world!
I'm not sure this can even be done at the apache level, much less how to do it.
Thanks for looking!
Bill
On Thu, Nov 29, 2018 at 3:10 PM Jonathon Koyle <li...@gmail.com> wrote:
>
> So, you want to restrict access to the host to a single machine on a specific domain with a non-static IP, OR to any machine not on the domain?
>
> On Thu, Nov 29, 2018 at 12:34 PM Bill Tantzen <ta...@umn.edu> wrote:
>>
>> No that's not exactly what I meant. What I mean is something like
>> this -- although actually typing it seems like it can't possibly be
>> done:
>>
>> <RequireAny>
>> Require not host xxx.com
>> Require host ok.xxx.com
>> </ReqiureAny>
>>
>> I realize "not host" is not allowed here, but it maybe helps explain
>> what I want to do: Block an entire domain except for a single host.
>> --Bill
>> On Thu, Nov 29, 2018 at 1:24 PM Jonathon Koyle <li...@gmail.com> wrote:
>> >
>> > You want to only allow access to a server at a specific hostname, (that is how I understand you question). One way, that would work, is something like
>> >
>> > Listen 80
>> > <VirtualHost *:80>
>> > # This is the default host for this port (assuming it is the first declaration for a host on this port) all server names that do not match another will hit this location
>> > <Location />
>> > Require all denied
>> > </Location>
>> > </VirtualHost>
>> >
>> > <VirtualHost *:80>
>> > ServerName ok.yyy.zzz.com
>> > # Put the rest of the host configuration here
>> > </VirtualHost>
>> >
>> > Assuming there are no other virtual hosts defined on this machine, this should return a forbidden for any attempt to access the host at port 80 through any method name but ok.yyy.zzz.com
>> >
>> > On Thu, Nov 29, 2018 at 11:18 AM Bill Tantzen <ta...@umn.edu> wrote:
>> >>
>> >> Experts,
>> >>
>> >> My environment is RHEL7 and apache 2.4.6
>> >>
>> >> I am looking for the seemingly tricky combination of directives
>> >> (Require, RequireAll, RequireAny...) that will allow me to deny access
>> >> to an entire domain except for, say, one particular host.
>> >>
>> >> For instance, how do deny access to
>> >> yyy.zzz.com
>> >> except for
>> >> ok.yyy.zzz.com
>> >>
>> >> Is this even possible? I have tried every combination of
>> >> authorization containers that I can think of, each of which so far is
>> >> either too restrictive or too weak.
>> >>
>> >> Any ideas or suggestions for a good tutorial (believe me, I have searched)!!
>> >> Thanks in advance!
>> >> -- Bill
>> >> --
>> >> Human wheels spin round and round
>> >> While the clock keeps the pace... -- John Mellencamp
>> >> ________________________________________________________________
>> >> Bill Tantzen University of Minnesota Libraries
>> >> 612-626-9949 (U of M) 612-325-1777 (cell)
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> >> For additional commands, e-mail: users-help@httpd.apache.org
>> >>
>> >
>> >
>> > --
>> > Jonathon Koyle
>>
>>
>>
>> --
>> Human wheels spin round and round
>> While the clock keeps the pace... -- John Mellencamp
>> ________________________________________________________________
>> Bill Tantzen University of Minnesota Libraries
>> 612-626-9949 (U of M) 612-325-1777 (cell)
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
> --
> Jonathon Koyle
--
Human wheels spin round and round
While the clock keeps the pace... -- John Mellencamp
________________________________________________________________
Bill Tantzen University of Minnesota Libraries
612-626-9949 (U of M) 612-325-1777 (cell)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] The Require Directives
Posted by Jonathon Koyle <li...@gmail.com>.
So, you want to restrict access to the host to a single machine on a
specific domain with a non-static IP, OR to any machine not on the domain?
On Thu, Nov 29, 2018 at 12:34 PM Bill Tantzen <ta...@umn.edu> wrote:
> No that's not exactly what I meant. What I mean is something like
> this -- although actually typing it seems like it can't possibly be
> done:
>
> <RequireAny>
> Require not host xxx.com
> Require host ok.xxx.com
> </ReqiureAny>
>
> I realize "not host" is not allowed here, but it maybe helps explain
> what I want to do: Block an entire domain except for a single host.
> --Bill
> On Thu, Nov 29, 2018 at 1:24 PM Jonathon Koyle <li...@gmail.com>
> wrote:
> >
> > You want to only allow access to a server at a specific hostname, (that
> is how I understand you question). One way, that would work, is something
> like
> >
> > Listen 80
> > <VirtualHost *:80>
> > # This is the default host for this port (assuming it is the first
> declaration for a host on this port) all server names that do not match
> another will hit this location
> > <Location />
> > Require all denied
> > </Location>
> > </VirtualHost>
> >
> > <VirtualHost *:80>
> > ServerName ok.yyy.zzz.com
> > # Put the rest of the host configuration here
> > </VirtualHost>
> >
> > Assuming there are no other virtual hosts defined on this machine, this
> should return a forbidden for any attempt to access the host at port 80
> through any method name but ok.yyy.zzz.com
> >
> > On Thu, Nov 29, 2018 at 11:18 AM Bill Tantzen <ta...@umn.edu> wrote:
> >>
> >> Experts,
> >>
> >> My environment is RHEL7 and apache 2.4.6
> >>
> >> I am looking for the seemingly tricky combination of directives
> >> (Require, RequireAll, RequireAny...) that will allow me to deny access
> >> to an entire domain except for, say, one particular host.
> >>
> >> For instance, how do deny access to
> >> yyy.zzz.com
> >> except for
> >> ok.yyy.zzz.com
> >>
> >> Is this even possible? I have tried every combination of
> >> authorization containers that I can think of, each of which so far is
> >> either too restrictive or too weak.
> >>
> >> Any ideas or suggestions for a good tutorial (believe me, I have
> searched)!!
> >> Thanks in advance!
> >> -- Bill
> >> --
> >> Human wheels spin round and round
> >> While the clock keeps the pace... -- John Mellencamp
> >> ________________________________________________________________
> >> Bill Tantzen University of Minnesota Libraries
> >> 612-626-9949 (U of M) 612-325-1777 (cell)
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >
> >
> > --
> > Jonathon Koyle
>
>
>
> --
> Human wheels spin round and round
> While the clock keeps the pace... -- John Mellencamp
> ________________________________________________________________
> Bill Tantzen University of Minnesota Libraries
> 612-626-9949 (U of M) 612-325-1777 (cell)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--
Jonathon Koyle
Re: [users@httpd] The Require Directives
Posted by Bill Tantzen <ta...@umn.edu>.
No that's not exactly what I meant. What I mean is something like
this -- although actually typing it seems like it can't possibly be
done:
<RequireAny>
Require not host xxx.com
Require host ok.xxx.com
</ReqiureAny>
I realize "not host" is not allowed here, but it maybe helps explain
what I want to do: Block an entire domain except for a single host.
--Bill
On Thu, Nov 29, 2018 at 1:24 PM Jonathon Koyle <li...@gmail.com> wrote:
>
> You want to only allow access to a server at a specific hostname, (that is how I understand you question). One way, that would work, is something like
>
> Listen 80
> <VirtualHost *:80>
> # This is the default host for this port (assuming it is the first declaration for a host on this port) all server names that do not match another will hit this location
> <Location />
> Require all denied
> </Location>
> </VirtualHost>
>
> <VirtualHost *:80>
> ServerName ok.yyy.zzz.com
> # Put the rest of the host configuration here
> </VirtualHost>
>
> Assuming there are no other virtual hosts defined on this machine, this should return a forbidden for any attempt to access the host at port 80 through any method name but ok.yyy.zzz.com
>
> On Thu, Nov 29, 2018 at 11:18 AM Bill Tantzen <ta...@umn.edu> wrote:
>>
>> Experts,
>>
>> My environment is RHEL7 and apache 2.4.6
>>
>> I am looking for the seemingly tricky combination of directives
>> (Require, RequireAll, RequireAny...) that will allow me to deny access
>> to an entire domain except for, say, one particular host.
>>
>> For instance, how do deny access to
>> yyy.zzz.com
>> except for
>> ok.yyy.zzz.com
>>
>> Is this even possible? I have tried every combination of
>> authorization containers that I can think of, each of which so far is
>> either too restrictive or too weak.
>>
>> Any ideas or suggestions for a good tutorial (believe me, I have searched)!!
>> Thanks in advance!
>> -- Bill
>> --
>> Human wheels spin round and round
>> While the clock keeps the pace... -- John Mellencamp
>> ________________________________________________________________
>> Bill Tantzen University of Minnesota Libraries
>> 612-626-9949 (U of M) 612-325-1777 (cell)
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
> --
> Jonathon Koyle
--
Human wheels spin round and round
While the clock keeps the pace... -- John Mellencamp
________________________________________________________________
Bill Tantzen University of Minnesota Libraries
612-626-9949 (U of M) 612-325-1777 (cell)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] The Require Directives
Posted by Jonathon Koyle <li...@gmail.com>.
You want to only allow access to a server at a specific hostname, (that is
how I understand you question). One way, that would work, is something
like
Listen 80
<VirtualHost *:80>
# This is the default host for this port (assuming it is the first
declaration for a host on this port) all server names that do not match
another will hit this location
<Location />
Require all denied
</Location>
</VirtualHost>
<VirtualHost *:80>
ServerName ok.yyy.zzz.com
# Put the rest of the host configuration here
</VirtualHost>
Assuming there are no other virtual hosts defined on this machine, this
should return a forbidden for any attempt to access the host at port 80
through any method name but ok.yyy.zzz.com
On Thu, Nov 29, 2018 at 11:18 AM Bill Tantzen <ta...@umn.edu> wrote:
> Experts,
>
> My environment is RHEL7 and apache 2.4.6
>
> I am looking for the seemingly tricky combination of directives
> (Require, RequireAll, RequireAny...) that will allow me to deny access
> to an entire domain except for, say, one particular host.
>
> For instance, how do deny access to
> yyy.zzz.com
> except for
> ok.yyy.zzz.com
>
> Is this even possible? I have tried every combination of
> authorization containers that I can think of, each of which so far is
> either too restrictive or too weak.
>
> Any ideas or suggestions for a good tutorial (believe me, I have
> searched)!!
> Thanks in advance!
> -- Bill
> --
> Human wheels spin round and round
> While the clock keeps the pace... -- John Mellencamp
> ________________________________________________________________
> Bill Tantzen University of Minnesota Libraries
> 612-626-9949 (U of M) 612-325-1777 (cell)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
--
Jonathon Koyle