Access configurations

I'm trying to find some Apache documentation verifying that the access
configs listed below in the manner I find them to be working are truly
supported by Apache and are reasonable. (I'm using Apache 2.2.3.)

In a given directory in web space I have an .htaccess file with
information such as the following (various SSL requirements are left
out of the example for simplicity):

AuthUserFile /home/secure/.htpasswd
AuthName "Restricted Access"
AuthType Basic

<Files abc.html>
   require user andy
</Files>

<Files def.html>
   require user bert
</Files>

<Limit GET POST>
order deny,allow
deny from all

allow from 10.10.10.0/24

require user andy bert charlie
</Limit>

<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>



What I'm looking to do is restrict all access to anything in this
directory to either GET or POST and then only to certain IP addresses
(anything on the 10.10.10.x network) and listed authenticated users.
Any other methods should be completely rejected. Any resource in that
directory protected by the .htaccess file should require a valid user
of andy, bert or charlie. Those requirements should be accomplished by
the Limit/LimitExcept directives. I'm reasonably confident in that.

In addition, for certain resources in that directory such as abc.html
and def.html, I only want specific users to have access to those
resources, but still subject to the 10.10.10.x IP address restriction.

My concern at first is whether Apache, seeing the restriction on
<Files abc.html> and requiring user andy, will continue to respect the
Limits I have on GET and POST requiring a specific IP address range.
It would be cumbersome to have to repeat the restrictions on IP
address within each <Files> directive.

So... the bottom line in my intention is that:
Any request to a Method other than GET or POST is completely blocked.
Anyone either not on 10.10.10.x OR not having been authenticated as
andy, bert or charlie is completely blocked.
Of the authenticated users:
   only andy can access abc.html coming from 10.10.10.x
   only bert can access def.html coming from 10.10.10.x

My testing says that Apache does respect both the user requirement
with the Files directive and the IP address requirement within the
Limit directive. The access does work as I intended from the testing I
have done. However, I really can't find any Apache documentation
explaining the logic of how Apache would parse that and hence verify
that both the user requirements with <Files> and IP address
requirement within <Limit> are combined.

Comments on this approach are very much appreciated.
#1 Does Apache support this? E.g., is it not just a fluke that might not
work in a future Apache release?
#2 Improvements or a better approach?

Thank you.
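
Added example, not part of the original post and not Apache's own evaluation logic: a small Python model of the access policy the post describes, producing an expected-outcome matrix that a test harness could replay against the directory after each Apache upgrade. The sample addresses, the extra user "dave", the file "other.html" and all function names are constructed for illustration.

```python
import ipaddress
from itertools import product

ALLOWED_NET = ipaddress.ip_network("10.10.10.0/24")        # "allow from" in <Limit GET POST>
ALLOWED_METHODS = {"GET", "POST"}                           # all others fall under <LimitExcept>
DIR_USERS = {"andy", "bert", "charlie"}                     # "require user" in <Limit GET POST>
FILE_USERS = {"abc.html": {"andy"}, "def.html": {"bert"}}   # per-file <Files> requirements


def expected_decision(method, client_ip, user, filename):
    """Outcome the stated intent implies for one request.

    user=None means no valid credentials were presented. This models the
    intent in the post; mapping outcomes to HTTP status codes is left to
    the harness that replays the cases.
    """
    if method not in ALLOWED_METHODS:
        return "deny_method"
    if ipaddress.ip_address(client_ip) not in ALLOWED_NET:
        return "deny_host"
    # A <Files> requirement narrows the directory-wide user list for that file.
    if user not in FILE_USERS.get(filename, DIR_USERS):
        return "deny_user"
    return "allow"


def build_matrix():
    """Every combination of constructed sample inputs, with its expected outcome."""
    methods = ["GET", "POST", "PUT", "DELETE"]
    ips = ["10.10.10.7", "10.10.11.7"]                 # inside / outside the /24
    users = [None, "andy", "bert", "charlie", "dave"]  # dave: not a listed user
    files = ["abc.html", "def.html", "other.html"]
    return {case: expected_decision(*case)
            for case in product(methods, ips, users, files)}


def allowed_cases(matrix):
    """Only the combinations that should be served; everything else must be refused."""
    return sorted(case for case, outcome in matrix.items() if outcome == "allow")


if __name__ == "__main__":
    matrix = build_matrix()
    for case in allowed_cases(matrix):
        print("allow:", case)
    print(len(matrix), "cases,", len(allowed_cases(matrix)), "allowed")
```

Any case a live server serves that is not in the allowed list, or refuses although it is listed, marks a change in how the <Files> and <Limit> sections combine.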
