On 12/02/2013 1:50 PM, "Phil Smith" <philboonz@xxxxxxxxx> wrote:
>
> I'm trying to find some Apache documentation verifying that the access
> configs listed below in the manner I find them to be working are truly
> supported by Apache and are reasonable. (I'm using Apache 2.2.3.)
>
> In a given directory in web space I have an .htaccess file with
> information such as the following (various SSL requirements are left
> out of the example for simplicity):
>
> AuthUserFile /home/secure/.htpasswd
> AuthName "Restricted Access"
> AuthType Basic
>
> <Files abc.html>
> require user andy
> </Files>
>
> <Files def.html>
> require user bert
> </Files>
>
> <Limit GET POST>
> order deny,allow
> deny from all
>
> allow from 10.10.10.0/24
>
> require user andy bert charlie
> </Limit>
>
> <LimitExcept GET POST>
> order deny,allow
> deny from all
> </LimitExcept>
>
>
>
> What I'm looking to do is restrict all access to anything in this
> directory to either GET or POST and then only to certain IP addresses
> (anything on the 10.10.10.x network) and listed authenticated users.
> Any other methods should be completely rejected. Any resource in that
> directory protected by the .htaccess file should require a valid user
> of andy, bert or charlie. Those requirements should be accomplished by
> the Limit/LimitExcept directives. I'm reasonably confident in that.
>
> In addition, for certain resources in that directory such as abc.html
> and def.html, I only want specific users to have access to those
> resources, but still subject to the 10.10.10.x IP address restriction.
>
> My concern at first would be will Apache seeing the restriction on
> <Files abc.html> and requiring user andy continue to respect the
> Limits I have on GET and POST requiring a specific IP address range.
> It would be cumbersome to have to repeat the restrictions on IP
> address within each <Files> directive.
>
> So... the bottom line in my intention is that:
> Any request to a Method other than GET or POST is completely blocked.
> Anyone either not on 10.10.10.x OR not having been authenticated as
> andy, bert or charlie is completely blocked.
> Of the authenticated users:
> only andy can access abc.html coming from 10.10.10.x
> only bert can access def.html coming from 10.10.10.x
>
> My testing says that Apache does respect both the user requirement
> with the Files directive and the IP address requirement within the
> Limit directive. The access does work as I intended from the testing I
> have done. However, I really can't find any Apache documentation
> explaining the logic of how Apache would parse that and hence verify
> that both the user requirements with <Files> and IP address
> requirement within <Limit> are combined.
>
> Comments on this approach are very much appreciated.
> #1 Does Apache support this? E.g., not just a fluke that might not
> work in a future Apache release.
> #2 Improvements or a better approach?
>
> Thank you.
>
From the docs:

    In the general case, access control directives should not be placed
    within a <Limit> section. The purpose of the <Limit> directive is to
    restrict the effect of the access controls to the nominated HTTP
    methods. For all other methods, the access restrictions that are
    enclosed in the <Limit> bracket will have no effect.

What's not clear here???
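Following the documentation quoted above, here is one way to restate the original .htaccess so that the IP and user checks are directory-wide and only the method block lives in a <LimitExcept> section. This is an added example written for this thread, not from the Apache docs or the original poster; it keeps the poster's path, realm and user names and assumes Apache 2.2 with mod_auth_basic, mod_authz_host and mod_authz_user loaded and AllowOverride permitting AuthConfig and Limit.

```apache
# Apache 2.2 .htaccess (added example; assumes mod_auth_basic, mod_authz_host
# and mod_authz_user are loaded, and AllowOverride allows AuthConfig and Limit).
AuthUserFile /home/secure/.htpasswd
AuthName "Restricted Access"
AuthType Basic

# Directory-wide rules, NOT wrapped in <Limit>, so they apply to every method.
# Satisfy All (the 2.2 default, stated here for clarity) means both the IP
# check and the user check must pass.
Order deny,allow
Deny from all
Allow from 10.10.10.0/24
Require user andy bert charlie
Satisfy All

# Method block: any method other than GET/POST is refused outright (HEAD is
# treated as GET). "Order allow,deny" here overrides the directory-wide
# deny,allow for those methods only, so the inherited "Allow from
# 10.10.10.0/24" no longer wins for them; the extra Deny is belt and braces.
# The docs note TRACE cannot be controlled by <Limit>/<LimitExcept>; disable
# it with "TraceEnable off" in the server or vhost config instead.
<LimitExcept GET POST>
    Order allow,deny
    Deny from all
</LimitExcept>

# Per-file narrowing. A Require inside <Files> replaces (does not append to)
# the directory-wide Require list, while Order/Allow/Deny are inherited
# untouched because these sections set none of their own. Keep it that way:
# mod_authz_host in 2.2 has no per-directory merge function, so a <Files>
# section that sets its own Order/Allow/Deny would replace, not extend, the
# directory-wide IP rules.
<Files abc.html>
    Require user andy
</Files>

<Files def.html>
    Require user bert
</Files>
```

A quick check after deploying: a PUT or OPTIONS from 10.10.10.x should return 403 without an authentication challenge, a GET from outside 10.10.10.0/24 should return 403 even with valid credentials, and a GET for abc.html as bert from 10.10.10.x should return 401.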