On Mon, Feb 11, 2013 at 10:05 PM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
>
> On 12/02/2013 1:50 PM, "Phil Smith" <philboonz@xxxxxxxxx> wrote:
>>
>> I'm trying to find some Apache documentation verifying that the access
>> configs listed below, in the manner I find them to be working, are truly
>> supported by Apache and are reasonable. (I'm using Apache 2.2.3.)
>>
>> In a given directory in web space I have an .htaccess file with
>> information such as the following (various SSL requirements are left
>> out of the example for simplicity):
>>
>> AuthUserFile /home/secure/.htpasswd
>> AuthName "Restricted Access"
>> AuthType Basic
>>
>> <Files abc.html>
>> require user andy
>> </Files>
>>
>> <Files def.html>
>> require user bert
>> </Files>
>>
>> <Limit GET POST>
>> order deny,allow
>> deny from all
>> allow from 10.10.10.0/24
>> require user andy bert charlie
>> </Limit>
>>
>> <LimitExcept GET POST>
>> order deny,allow
>> deny from all
>> </LimitExcept>
>>
>> What I'm looking to do is restrict all access to anything in this
>> directory to either GET or POST, and then only to certain IP addresses
>> (anything on the 10.10.10.x network) and listed authenticated users.
>> Any other methods should be completely rejected. Any resource in that
>> directory protected by the .htaccess file should require a valid user
>> of andy, bert or charlie. Those requirements should be accomplished by
>> the Limit/LimitExcept directives. I'm reasonably confident in that.
>>
>> In addition, for certain resources in that directory, such as abc.html
>> and def.html, I only want specific users to have access to those
>> resources, but still subject to the 10.10.10.x IP address restriction.
>>
>> My concern at first would be: will Apache, seeing the restriction on
>> <Files abc.html> and requiring user andy, continue to respect the
>> Limits I have on GET and POST requiring a specific IP address range?
>> It would be cumbersome to have to repeat the restrictions on IP
>> address within each <Files> directive.
>>
>> So... the bottom line in my intention is that:
>> Any request to a Method other than GET or POST is completely blocked.
>> Anyone either not on 10.10.10.x OR not having been authenticated as
>> andy, bert or charlie is completely blocked.
>> Of the authenticated users:
>> only andy can access abc.html coming from 10.10.10.x
>> only bert can access def.html coming from 10.10.10.x
>>
>> My testing says that Apache does respect both the user requirement
>> with the Files directive and the IP address requirement within the
>> Limit directive. The access does work as I intended from the testing I
>> have done. However, I really can't find any Apache documentation
>> explaining the logic of how Apache would parse that, and hence verify
>> that both the user requirements with <Files> and the IP address
>> requirement within <Limit> are combined.
>>
>> Comments on this approach are very much appreciated.
>> #1 Does Apache support this? e.g. not just a fluke that might not
>> work in a future apache release.
>> #2 Improvements or a better approach?
>>
>> Thank you.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
> From the docs:
>
> In the general case, access control directives should not be placed within a
> <Limit> section. The purpose of the <Limit> directive is to restrict the
> effect of the access controls to the nominated HTTP methods. For all other
> methods, the access restrictions that are enclosed in the <Limit> bracket
> will have no effect.
>
> What's not clear here???

I did see that documentation and thought it was terse and not explained
very well given that LimitExcept exists. If I've covered all the Methods,
combining both Limit and LimitExcept, then there are no uncovered Methods.
Desired Methods are allowed with respect to restrictions in the Limit
directive; all others are denied in the LimitExcept. If there were no such
directive as LimitExcept, then I would agree with your quote. Given
LimitExcept exists, my understanding is the two can be properly used
together.

The IP address restrictions fit globally to all resources via the allowed
Methods, so that provides a single place to restrict by IP address, since
all resources are to be restricted by IP address. Following the quote you
present, I imagine I would have to repeat IP address access control in each
Files directive, which is what I would like to avoid. But given that Limit
and LimitExcept exist, they seem reasonable. Refinements per resource could
be made via the Files directive.

It works, and my question is: does it follow documented Apache support for
the flow of parsing the directives to come up with a final set of
restriction criteria?
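As an added example, not part of this thread and not written by either poster, the same policy expressed in Apache 2.4 authorization syntax, where the intended combination (subnet AND user, narrowed per file, every other method refused) is stated explicitly instead of relying on how 2.2 happens to merge Order/Allow/Deny lists with a Require that a <Files> section replaces. It assumes mod_auth_basic, mod_authn_file, mod_authz_core, mod_authz_host and mod_authz_user are loaded and that AllowOverride grants AuthConfig and Limit for the directory; the subnet, users and file names are the ones from the original message.

```apache
# Added example (Apache 2.4), not the thread's own .htaccess.
# Assumes: mod_auth_basic, mod_authn_file, mod_authz_core, mod_authz_host,
# mod_authz_user loaded; AllowOverride AuthConfig Limit for this directory.
AuthUserFile /home/secure/.htpasswd
AuthName "Restricted Access"
AuthType Basic

# mod_authz_core OR's top-level Require directives that sit in one section,
# so the permissive rule must itself be confined to GET and POST. Left
# unlimited, an authenticated user on the subnet would satisfy it for
# DELETE or PUT as well, and the LimitExcept denial below would be OR'ed away.
<Limit GET POST>
    <RequireAll>
        Require ip 10.10.10.0/24
        Require user andy bert charlie
    </RequireAll>
</Limit>

# Every other method is refused. The httpd docs recommend LimitExcept over
# Limit for restrictions precisely because it also covers methods you did
# not think to list.
<LimitExcept GET POST>
    Require all denied
</LimitExcept>

# Per-file narrowing. With the default AuthMerging Off, a Require inside
# <Files> replaces the directory-level rules and silently drops the subnet
# check; AuthMerging And combines them, so the IP test is written once.
<Files abc.html>
    AuthMerging And
    Require user andy
</Files>

<Files def.html>
    AuthMerging And
    Require user bert
</Files>
```

Verify it with the same probes the poster used: a GET of abc.html as bert from 10.10.10.x, a GET of abc.html as andy from outside the subnet, and a DELETE of any file as andy from the subnet should all be refused, while a GET of def.html as bert from the subnet succeeds. The DELETE case is the one worth testing first, since it is the one that breaks if the RequireAll is moved outside the Limit section.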