Re: Trouble Securing a directory correctly

Hi! 

2017-01-31 16:56 GMT+01:00 Darryl Philip Baker <darryl.baker@xxxxxxxxxxxxxxxx>:

I have a directory defined inside a virtual host that I want to be accessible only from inside our networks. What is happening is that the rules don’t seem to be working as I expect: browsers that do not match the criteria are getting access. One complexity is that the parent path is secured by our SSO solution using AM Agent. The browser is prompting for the SSO credentials. Here is my directory definition:

 

    <Directory "/nuinfo/httpd/htdocs/it-virtual-v2/admin-systems/secure">
        Require all denied
        <RequireAny>
            Require host northwestern.edu
            Require host wireless.northwestern.private
            Require ip 129.105.0.0/16
            Require ip 165.124.0.0/16
            Require ip 165.20.108.150
            Require ip 165.20.104.30
            Require ip 38.124.31.0/24
            Require ip 10.101.0.0/16
            Require ip 10.102.0.0/15
            Require ip 10.105.0.0/16
        </RequireAny>
    </Directory>


So as far as I can read in [1] you could simply list the "Require"s specified in the RequireAny block and remove the "Require all denied" on the top to achieve what you need to do. Also be aware that Require host triggers DNS lookups for each request that wants to access the content of the directory [2].

Hope that helps! Let me know if anything changes..

Luca


[1]: https://httpd.apache.org/docs/2.4/howto/auth.html#beyond
"By default all Require directives are handled as though contained within a <RequireAny> container directive. In other words, if any of the specified authorization methods succeed, then authorization is granted."

[2]: http://httpd.apache.org/docs/2.4/mod/mod_authz_host.html#requiredirectives
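
An added example, not part of the original thread: a Python check that parses the `Require ip` lines of the block quoted above and reports which listed range, if any, admits a given client address, using the any-one-match rule quoted in [1]. It handles only the full-address and CIDR forms that appear in the message and ignores the `Require host` lines and the SSO layer; the function names and sample clients are assumptions made for the example.

```python
import ipaddress
import re

# Constructed input: the <Directory> block quoted in the message above.
CONFIG = """
<Directory "/nuinfo/httpd/htdocs/it-virtual-v2/admin-systems/secure">
    Require all denied
    <RequireAny>
        Require host northwestern.edu
        Require host wireless.northwestern.private
        Require ip 129.105.0.0/16
        Require ip 165.124.0.0/16
        Require ip 165.20.108.150
        Require ip 165.20.104.30
        Require ip 38.124.31.0/24
        Require ip 10.101.0.0/16
        Require ip 10.102.0.0/15
        Require ip 10.105.0.0/16
    </RequireAny>
</Directory>
"""

def parse_require_ip(config):
    """Return the networks named by `Require ip` lines (full address or CIDR only)."""
    nets = []
    for line in config.splitlines():
        m = re.match(r"\s*Require\s+ip\s+(.+)$", line, re.IGNORECASE)
        if m:
            # One directive may carry several space-separated addresses.
            nets.extend(ipaddress.ip_network(tok, strict=True) for tok in m.group(1).split())
    return nets

def matching_range(client, nets):
    """Any-one-match semantics: return the first range containing client, else None."""
    addr = ipaddress.ip_address(client)
    for net in nets:
        if addr in net:
            return str(net)
    return None

if __name__ == "__main__":
    nets = parse_require_ip(CONFIG)
    # Constructed sample clients; 10.104.0.1 falls between the listed 10.x ranges.
    for client in ("129.105.1.1", "10.103.5.5", "10.104.0.1", "165.20.108.151", "203.0.113.7"):
        print(f"{client:16} -> {matching_range(client, nets) or 'no Require ip match'}")
```

A client that matches no `Require ip` range can still be admitted by one of the `Require host` lines, which this check does not evaluate.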
