Hi,
Configuration question.
Apache version 2.4.23
What I am trying to do is have users authenticate but only allow access
to that authentication method from known IP ranges. To this effect I
have a config file that sets:
<Directory "some_path>
Options +Indexes +FollowSymLinks
IndexOptions +NameWidth=*
PerlAuthenHandler THE::PERL::MODULE
AuthName MODULE
AuthType Basic
Require valid-user
Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
Require ip A_VERY_LONG_LIST_OF_IP_RANGES
Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
</Directory>
The observed behavior is what could be described as "or" behavior.
Meaning even traffic from outside the specified IP ranges is allowed to
hit the auth handler, i.e. the user gets a username/password request
when accessing a path that is not in the "SOME_EXCEPTION" path.
What I am trying to achieve is that Apache blocks any access if the
traffic originates from outside the specified IP ranges.
Is there a potential that I am hitting some limit of the number of IP
ranges specified and thus the whole mechanism of limiting by IP is ignored?
Am I simply mis-interpreting the documentation and I need to structure
the restrictions differently?
Is there some "and" directive to tie the requires together in an "and"
fashion to ensure all "Require" directives are considered?
|