On 04/17/2018 10:39 AM, Luca Toscano wrote:
> Hi Robert,
>
> 2018-04-17 16:27 GMT+02:00 Robert Schweikert <rjschwei@xxxxxxxx>:
>
>> Hi,
>>
>> Configuration question.
>>
>> Apache version 2.4.23
>>
>> What I am trying to do is have users authenticate but only allow access
>> to that authentication method from known IP ranges. To this effect I
>> have a config file that sets:
>>
>> <Directory "some_path">
>> Options +Indexes +FollowSymLinks
>> IndexOptions +NameWidth=*
>>
>> PerlAuthenHandler THE::PERL::MODULE
>> AuthName MODULE
>> AuthType Basic
>> Require valid-user
>> Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
>>
>> Require ip A_VERY_LONG_LIST_OF_IP_RANGES
>> Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
>> </Directory>
>>
>> The observed behavior is what could be described as "or" behavior.
>> Meaning even traffic from outside the specified IP ranges is allowed to
>> hit the auth handler, i.e. the user gets a username/password request
>> when accessing a path that is not in the "SOME_EXCEPTION" path.
>>
>> What I am trying to achieve is that Apache blocks any access if the
>> traffic originates from outside the specified IP ranges.
>>
>> Is there a potential that I am hitting some limit of the number of IP
>> ranges specified and thus the whole mechanism of limiting by IP is ignored?
>>
>> Am I simply misinterpreting the documentation and I need to structure
>> the restrictions differently?
>>
>> Is there some "and" directive to tie the requires together in an "and"
>> fashion to ensure all "Require" directives are considered?
>
>
> This might be useful:
> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#logic. By default
> the multiple requires are acting as RequireAny, meanwhile you'd probably
> need RequireAll.
>
> Hope that helps!

Sure was, thanks, solved the problem :)

Later,
Robert

--
Robert Schweikert                   MAY THE SOURCE BE WITH YOU
Distinguished Architect                       LINUX
Team Lead Public Cloud
rjschwei@xxxxxxxx
IRC: robjo
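
Added example, not part of the original messages and not the configuration the poster ended up with: one way to restructure the quoted <Directory> block with the mod_authz_core containers from the linked documentation, so that the IP check is ANDed with the authentication check. It assumes the SOME_EXCEPTION path should skip the password prompt but still be limited to the known ranges; the placeholders are the ones used in the thread.

```apache
<Directory "some_path">
    Options +Indexes +FollowSymLinks
    IndexOptions +NameWidth=*

    PerlAuthenHandler THE::PERL::MODULE
    AuthName MODULE
    AuthType Basic

    # Bare Require lines at the same level are combined as RequireAny (OR).
    # RequireAll makes every child below a mandatory condition (AND).
    <RequireAll>
        # Condition 1: the client address must match at least one range.
        # The two long lists stay ORed with each other inside RequireAny.
        <RequireAny>
            Require ip A_VERY_LONG_LIST_OF_IP_RANGES
            Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
        </RequireAny>

        # Condition 2: either an authenticated user, or a request for the
        # exception path (assumption: that path needs no credentials).
        <RequireAny>
            Require valid-user
            Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
        </RequireAny>
    </RequireAll>
</Directory>
```

To check the result, request a non-exception path from an address outside the listed ranges: the expected response is 403 Forbidden, with no 401 username/password prompt.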