On 7/29/2020 6:34 PM, Jim Albert wrote:
In Apache 2.2 I could set up an .htaccess file and establish simple and easily maintainable access control such as:

    <FILES abc.html>
        require user jim joe
    </FILES>
    <FILES def.html*>
        require user jim joe
    </FILES>
    <Limit GET POST>
        order deny,allow
        deny from all
        allow from 10.10.0.1
        allow from 10.10.0.2
        require valid-user
    </Limit>
    <LimitExcept GET POST>
        order deny,allow
        deny from all
    </LimitExcept>

... and that would work very nicely, so that for resources other than abc.html and def.html as defined in the FILES section, the request would have to come from client 10.10.0.1 or 10.10.0.2 and be any authenticated user. The <Limit GET POST> is the only restriction.

If the request were specifically for abc.html or def.html, the GET request would still be required to originate from 10.10.0.1 or 10.10.0.2, but now the user must be specifically jim or joe as defined in the <FILES> restriction. So both the <Limit GET POST> restrictions were respected along with the FILES restriction requiring specific user authentication.

In Apache 2.4, access control configurations change, so I migrate the above to:

    <FILES abc.html>
        require user jim joe
    </FILES>
    <FILES def.html*>
        require user jim joe
    </FILES>
    <Limit GET POST>
        <RequireAll>
            Require ip 10.10.0.1
            Require valid-user
        </RequireAll>
        <RequireAll>
            Require ip 10.10.0.2
            Require valid-user
        </RequireAll>
    </Limit>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>

In Apache 2.4, combining access for multiple IPs in combination with users makes the configuration somewhat more complex, but I can live with that.

However, I can't easily get the same access experience as in 2.2 without a lot of redundant configuration. In my 2.4 configuration, the FILES directives are looked at without respect to the Limit on the GET/POST. I can comment out:

    <RequireAll>
        Require ip 10.10.0.1
        Require valid-user
    </RequireAll>

and I'm still allowed to make a request to either abc.html or def.html as defined in the FILES section as long as I am authenticated as user jim or joe, even with the request originating from 10.10.0.1.

It seems like I'd have to do something like the following, which seems absurd and incredibly redundant and difficult to maintain with changes.

    <FILES abc.html>
        <RequireAll>
            Require ip 10.10.0.1
            require user jim joe
        </RequireAll>
        <RequireAll>
            Require ip 10.10.0.2
            require user jim joe
        </RequireAll>
    </FILES>
    <FILES def.html*>
        <RequireAll>
            Require ip 10.10.0.1
            require user jim joe
        </RequireAll>
        <RequireAll>
            Require ip 10.10.0.2
            require user jim joe
        </RequireAll>
    </FILES>
    <Limit GET POST>
        <RequireAll>
            Require ip 10.10.0.1
            Require valid-user
        </RequireAll>
        <RequireAll>
            Require ip 10.10.0.2
            Require valid-user
        </RequireAll>
    </Limit>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>

I tested, and the above does seem to work in getting me the access control that I want, but the configurations are incredibly redundant and difficult to manage. Expand that out to a dozen more IPs and dozens of resources and that configuration gets very long.

Note, in my production environment there are many users other than jim and joe, and users are restricted to certain resources. Not all users are allowed access to the same set of resources.

Can anyone simplify those Apache 2.4 restrictions or instruct me on what I might be overlooking or misunderstanding, please?
I did some more testing and I can list multiple IP addresses on the "Require ip" line, so I believe I can simplify my .htaccess controls to the following:
    <FILES abc.html>
        <RequireAll>
            Require ip 10.10.0.1 10.10.0.2
            require user jim joe
        </RequireAll>
    </FILES>
    <FILES def.html*>
        <RequireAll>
            Require ip 10.10.0.1 10.10.0.2
            # Note I added jack to the user list to indicate my user list access controls change per resource.
            require user jim joe jack
        </RequireAll>
    </FILES>
    <Limit GET POST>
        <RequireAll>
            Require ip 10.10.0.1 10.10.0.2
            Require valid-user
        </RequireAll>
    </Limit>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>

However, note how the list of IP addresses is required to be continuously repeated in Apache 2.4 access control. That looks to be my biggest issue. For each <FILES> section along with the default <Limit GET POST> I have to repeat the same Require ip line. If I have, say, 100 separate <FILES> sections, I have to repeat that same Require ip line for each <FILES>. Adding or removing IP addresses becomes a maintenance issue.
Thanks, Jim
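As an added example, not part of Jim's message: the behaviour he describes (a <Files> section's Require logic replacing, rather than combining with, the enclosing section's) is the Apache 2.4 default of mod_authz_core's AuthMerging Off; setting AuthMerging And in the .htaccess combines each nested section's authorization with the enclosing one, so the IP list is written once. Assumptions: AllowOverride grants AuthConfig and Limit for this directory, and the AuthType/AuthName/AuthUserFile directives already exist; the addresses and user names are the ones from the thread.

```apacheconf
# .htaccess (added example; assumes AllowOverride AuthConfig Limit and an
# existing AuthType/AuthName/AuthUserFile setup for this directory)

# Combine each nested section's Require logic with the enclosing section's
# using AND, instead of letting the <Files> sections replace it (the 2.4
# default, AuthMerging Off, which produces the behaviour described above).
AuthMerging And

# Base rule for every resource in the directory: GET/POST only from the
# listed clients, by any authenticated user. The IP list appears once.
<Limit GET POST>
    <RequireAll>
        Require ip 10.10.0.1 10.10.0.2
        Require valid-user
    </RequireAll>
</Limit>

# Every other method is refused outright.
<LimitExcept GET POST>
    Require all denied
</LimitExcept>

# Per-resource narrowing. With AuthMerging And these are ANDed with the base
# rule: a GET for abc.html still needs an allowed source address and a valid
# login, and additionally the user must be jim or joe.
<Files abc.html>
    Require user jim joe
</Files>

# Different user list for a different resource; the IP list is not repeated.
<Files "def.html*">
    Require user jim joe jack
</Files>
```

Verify on your own build before relying on it: a GET for abc.html as jim from a non-listed address, and a GET from 10.10.0.1 as a valid user who is not jim or joe, should both be refused, while a GET for any other file from 10.10.0.1 by any valid user should succeed.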