| comp.info.servers.unix Web servers for UNIX platforms. |
#1 |
I want to limit a web page to only two subnets. One of the subnets I
would like the users to authenticate, the other I do not. I can
partially satisfy this by...

    <Directory /var/html>
    ** authentication stuff
    Allow from sub1.com
    Require valid-user
    Satisfy any
    </Directory>

From sub1 I would not be prompted for authentication, from any other
location, I would. The only problem is I don't want to open it up to
all other locations. I want it to be something like...

    deny from all
    Allow from sub1.com
     * no auth
    Allow from sub2.com
     * require auth

Does anyone know if this is possible?
#2 |
On 17 May 2005 09:36:39 -0700, in comp.infosystems.www.servers.unix,
"adam" <abrust@gmail.com> wrote:

>I want to limit a web page to only two subnets. One of the subnets I
>would like the users to authenticate, the other I do not.
<snip>
>deny from all
>Allow from sub1.com
> * no auth
>Allow from sub2.com
> * require auth
>
>Does anyone know if this is possible?

I put this in my default virtual host which is only used for monitoring
and accessing the server-status page (NOTE: potentially sensitive items
masked).

    <Location />
    AllowOverride None
    AuthType basic
    AuthName "XXchallengeXX"
    AuthUserFile XXdirXX/XXpassword.fileXX
    require user XXusernameXX
    # allow anyone from monitoring IPs
    Order deny,allow
    Deny from all
    # monitoring systems
    Allow from XXX.XXX.XXX.XXX 10.28.1.20/31
    # server iron (load balancer)
    Allow from XXX.XXX.XXX.XXX
    Satisfy any
    </Location>

Anyone connecting from any of the allowed IPs gets direct access.
Otherwise they get challenged and have to supply the username and
password.

HTH,
Jim
#3 |
adam <abrust@gmail.com> wrote:
> I want to limit a web page to only two subnets. One of the subnets I
> would like the users to authenticate, the other I do not. I can
> partially satisfy this by...
>
> <Directory /var/html>

Configuration like the one that follows should allow unauthenticated
access from the 192.168.0.0/24 netblock and also will ask for user
name/password when user connects from any other IP address.

    <Directory /var/html>
    Order allow,deny
    Satisfy any
    Allow from 192.168.0.0/24
    Require valid-user
    AuthType ...
    AuthName ...
    ...
    </Directory>

--
andrei
#4 |
Andrei Ivanov <iva@racoon.riga.lv> wrote:
> Configuration like the one that follows should allow unauthenticated
> access from the 192.168.0.0/24 netblock and also will ask for user
> name/password when user connects from any other IP address.

Which is not what the OP asked for.

Chris
#5 |
I was able to resolve this problem by using the rewrite directive as
well...

    <IfModule mod_rewrite.c>
    # Dots escaped so that "." matches only a literal dot in REMOTE_ADDR
    RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.
    RewriteCond %{REMOTE_ADDR} !^172\.16\.
    RewriteRule ^/secure.*$ - [F,L]
    </IfModule>

The above says that any source IP that is NOT from the above subnets
trying to access the '/secure' page will be redirected to a 'Forbidden'
page.

Then I keep the same allow & satisfy directives:

    <Directory /var/www/html/secure>
    ** authentication stuff
    Allow from 192.168.0.0/24
    Require valid-user
    Satisfy any
    </Directory>

So, the redirect rule ensures that only traffic from the two subnets
listed above can view these pages... The 'Satisfy any' says that if
they are from the 192.168.0.0/24 subnet, there is no need for
authentication and if they are from any other subnet (only
172.16.0.0/16 will be able to view b/c of the rewrite rule), then a
valid user is required to gain access.
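
An added example, not code from any poster in the thread: a small Python model of the decision described in the last post (rewrite prefix check, then `Satisfy any`), compared against CIDR membership for the two subnets. It shows what escaping the dots in the `RewriteCond` patterns changes; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Subnets named in the thread: the first needs no login, the second must log in.
NO_AUTH_NET = ipaddress.ip_network("192.168.0.0/24")
AUTH_NET = ipaddress.ip_network("172.16.0.0/16")

# RewriteCond patterns with and without escaped dots. mod_rewrite applies them
# as regex searches on REMOTE_ADDR, so an unescaped "." matches any character.
UNESCAPED = [r"^192.168.0.", r"^172.16."]
ESCAPED = [r"^192\.168\.0\.", r"^172\.16\."]

# Constructed sample client addresses.
SAMPLES = ["192.168.0.7", "172.16.4.9", "172.160.1.1", "172.17.0.1", "10.0.0.5"]


def rewrite_forbids(addr, patterns):
    """True when every negated RewriteCond holds, so the [F] rule fires."""
    return all(re.search(p, addr) is None for p in patterns)


def decide(addr, patterns, authenticated=False):
    """Model of the posted setup: rewrite check, then Allow + Satisfy any."""
    if rewrite_forbids(addr, patterns):
        return "403"
    if ipaddress.ip_address(addr) in NO_AUTH_NET:
        return "200"  # host check passes, Satisfy any skips the login
    return "200" if authenticated else "401"


def intended(addr, authenticated=False):
    """Policy asked for in the first post, using CIDR membership."""
    ip = ipaddress.ip_address(addr)
    if ip in NO_AUTH_NET:
        return "200"
    if ip in AUTH_NET:
        return "200" if authenticated else "401"
    return "403"


def mismatches(patterns):
    """Sample addresses where the modelled config differs from the policy."""
    return [a for a in SAMPLES
            if any(decide(a, patterns, s) != intended(a, s) for s in (False, True))]


if __name__ == "__main__":
    print("unescaped patterns differ on:", mismatches(UNESCAPED))
    print("escaped patterns differ on:  ", mismatches(ESCAPED))
```

With unescaped dots, `^172.16.` also matches addresses in 172.160.0.0 through 172.169.255.255, so those clients reach the login prompt instead of the Forbidden page.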