On 11/30/2020 05:34 AM, Michael wrote:
> On Sunday, 29 November 2020 18:22:09 GMT the...@sys-concept.com wrote:
>> Thelma
>>
>> On 11/29/2020 03:22 AM, Michael wrote:
>>> On Sunday, 29 November 2020 07:30:16 GMT the...@sys-concept.com wrote:
>>>> I'm trying to deny access to all except specific IP address in a
>>>> directory, just testing it.
>>>>
>>>> In modules.d/00_default_settings.conf
>>>>
>>>> <Directory "/var/www/localhost/htdocs">
>>>>
>>>>    Options MultiViews
>>>>    AllowOverride All
>>>>    Require all granted
>>>>
>>>> </Directory>
>>>>
>>>> in admin/.htaccess
>>>>
>>>> <RequireAll>
>>>>
>>>>     Require all denied
>>>>     Require ip 10.0.0.100
>>>>
>>>> </RequireAll>
>>>>
>>>> My IP is 10.0.0.112 and I can still access the server /admin directory
>>>>
>>>> What am I missing?
>>>
>>> In apache 2.4 the access control syntax has changed.  The RequireAll
>>> directive means *all* authorisation directives within it must succeed.
>>>
>>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
>>>
>>> What happens if you just remove the first line, "Require all denied"?
>>
>> As you suggested I have:
>> in admin/.htaccess
>>
>> <RequireAll>
>>     Require ip 10.0.0.100
>> </RequireAll>
>>
>> My IP is: 10.0.0.112 and it still allows me to access it.  I know apache
>> 2.4 is reading the file as the below directive works.
> 
> I've tested different RequireAll directives in a .htaccess file and with 
> otherwise default apache  settings I can confirm:
> 
> This is correct:
> =========================
> <RequireAll>
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> will only allow visitors from 10.0.0.100 to access the directory content.
> 
> This is also correct:
> =========================
> <RequireAll>
>     Require all granted
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> will only allow visitors from 10.0.0.100 to access the directory content.
> 
> Finally, this won't work:
> =========================
> <RequireAll>
>     Require all denied
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> because it returns 403 for all clients irrespective of IP address, since both 
> subdirectives must be correct for the RequireAll to be true.
> 
> I notice you have 'Options MultiViews' in your
> modules.d/00_default_settings.conf, which will parse paths to find and serve
> any file requested by the client even if the URL is not complete.  It might
> be this conflicts with your .htaccess within admin/ subdirectory, but I'm not
> sure.  Something in apache logs may shed light on this.
> 
> 
>> AuthName "restricted stuff"
>> AuthType Basic
>> AuthUserFile "/etc/apache2/users"
>> require user webmaster
>>
>> I've tried adding
>> RewriteEngine on
>>
>> With it, I can not login at all (access denied) regardless of IP.
> 
> With apache 2.4 a new <If> directive was added to perform conditional checks
> and replace/augment many of the mod_rewrite functionalities.  I don't know
> how you have structured your RewriteCond and RewriteRule, but obviously they
> don't work as intended if they totally block access.
>
> You could check conflicting rules between your apache config and any
> .htaccess directives, or any loose and contradictory .htaccess files in
> higher subdirectories.

Here is the complete file:   modules.d/00_default_settings.conf
I've removed 'Options MultiViews' but it didn't help.

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
UseCanonicalName Off
AccessFileName .htaccess
ServerTokens Prod
TraceEnable off
ServerSignature Off
HostnameLookups Off
EnableMMAP On
EnableSendfile Off
FileETag MTime Size
ContentDigest Off
ErrorLog /var/log/apache2/error_log
LogLevel warn

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory "/var/www/localhost/htdocs">
        AllowOverride All
        Require all granted
</Directory>

<IfModule dir_module>
        DirectoryIndex index.html index.html.var
</IfModule>

<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>

The server root .htaccess is empty
In server root/admin/.htaccess

<RequireAll>
   Require ip 10.0.0.100
</RequireAll>

AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
require user webmaster

My IP is 10.0.0.109 so I should be denied access to admin/index.php but
I'm able to view it/access it.
It seems to me it is reading the .htaccess file, as "AuthType Basic" works: it
is asking me for a password, but "Require ip" doesn't work.  Because my
IP is 10.0.0.109, apache should deny me access with "access denied".

It is strange, as the directive "DirectoryIndex index.html
index.html.var" does not include "index.php" and I'm able to access this
file "admin/index.php",
so the index.php must be defined somewhere else. Most likely via httpd.conf:

httpd.conf:75:LoadModule autoindex_module modules/mod_autoindex.so  (but
this is a binary file, can not read it).
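
Added example, not part of the original message: in Apache 2.4's mod_authz_core, authorization directives that sit side by side in one section without an enclosing container are evaluated as an implicit `<RequireAny>`, so the admin/.htaccess layout above admits either a client at 10.0.0.100 or an authenticated `webmaster`. The fragment keeps the values from the message and places both conditions in one `<RequireAll>`; that both restrictions are wanted is an assumption.

```apache
# admin/.htaccess: added illustration, using the values from the message above.
#
# Layout as posted (shown commented out). The <RequireAll> block and the
# bare "Require user" are siblings, so mod_authz_core wraps them in an
# implicit <RequireAny>: EITHER the IP matches OR the user is webmaster.
#
#   <RequireAll>
#       Require ip 10.0.0.100
#   </RequireAll>
#   Require user webmaster
#
# Stricter layout: both conditions inside one <RequireAll>, so a client must
# come from 10.0.0.100 AND authenticate as webmaster.
# (Assumption: both restrictions are wanted. For IP-only access, drop the
# Auth* lines and the "Require user" line.)

AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"

<RequireAll>
    Require ip 10.0.0.100
    Require user webmaster
</RequireAll>
```

With this layout a request from 10.0.0.109 is refused even when the webmaster password is supplied.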

