On 11/30/2020 12:43 PM, Michael wrote:
> I don't have time to look into this in much detail, or test it, but see 
> comments below.
> 
> On Monday, 30 November 2020 18:09:52 GMT the...@sys-concept.com wrote:
>> On 11/30/2020 05:34 AM, Michael wrote:
>>> On Sunday, 29 November 2020 18:22:09 GMT the...@sys-concept.com wrote:
>>>> Thelma
>>>>
>>>> On 11/29/2020 03:22 AM, Michael wrote:
>>>>> On Sunday, 29 November 2020 07:30:16 GMT the...@sys-concept.com wrote:
>>>>>> I'm trying to deny access to all except specific IP address in a
>>>>>> directory, just testing it.
>>>>>>
>>>>>> In modules.d/00_default_settings.conf
>>>>>>
>>>>>> <Directory "/var/www/localhost/htdocs">
>>>>>>
>>>>>>  Options MultiViews
>>>>>>  AllowOverride All
>>>>>>  Require all granted
>>>>>>
>>>>>> </Directory>
>>>>>>
>>>>>> in admin/.htaccess
>>>>>>
>>>>>> <RequireAll>
>>>>>>
>>>>>>     Require all denied
>>>>>>     Require ip 10.0.0.100
>>>>>>
>>>>>> </RequireAll>
>>>>>>
>>>>>> My IP is 10.0.0.112 and I can still access the server /admin directory
>>>>>>
>>>>>> What am I missing?
>>>>>
>>>>> In apache 2.4 the access control syntax has changed.  The RequireAll
>>>>> directive means *all* authorisation directives within it must succeed.
>>>>>
>>>>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
>>>>>
>>>>> What happens if you just remove the first line, "Require all denied"?
>>>>
>>>> As you suggested I have:
>>>> in admin/.htaccess
>>>>
>>>> <RequireAll>
>>>>
>>>>     Require ip 10.0.0.100
>>>>
>>>> </RequireAll>
>>>>
>>>> My IP is: 10.0.0.112 and it still allows me to access it.  I know apache
>>>> 2.4 is reading the file as the below directive works.
>>>
>>> I've tested different RequireAll directives in a .htaccess file and with
>>> otherwise default apache  settings I can confirm:
>>>
>>> This is correct:
>>> =========================
>>> <RequireAll>
>>>
>>>     Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> will only allow visitors from 10.0.0.100 to access the directory content.
>>>
>>> This is also correct:
>>> =========================
>>> <RequireAll>
>>>
>>>     Require all granted
>>>     Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> will only allow visitors from 10.0.0.100 to access the directory content.
>>>
>>> Finally, this won't work:
>>> =========================
>>> <RequireAll>
>>>
>>>     Require all denied
>>>     Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> because it returns 403 for all clients irrespective of IP address, since
>>> both subdirectives must be correct for the RequireAll to be true.
>>>
>>> I notice you have 'Options MultiViews' in your modules.d/
>>> 00_default_settings.conf, which will parse paths to find and serve any
>>> file requested by the client even if the URL is not complete.  It might be
>>> this conflicts with your .htaccess within admin/ subdirectory, but I'm not
>>> sure.  Something in apache logs may shed light on this.
>>>
>>>> AuthName "restricted stuff"
>>>> AuthType Basic
>>>> AuthUserFile "/etc/apache2/users"
>>>> require user webmaster
>>>>
>>>> I've tried adding
>>>> RewriteEngine on
>>>>
>>>> With it, I can not login at all (access denied) regardless of IP.
>>>
>>> With apache 2.4 a new <If> directive was added to perform conditional
>>> checks and replace/augment many of the mod_rewrite functionalities.  I
>>> don't know how you have structured your RewriteCond and RewriteRule, but
>>> obviously they don't work as intended if they totally block access.
>>>
>>> You could check conflicting rules between your apache config and any
>>> .htaccess directives, or any loose and contradictory .htaccess files in
>>> higher subdirectories.
>>
>> Here is complete file:   modules.d/00_default_settings.conf
>> I've removed 'Options MultiViews' but it didn't help.
>>
>> Timeout 300
>> KeepAlive On
>> MaxKeepAliveRequests 100
>> KeepAliveTimeout 15
>> UseCanonicalName Off
>> AccessFileName .htaccess
>> ServerTokens Prod
>> TraceEnable off
>> ServerSignature Off
>> HostnameLookups Off
>> EnableMMAP On
>> EnableSendfile Off
>> FileETag MTime Size
>> ContentDigest Off
>> ErrorLog /var/log/apache2/error_log
>> LogLevel warn
>>
>> <Directory />
>>      Options FollowSymLinks
>>      AllowOverride None
>>      Require all denied
>> </Directory>
>>
>> <Directory "/var/www/localhost/htdocs">
>>      AllowOverride All
>>      Require all granted
>> </Directory>
>>
>> <IfModule dir_module>
>>      DirectoryIndex index.html index.html.var
>> </IfModule>
>>
>> <FilesMatch "^\.ht">
>>      Require all denied
>> </FilesMatch>
>>
>> The server root .htaccess is empty
>> In server root/admin/.htaccess
>>
>> <RequireAll>
>>    Require ip 10.0.0.100
>> </RequireAll>
> 
> Hmm ... as I understand it the <RequireAll> directive is evaluated to make an 
> authorisation decision, before the authentication directive below.  If the 
> authorisation fails, because you're not connecting from ip 10.0.0.100, then I 
> would assume apache should return 403 and stop processing further directives. 
>  
> However, from what you say it does not do this.  :-/
> 
> I wonder if you add 'AuthMerging And' above your authentication directives 
> below, it would work as expected - i.e. both 'ip 10.0.0.100' and 'user 
> webmaster' should succeed before access to /admin is allowed.
> 
>> AuthName "restricted stuff"
>> AuthType Basic
>> AuthUserFile "/etc/apache2/users"
>> require user webmaster
>>
>> My IP is 10.0.0.109 so I should be denied access to admin/index.php but
>> I'm able to view it/access it.
>> It seems to me it is reading .htaccess file as "AuthType Basic" works, it
>> is asking me for a password, but "Require ip" doesn't work.  Because my
>> IP is 10.0.0.109 apache should deny me access with "access denied".
> 
> 
> Something else to try instead of <RequireAll>, in case it makes a difference. 
>  
> Does it work as intended if you replace <RequireAll> with a filesystem 
> container:
> 
>  <Directory "/var/www/localhost/htdocs/*/admin">
>      Require ip 10.0.0.100
>  </Directory>
> 
> Or, if this is a set of pages dynamically generated by php, rather than a 
> static file within the admin directory, use a webspace container:
> 
>  <Location "*/admin">
>      Require ip blah
>  </Location>

Thanks for looking into it and input.
I must be missing something because if I use in the .htaccess file the directive:
 <Directory "/var/www/localhost/htdocs/*/admin"> or
 <Location "*/admin">

In both cases I get an error from Apache:

[client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess: <Directory not allowed here
[client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess: <Location not allowed here
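As an added example (not part of the thread): the admin/.htaccess exactly as posted, annotated with how mod_authz_core combines its directives, beside a version that requires both conditions, and the same restriction placed in the server config, which is the only context where a <Directory> container is permitted. Paths, the IP and the user name are the thread's own; putting the container in 00_default_settings.conf is an assumption.

```apache
# --- admin/.htaccess as posted in the thread (behaviour annotated) ---
# Require directives that are not inside a RequireAll/RequireAny container
# are implicitly grouped into a RequireAny with their siblings, so the
# effective rule of this file is:
#     (client ip is 10.0.0.100)  OR  (authenticated user is webmaster)
# A client on 10.0.0.109 fails the first branch, is prompted for Basic
# auth, and once logged in as webmaster is granted by the second branch.
<RequireAll>
    Require ip 10.0.0.100
</RequireAll>
AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
Require user webmaster

# --- Corrected admin/.htaccess: both conditions must hold ---
# Only one RequireAll container; a request from any other address gets
# 403 even with valid credentials.
AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
<RequireAll>
    Require ip 10.0.0.100
    Require user webmaster
</RequireAll>

# --- Same restriction in the server config (assumed: appended to
# --- modules.d/00_default_settings.conf). <Directory> and <Location> are
# --- not allowed in .htaccess, which is the "not allowed here" error above.
<Directory "/var/www/localhost/htdocs/catalog/admin">
    AuthName "restricted stuff"
    AuthType Basic
    AuthUserFile "/etc/apache2/users"
    <RequireAll>
        Require ip 10.0.0.100
        Require user webmaster
    </RequireAll>
</Directory>
```

Running `apachectl -t` after editing the server config reports a container placed in the wrong context before the configuration is reloaded; .htaccess files are not checked by it, so test those with a request from a non-listed address and expect a 403.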