On 12/02/2013 1:50 PM, "Phil Smith" <philbo...@gmail.com> wrote:
>
> I'm trying to find some Apache documentation verifying that the access
> configs listed below, in the manner I find them to be working, are truly
> supported by Apache and are reasonable. (I'm using Apache 2.2.3.)
>
> In a given directory in web space I have an .htaccess file with
> information such as the following (various SSL requirements are left
> out of the example for simplicity):
>
> AuthUserFile /home/secure/.htpasswd
> AuthName "Restricted Access"
> AuthType Basic
>
> <Files abc.html>
> require user andy
> </Files>
>
> <Files def.html>
> require user bert
> </Files>
>
> <Limit GET POST>
> order deny,allow
> deny from all
> allow from 10.10.10.0/24
> require user andy bert charlie
> </Limit>
>
> <LimitExcept GET POST>
> order deny,allow
> deny from all
> </LimitExcept>
>
> What I'm looking to do is restrict all access to anything in this
> directory to either GET or POST, and then only to certain IP addresses
> (anything on the 10.10.10.x network) and listed authenticated users.
> Any other methods should be completely rejected. Any resource in that
> directory protected by the .htaccess file should require a valid user
> of andy, bert or charlie. Those requirements should be accomplished by
> the Limit/LimitExcept directives. I'm reasonably confident in that.
>
> In addition, for certain resources in that directory such as abc.html
> and def.html, I only want specific users to have access to those
> resources, but still subject to the 10.10.10.x IP address restriction.
>
> My concern at first would be: will Apache, seeing the restriction on
> <Files abc.html> and requiring user andy, continue to respect the
> Limits I have on GET and POST requiring a specific IP address range?
> It would be cumbersome to have to repeat the restrictions on IP
> address within each <Files> directive.
>
> So... the bottom line in my intention is that:
> Any request to a Method other than GET or POST is completely blocked.
> Anyone either not on 10.10.10.x OR not having been authenticated as
> andy, bert or charlie is completely blocked.
> Of the authenticated users:
> only andy can access abc.html coming from 10.10.10.x
> only bert can access def.html coming from 10.10.10.x
>
> My testing says that Apache does respect both the user requirement
> with the Files directive and the IP address requirement within the
> Limit directive. The access does work as I intended from the testing I
> have done. However, I really can't find any Apache documentation
> explaining the logic of how Apache would parse that and hence verify
> that both the user requirements with <Files> and the IP address
> requirement within <Limit> are combined.
>
> Comments on this approach are very much appreciated.
> #1 Does Apache support this? e.g. not just a fluke that might not
> work in a future Apache release.
> #2 Improvements or a better approach?
>
> Thank you.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>

From the docs:

In the general case, access control directives should not be placed within a <Limit> section. The purpose of the <Limit> directive is to restrict the effect of the access controls to the nominated HTTP methods. For all other methods, the access restrictions that are enclosed in the <Limit> bracket will have no effect.

What's not clear here???
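The same policy laid out the way the quoted doc text suggests, with the host and user checks outside any <Limit> so they apply to every method. This is an added example, not Phil's posted .htaccess and not text from the Apache documentation; it assumes Apache 2.2 and reuses the users, password file path and 10.10.10.0/24 range from the question.

```apache
# Added example (not the original poster's config). Assumes Apache 2.2 and the
# same users, password file and address range as the question.
AuthUserFile /home/secure/.htpasswd
AuthName "Restricted Access"
AuthType Basic

# These apply to every method. Satisfy All is the 2.2 default, so a request
# must pass both the Allow/Deny host check and the Require user check.
# The Order keywords must be joined by a bare comma: "deny, allow" with a space
# is a syntax error, and in an .htaccess file that means a 500 response.
Order deny,allow
Deny from all
Allow from 10.10.10.0/24
Require user andy bert charlie

# Reject anything that is not GET or POST, whatever the source address.
# Order, Allow and Deny each remember which methods they were set for. If this
# block used "Order deny,allow", the directory-level "Allow from 10.10.10.0/24"
# (which covers all methods) would be evaluated after the Deny and override it,
# so a LAN client could still PUT or DELETE once authenticated. With
# "Order allow,deny" the Deny is evaluated last and wins for these methods.
<LimitExcept GET POST>
    Order allow,deny
    Deny from all
</LimitExcept>

# Per-file narrowing. In 2.2 a Require in a more specific section replaces the
# enclosing Require list rather than extending it, so abc.html is left with
# "Require user andy" only, while the Allow/Deny host check is inherited
# unchanged from the directory level.
<Files abc.html>
    Require user andy
</Files>

<Files def.html>
    Require user bert
</Files>
```

In the posted .htaccess the Allow sits inside <Limit GET POST>, so it never applies to other methods and the <LimitExcept> block works with either Order; the layout above keeps the "everything else is blocked" property without relying on where the Allow happens to sit. A quick check for either version is to send a PUT or DELETE from an address inside 10.10.10.0/24 with valid credentials and confirm it is refused before the per-user rules are ever reached.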