I have a problem figuring out how to create the right configuration for Apache 2.4 with mod_authz_core, specifically with the combination of RequireAny/All and Require valid-user.
I need this configuration: the website blocks access from specified countries, but I have a list of specific IP addresses that have to be whitelisted and have access to the website (even from a blocked country).
And there is a part of the website which requires AuthBasic authentication from a .htaccess file.
First of all, I am trying to migrate an old Apache configuration from 2.2 to Apache 2.4.
Old configuration:
# blocking for specified countries
SetEnvIf GEOIP_COUNTRY_CODE AB BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE AC BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE AD BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE AE BlockCountry
<LocationMatch "/*">
    Order deny,allow
    deny from .zx
    deny from env=BlockCountry
    allow from 127.0.0.1
    Include "/etc/httpd/conf/permited-xx-ip.include.old"
</LocationMatch>
This works absolutely fine on Apache 2.2.
I changed it to this to match the new Apache 2.4:
<LocationMatch "/.*">
    <RequireAny>
        <RequireAll>
            Require all granted
            Require not host .xx
            Require not env BlockCountry
        </RequireAll>
        <RequireAny>
            Require local
            Include "/etc/httpd/conf/permited-xx-ip.include"
        </RequireAny>
    </RequireAny>
</LocationMatch>
file /etc/httpd/conf/permited-xx-ip.include contains lines:
Require ip x.x.x.x
And this works fine, but the problem is that when I have a directory which has a .htaccess with an AuthBasic directive, it will not prompt for username/password.
I was checking the logs and it seems that the RequireAny/All allows access without prompting for a password.
.htaccess file:
AuthName "members"
AuthType Basic
AuthUserFile ./data/.htpasswd
AuthBasicProvider file
Require valid-user
If I comment out the Require section in the Apache conf file, it will prompt for user/password.
I also tried the old configuration with mod_compat, but the configuration does not work as intended (it will not consider whitelisted IPs).
Thanks for reading this long post.
Any suggestions?
I think I figured it out.
The right configuration should look like this:
<Directory /var/www/www-root>
    <RequireAny>
        <RequireAll>
            Require all granted
            Require not host .xx
            Require not env BlockCountry
        </RequireAll>
        <RequireAny>
            Require local
            Include "/etc/httpd/conf/permited-ip.include"
        </RequireAny>
    </RequireAny>
</Directory>
Plus the configuration for the directory with AuthBasic .htaccess:
<Directory /var/www/www-root/dirwithauthbasic>
    <RequireAll>
        <RequireAny>
            <RequireAll>
                Require all granted
                Require not host .xx
                Require not env BlockCountry
            </RequireAll>
            <RequireAny>
                Require local
                Include "/etc/httpd/conf/permited-ip.include"
            </RequireAny>
        </RequireAny>
        Require valid-user
    </RequireAll>
</Directory>
sorry for messed format
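An alternative to repeating the country/IP policy in a second <Directory> block, shown as an added example that is not part of the original posts: keep the base policy once and let the protected directory's .htaccess combine with it through AuthMerging And. The AllowOverride AuthConfig line is an assumption about the server setup; the paths are the ones used above.

```apache
# Server config: base policy for the whole site (country block plus IP
# allowlist), same logic as in the answer above.
<Directory /var/www/www-root>
    # Assumption: .htaccess files are allowed to carry Auth*, Require and
    # AuthMerging directives.
    AllowOverride AuthConfig

    <RequireAny>
        <RequireAll>
            Require all granted
            Require not host .xx
            Require not env BlockCountry
        </RequireAll>
        <RequireAny>
            Require local
            Include "/etc/httpd/conf/permited-ip.include"
        </RequireAny>
    </RequireAny>
</Directory>

# File: /var/www/www-root/dirwithauthbasic/.htaccess
AuthName "members"
AuthType Basic
AuthBasicProvider file
AuthUserFile ./data/.htpasswd

# The default is "AuthMerging Off": the Require in this file would replace
# the inherited policy, so any valid user would pass regardless of country.
# "And" combines this section with the nearest preceding section that has
# authorization logic, as if both were wrapped in one <RequireAll>.
AuthMerging And
Require valid-user
```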
Related
I have the following folder structure
domain.com (/public_html/)
sub.domain.com (/public_html/sub/)
sub.domain.com/dir1/ (/public_html/sub/dir1/)
sub.domain.com/dir1/dir2/ (/public_html/sub/dir1/dir2/)
If I put the following in my .htaccess file at any of these directories:
DirectoryIndex index.php
require valid-user
<RequireAny>
Require ip x.x.x.x
</RequireAny>
It has no effect when loading any files in these directories.
Additionally, if I want multiple Require rules to have and/or, then it gets a little more complicated, for example:
# Allowing Access via Password or one of the following IP Addresses
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/.htpasswds/.htpasswd
<RequireAll>
    require valid-user
    <RequireAny>
        Require ip x.x.x.x
        Require ip y.y.y.y
    </RequireAny>
</RequireAll>
Apache did follow the rules set, but switching to LiteSpeed Enterprise web server has meant that IP restrictions have been ignored.
What am I missing here?
require valid-user
<RequireAny>
Require ip x.x.x.x
</RequireAny>
This would seem to be overkill for Apache 2.4. <RequireAny> is the default container. The above 4 lines are the same as the one-line Require ip x.x.x.x.
However, my experience with LiteSpeed is that it behaves more like an Apache 2.2 server and (annoyingly) silently fails on directives it does not understand (although there might be something logged in the server's error log).
Try the following (Apache 2.2 style) directives instead:
Order Allow,Deny
Allow from x.x.x.x
What I want to achieve:
one .htaccess file for production and staging
basic auth protection for staging environment (based on hostname)
block specific IP on both environments
What I tried so far:
SetEnvIfNoCase Host development\.foobar\.tld authRequired
<RequireAny>
    <RequireAll>
        Require all granted
        Require not ip 1.2.3.4
    </RequireAll>
    <RequireAny>
        <RequireAll>
            Require all granted
            Require not env authRequired
        </RequireAll>
        AuthType Basic
        AuthName "Development"
        AuthUserFile /path/to/.htpasswd
        Require valid-user
    </RequireAny>
</RequireAny>
My problem now is that the IP block is ignored. I've no idea how to properly nest the Require directives.
I have a similar setup, but I'm not using password-based authentication for it. However, I think that this approach should work for you too.
What you need to do is to store the result of the IP check in a variable for later use.
The code below is untested but I think it will work:
SetEnvIf X-Forwarded-For "^1\.2\.3\.4" reject-access
<If "%{HTTP_HOST} =~ /development\.foobar\.tld$/">
    AuthType Basic
    AuthName "Development"
    AuthUserFile /path/to/.htpasswd
    <RequireAll>
        Require not env reject-access
        Require valid-user
    </RequireAll>
</If>
<Else>
    <RequireAll>
        Require not env reject-access
    </RequireAll>
</Else>
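Another way to nest the directives from the question so that the IP block holds on both environments, shown as an added example that is not part of the question or the answer. In the question's version the outer container is RequireAny, so a request from the blocked address that fails the first branch is still let in by the second; here the outer container is RequireAll. Hostname, address and path are the question's own placeholders.

```apache
SetEnvIfNoCase Host development\.foobar\.tld authRequired

AuthType Basic
AuthName "Development"
AuthUserFile /path/to/.htpasswd

# Outer container is RequireAll: no child may fail.
<RequireAll>
    # A positive directive, so the container does not consist of
    # negated directives only.
    Require all granted

    # Applies on production and staging alike. "Require ip" matches the
    # connection's client address; behind a reverse proxy that is the
    # proxy's address unless mod_remoteip is configured.
    Require not ip 1.2.3.4

    # Either the request is not for the staging host, or the user has
    # authenticated.
    <RequireAny>
        <RequireAll>
            Require all granted
            Require not env authRequired
        </RequireAll>
        Require valid-user
    </RequireAny>
</RequireAll>
```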
I haven't been able to find the right answer for this on StackOverflow, so I figured I would ask and hopefully others are looking for the same:
I am using the same .htaccess for local, dev and prod and want to HTTP_AUTH our DEV box. Here is my .htaccess:
RewriteEngine On
RewriteBase /
SetEnvIf Host "localenv" SITE_ENV=LOCAL
SetEnvIf Host "devdomain.com" SITE_ENV=DEV
SetEnvIf Host "proddomain.com" SITE_ENV=PROD
Order deny,allow
Satisfy any
Deny from SITE_ENV=DEV
AuthType Basic
AuthName "Access"
AuthUserFile /path/to/.htpasswd
Require valid-user
This works when I'm in my local environment, but when I switch the Deny from SITE_ENV=DEV to Deny from SITE_ENV=LOCAL I don't get the authentication requirement anymore, which leads me to believe the code isn't working. I also have changed the AuthUserFile path to point to the local .htpasswd, but I figured this would show up in the logs if it couldn't find the .htpasswd file.
Any guidance here?
You can use:
SetEnvIf Host "localenv" SITE_ENV=LOCAL
SetEnvIf Host "devdomain.com" SITE_ENV=DEV
SetEnvIf Host "proddomain.com" SITE_ENV=PROD
AuthType Basic
AuthName "Access"
AuthUserFile /path/to/.htpasswd
Require valid-user
Order Allow,Deny
Allow from all
Deny from SITE_ENV=DEV
Satisfy any
I am trying to allow Amazon CDN to access the resources on my password-protected staging site (HTTP Basic Authentication).
This is the code I have in the httpd.conf file for it:
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName staging.domain.com
    DocumentRoot /var/www/html
    <Directory "/var/www/html/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride all
        AuthName "Development Access"
        AuthType Basic
        AuthUserFile /path/to/password.htpasswd
        Require valid-user
        SetEnvIf User-Agent "^Amazon.*" cdn
        Order allow,deny
        Allow from env=cdn
    </Directory>
</VirtualHost>
I'm using SetEnvIf to assign a variable if the user agent is Amazon and then just allowing it, but this is not working. Can somebody please help me out with this one?
The problem is that a valid user is required to get to the content, regardless of the user agent used.
Give this article in the Apache Manual a read, specifically take a look at the RequireAny bit. That allows you to set up the rules with the complexity you require. Your config code would look something like this.
SetEnvIf User-Agent "^Amazon.*" cdn
<RequireAny>
    Require valid-user
    Require env cdn
</RequireAny>
This only works on Apache 2.4 upwards. On 2.2 you can look at this article in the Apache Wiki, especially at the Satisfy Any directive. Hope this helps.
If you have Apache 2 and possibly the requirement to access the resources with HTTP Auth, this has worked for me:
<Directory /var/www/yourwebdirectory>
    SetEnvIf User-Agent "^Amazon.*" cdn
    AuthUserFile /etc/apache2/.htpasswd.forthissite
    AuthType Basic
    AuthName "My Files"
    Require valid-user
    Order allow,deny
    Allow from env=cdn
    Satisfy Any
</Directory>
My dev site is running alongside other production sites. I need to deny the dev sites, but allow one URL of the dev sites to be accessible.
AuthType Basic
AuthName "My Development Site"
AuthUserFile /path_to/.htpasswd
Require valid-user
# Need to deny devsite, and working!
SetEnvIf Host .*\.dev\.site\.com$ DEV_SITE
# But allow x.dev.site.com/xml/, I think the idea is to unset DEV_SITE,
# but not working!
SetEnvIf Request_URI ^/xml/ !DEV_SITE
Order Allow,Deny
Allow from all
Deny from env=DEV_SITE
Satisfy any