Apache 2.4 Require statements not parsing as expected - apache

I'm trying to migrate from Apache 2.2 over to 2.4. One problem I'm having is getting one of my .htaccess files working as it does in 2.2. Essentially what I'm trying to do is allow all of my servers to get to the website without a password, and then require a simple password when someone not from my network, or on one of our desktops trys to get to it. The statements below are from 2.2 and work as intended. The deny statement is a subset of IP's inside the allowed from group.
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user devuser
order allow,deny
allow from xxx.xxx.xx.x/24 xxx.xxx.xx.x/16 xxx.xxx.xxx.x/24
deny from xxx.xxx.xxx.xxx/25
Satisfy any
This however is how I thought I would do the same thing in 2.4 but I cannot get it to work:
RequireAny
RequireAll
RequireAny
Require ip 10.0
Require ip 192.168.0
/RequireAny
RequireNone
Require ip 10.0.10
Require ip 192.168.0.128/25
/RequireNone
/RequireAll
AuthType Basic
AuthName "Dev password"
AuthUserFile /path/.htpass
Require user dev
/RequireAny
Can someone tell me what I'm doing wrong? It's not requesting authenticate from my desktops.
Sorry it's not showing my tags for requireall and requireany. so I don't have them tagged.

You seem to be doing it right. Crank-up the LogLevel for authz:
LogLevel authz_core:trace3
and see, what gets logged for each hit. It may be something as silly as a typo in the IP-range specification, for example.

Related

Basic Authentication for All Except Listed User Agents in Apache

Is it possible to require Basic Authentication for all but specified User Agents in Apache configuration?
P.S. I know that User Agents can be easily faked, but for my use case such conditional authentication would be enough.
After searching for quite a bit and experimenting, I came up with the answer. One needs these lines in their .htaccess file:
SetEnvIf User-Agent ^VipAgent1 vip_agent
SetEnvIf User-Agent ^VipAgent2 vip_agent
Order Allow,Deny
Allow from env=vip_agent
AuthType Basic
AuthName "Protected Login"
AuthUserFile /path/to/htpasswd
Require valid-user
Satisfy any
In addition, for this to work, one would need to make sure that mod_rewrite, mod_authn_file, and mod_setenvif are enabled in httpd.conf and also this directive is set there:
AllowOverride All
This configuration gives access for requests with User Agent starting "VipAgent1" and "VipAgent2", but asks for the authentication credentials for all other visitors.

Apache 2.2 htaccess Require Password and IP Address

In htaccess using Apache 2.2.x, is there a way to require a password and a certain IP address, and block outright everyone else?
I've tried all the Allow/Deny/Require/Satisfy combinations I could find or try. Maybe someone here has the answer? I did an extensive search but everyone is looking to allow bypassing a password for certain IP addresses, not demanding an IP and password.
I would suggest setting up your configuration to require just a password first, and once you have that working as intended. Add the correct allow from directive to the htaccess file. For example
Allow from 192.168.0.0
You should not need to add anything else as Satisfy All is the default, but if you are still having problems add this as well.
If you are still having problems show us the htaccess file and check the rest of your config for overriding configuration.
New config based on discussion below:
<Location />
Order allow,deny
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /path/to/htpasswd
Require valid-user
Satisfy all
Allow from 127.0.0.1
</Location>
Additional info, doesn't need the <Location> block if in htaccess

Apache same file with and without password from different ip

I have a question to a complex apache configuration (apache 2.2). Is the following possible, and if yes, how:
From some IPs access to particular files should be allowed without authentication.
From other IPs access to the same files should be allowed with authentication only.
From all other IPs access should not be allowed.
I've tried with
general:
Order deny,allow
deny from all
Then two blocks for the specified directory:
<Location /testverzeichnis/index.html>
AuthType Basic
AuthName "blabla"
Deny from all
Allow from <IP1>
AuthUserFile /srv/www/apache/.htpasswd
Require user scht
</Location>
This does work! I got a window for user/password, and on the second machine access is not allowed.
Then I tried to get access without password from the second machine:
<Location /testverzeichnis/index.html>
Deny from all
Allow from <IP2>
</Location>
But then I got the authentication box on the second machine!
Is this possible at all?
Thank you in advance!
Regards
Burkhard
"Satisfy any" in a single configuration section.

Password protect a cname subdomain with .htaccess?

I'm trying to build and test a "m." subdomain for a website I'm working on. "m.domain.com" is simply a cname for "domain.com" and will be used to set a server-side boolean so the mobile version of the site will serve exactly the same pages, just with different css and scripts.
While I'm testing, I want to require a password for all requests made to m.domain.com. I've tried several .htaccess variants on environment variable solutions, and this is what I have right now:
SetEnvIfNoCase Host m\.domain\.com is_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Require valid-user
Order allow,deny
Allow from all
Deny from env=is_mobile
Satisfy any
With this code, "domain.com" and "www.domain.com" display normally. "m.domain.com" prompts for a password as expected. However, once it's entered, the server returns a 500 error on any request.
Well, turns out that a little inversion and reordering did the trick.
SetEnvIfNoCase Host ^(www\.)domain\.com$ not_mobile
AuthType basic
AuthName "Mobile site"
AuthUserFile ".htpasswd"
Order deny,allow
Deny from all
Allow from env=not_mobile
Require valid-user
Satisfy any
I'm still curious to know why the other configuration created the 500 error, though, especially since it only occurred for the subdomain I wanted password protected.

Allowing access with .htaccess (by address AND auth)

I have the following, but its not working correctly.
I run this server locally, but have now configured for external access. I want it to work such that if you're not within my internal network, you must authenticate.
Authentication works, however cannot get httpd to accept this code so something must be wrong. Just can't figure out which!
Order Deny, Allow
Deny from all
Satisfy Any
Allow from 127.0.0.1
Allow from 192.168
AuthUserFile "C:/Program Files/wamp/htpasswd.txt"
AuthName "Piss off :-)"
AuthType Basic
Require valid-user
Swap the Order:
Order Allow,Deny