Mailing List Archive

Help with access control (.htaccess)
I am seeking a few hints on what I am doing wrong.

I am trying to setup apache 1.3.22 to limit access as follows:

1. access MUST be from a specified IP range
2. user MUST use name/passwd

Both conditions above must be met for access.
If there is a request from an IP that is not in the allow range,
I don't want a name/passwd to override this.

Here is what I did:
[http.conf]

DocumentRoot "/var/www/users"
<Directory />
Order Deny,Allow
Deny from All
Allow from 192.168.100.0/255.255.255.0
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>
<Directory /test>
Order Deny,Allow
Deny from all
Allow from 192.168.100.0/255.255.255.0
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>
------------------------------------

then I added .htaccess in the following dirs:

/var/www/users
/var/www/test

[.htaccess]
AuthName "Restriced Access"
AuthType Basic
AuthUserFile /usr/local/etc/users
require valid-user
Satisfy All

...I can seem to make this work one way or the other, but not both.
With the above configuration, an IP from 192.168.100.0 receives the following:

HTTP 403 forbidden

and the relevant log entry shows:
[Thu Dec 20 07:32:51 2001] [error] [client 192.168.100.13] client denied by
server configuration: /var/www/users

so....I have read the newsgroups and like the idea of 'ditching' the
.htaccess file and setting this up in httpd.conf
(since all the dirs and files would require the same level of security)

Can anyone help me out a little on this?

Thanks in advance.

Jeff
AuroraHealthCare


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Help with access control (.htaccess)
"J.D. Bronson" wrote:
>
> I am seeking a few hints on what I am doing wrong.
>
> I am trying to setup apache 1.3.22 to limit access as follows:
>
> 1. access MUST be from a specified IP range
> 2. user MUST use name/passwd
>
> Both conditions above must be met for access.
> If there is a request from an IP that is not in the allow range,
> I don't want a name/passwd to override this.
>
> Here is what I did:
> [http.conf]
>
> DocumentRoot "/var/www/users"
> <Directory />
> Order Deny,Allow
> Deny from All
> Allow from 192.168.100.0/255.255.255.0
> Options FollowSymLinks
> AllowOverride AuthConfig
> </Directory>
> <Directory /test>
> Order Deny,Allow
> Deny from all
> Allow from 192.168.100.0/255.255.255.0
> Options FollowSymLinks
> AllowOverride AuthConfig
> </Directory>
> ------------------------------------
>
> then I added .htaccess in the following dirs:
>
> /var/www/users
> /var/www/test
>
> [.htaccess]
> AuthName "Restriced Access"
> AuthType Basic
> AuthUserFile /usr/local/etc/users
> require valid-user
> Satisfy All
>
> ...I can seem to make this work one way or the other, but not both.
> With the above configuration, an IP from 192.168.100.0 receives the following:
>
> HTTP 403 forbidden
>
> and the relevant log entry shows:
> [Thu Dec 20 07:32:51 2001] [error] [client 192.168.100.13] client denied by
> server configuration: /var/www/users
>
> so....I have read the newsgroups and like the idea of 'ditching' the
> .htaccess file and setting this up in httpd.conf
> (since all the dirs and files would require the same level of security)

You're nearly there - just a slight misunderstanding on the relationship
between DocumentRoot and <Directory>.

I get the impression you think the Directory argument is *relative* to
the DocumentRoot. It's not - it is *absolute*, i.e. it needs a full path
relative to the filesystem. If you put:

DocumentRoot "/var/www/users"
<Directory /var/www/users>
..etc
<Directory /var/www/test>
..etc.

It would be closer to what you are trying to achieve.

However, there is another issue. The config above is still a bit funny
because /var/www/test is not under the docroot. So if you do:

DocumentRoot "/var/www"

both directories will be below the docroot and therefore accessible from
the browser via:

http://server-name/users and http://server-name/test

Then you can check if your authentication scheme is working (looks OK).
Rgds,

Owen Boyle.

Re: Help with access control (.htaccess)
At 07:57 AM 12/20/2001, you wrote:
>"J.D. Bronson" wrote:
> >
> > I am seeking a few hints on what I am doing wrong.
> >
> > I am trying to setup apache 1.3.22 to limit access as follows:
> >
> > 1. access MUST be from a specified IP range
> > 2. user MUST use name/passwd
> >
> > Both conditions above must be met for access.
> > If there is a request from an IP that is not in the allow range,
> > I don't want a name/passwd to override this.
> >
> > Here is what I did:
> > [http.conf]
> >
> > DocumentRoot "/var/www/users"
> > <Directory />
> > Order Deny,Allow
> > Deny from All
> > Allow from 192.168.100.0/255.255.255.0
> > Options FollowSymLinks
> > AllowOverride AuthConfig
> > </Directory>
> > <Directory /test>
> > Order Deny,Allow
> > Deny from all
> > Allow from 192.168.100.0/255.255.255.0
> > Options FollowSymLinks
> > AllowOverride AuthConfig
> > </Directory>
> > ------------------------------------
> >
> > then I added .htaccess in the following dirs:
> >
> > /var/www/users
> > /var/www/test
> >
> > [.htaccess]
> > AuthName "Restriced Access"
> > AuthType Basic
> > AuthUserFile /usr/local/etc/users
> > require valid-user
> > Satisfy All
> >
> > ...I can seem to make this work one way or the other, but not both.
> > With the above configuration, an IP from 192.168.100.0 receives the
> following:
> >
> > HTTP 403 forbidden
> >
> > and the relevant log entry shows:
> > [Thu Dec 20 07:32:51 2001] [error] [client 192.168.100.13] client denied by
> > server configuration: /var/www/users
> >
> > so....I have read the newsgroups and like the idea of 'ditching' the
> > .htaccess file and setting this up in httpd.conf
> > (since all the dirs and files would require the same level of security)
>
>You're nearly there - just a slight misunderstanding on the relationship
>between DocumentRoot and <Directory>.
>
>I get the impression you think the Directory argument is *relative* to
>the DocumentRoot. It's not - it is *absolute*, i.e. it needs a full path
>relative to the filesystem. If you put:
>
>DocumentRoot "/var/www/users"
><Directory /var/www/users>
>..etc
><Directory /var/www/test>
>..etc.
>
>It would be closer to what you are trying to achieve.
>
>However, there is another issue. The config above is still a bit funny
>because /var/www/test is not under the docroot. So if you do:
>
>DocumentRoot "/var/www"
>
>both directories will be below the docroot and therefore accessible from
>the browser via:
>
>http://server-name/users and http://server-name/test
>
>Then you can check if your authentication scheme is working (looks OK).
>Rgds,
>
>Owen Boyle.

Ok...hmm...I changed the httpd.conf as follows:

DocumentRoot "/var/www/users"
<Directory /var/www/users>
Order Deny,Allow
Deny from All
Allow from 192.168.100.0/255.255.255.0
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>
<Directory /var/www/users/test>
Order Deny,Allow
Deny from all
Allow from 192.168.100.0/255.255.255.0
Options FollowSymLinks
AllowOverride AuthConfig
</Directory>

..since I agree with your advice....but this didn't help! :(

I still (as a user) get HTTP 403 Forbidden and the apache error log reports
the exact same error.

...again I must be close and this has to be something stupid I did/didn't do.

Perhaps if I can setup httpd.conf with all the directives and information
and get rid of the .htaccess file?
(at least that might make troubleshooting easier?)

Thanxs for helping me with this!

Jeff



Re: Help with access control (.htaccess)
"J.D. Bronson" wrote:
> Ok...hmm...I changed the httpd.conf as follows:
>
> DocumentRoot "/var/www/users"
> <Directory /var/www/users>
> Order Deny,Allow
> Deny from All
> Allow from 192.168.100.0/255.255.255.0
> Options FollowSymLinks
> AllowOverride AuthConfig
> </Directory>
> <Directory /var/www/users/test>
> Order Deny,Allow
> Deny from all
> Allow from 192.168.100.0/255.255.255.0
> Options FollowSymLinks
> AllowOverride AuthConfig
> </Directory>
>
> ..since I agree with your advice....but this didn't help! :(
>
> I still (as a user) get HTTP 403 Forbidden and the apache error log reports
> the exact same error.
>
> ...again I must be close and this has to be something stupid I did/didn't do.
>
> Perhaps if I can setup httpd.conf with all the directives and information
> and get rid of the .htaccess file?
> (at least that might make troubleshooting easier?)

There is no functional difference between putting the Auth directives in
httpd.conf or in .htaccess - it should still work/not work as before.
The differences are to do with maintenance:

- if you use .htaccess, you don't need to restart the server to pick up
changes.
- if you use httpd.conf, you don't need to read .htaccess every time you
visit a directory.

you pays your money, you makes your choice...

Getting back to your problem:

- I assume you are trying to hit the site from a machine on the
192.168.100.0 network.

- do you really need to define the netmask? How about slacking off the
restriction a bit. Just define the private subnet to begin with, e.g.

Allow from 192.168

- Exactly what file is giving the 403? Check in the error log to see
what file is being "denied access by server configuration". Is it hitting
the path you expected?

Things are working better than you think - most people can't get "Deny"
to work at all! At least for you, the mechanism is working, you just
have to slacken it off enough to allow your desired hits through.

Rgds,

Owen Boyle.

Re: Help with access control (.htaccess)
At 09:54 AM 12/20/2001, you wrote:
>"J.D. Bronson" wrote:
> > Ok...hmm...I changed the httpd.conf as follows:
> >
> > DocumentRoot "/var/www/users"
> > <Directory /var/www/users>
> > Order Deny,Allow
> > Deny from All
> > Allow from 192.168.100.0/255.255.255.0
> > Options FollowSymLinks
> > AllowOverride AuthConfig
> > </Directory>
> > <Directory /var/www/users/test>
> > Order Deny,Allow
> > Deny from all
> > Allow from 192.168.100.0/255.255.255.0
> > Options FollowSymLinks
> > AllowOverride AuthConfig
> > </Directory>
> >
> > ..since I agree with your advice....but this didn't help! :(
> >
> > I still (as a user) get HTTP 403 Forbidden and the apache error log reports
> > the exact same error.
> >
> > ...again I must be close and this has to be something stupid I
> did/didn't do.
> >
> > Perhaps if I can setup httpd.conf with all the directives and information
> > and get rid of the .htaccess file?
> > (at least that might make troubleshooting easier?)
>
>There is no functional difference between putting the Auth directives in
>httpd.conf or in .htaccess - it should still work/not work as before.
>The differences are to do with maintenance:
>
>- if you use .htaccess, you don't need to restart the server to pick up
>changes.
>- if you use httpd.conf, you don't need to read .htaccess every time you
>visit a directory.
>
>you pays your money, you makes your choice...
>
>Getting back to your problem:
>
>- I assume you are trying to hit the site from a machine on the
>192.168.100.0 network.
>
>- do you really need to define the netmask? How about slacking off the
>restriction a bit. Just define the private subnet to begin with, e.g.
>
>Allow from 192.168
>
>- Exactly what file is giving the 403? Check in the error log to see
>what file is being "denied access by server configuration". Is it hitting
>the path you expected?
>
>Things are working better than you think - most people can't get "Deny"
>to work at all! At least for you, the mechanism is working, you just
>have to slacken it off enough to allow your desired hits through.
>
>Rgds,
>
>Owen Boyle.

Well..I added the .htaccess file contents into the /dir area and it still
didn't work. SOoooooo..

I looked at the httpd.conf file over and over and found yet ANOTHER entry
for this specific directory with different directives. Obviously apache
read this AFTER my correct directives. Grrrr...

So?

Now, if you are not on the IP range, the connection is forbidden; if you are on
the IP range, you are prompted for a password.

While I have some more intense testing to do prior to going live, I am
pleased that this seems to be working.

MANY THANX for the tips.






J.D. Bronson
Aurora Health Care
Information Services
"Death before downtime"


Re: Help with access control (.htaccess)
"J.D. Bronson" wrote:
>
> I looked at the httpd.conf file over and over and found yet ANOTHER entry
> for this specific directory with different directives. Obviously apache
> read this AFTER my correct directives. Grrrr...

Arrgh... Equally specific directives are applied in the order in which
they are listed in the file - so later overrides earlier. "grep" is
useful for checking out multiple directives if you suspect you have a
conflict (use the "-i" switch to ignore case).

Glad you got it working!

Rgds,

Owen Boyle.
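
The duplicate-section check suggested in the reply above, as an added example that is not part of the original thread: it uses `grep -i` to find every `<Directory>` line and reports any path that is configured more than once, since the later block wins. The function names `dup_directories` and `sample_conf` and the sample config are constructed for illustration; the content of the conflicting block is an assumption, as the thread does not show it.

```bash
# Added example: list <Directory> paths configured more than once in an
# Apache config, with the line number of every occurrence.

# dup_directories FILE -> prints "path: line line ..." per duplicated path
dup_directories() {
    # -i: directive names are case-insensitive; -n: keep line numbers.
    # Requiring whitespace after "Directory" excludes <DirectoryMatch>.
    grep -n -i -E '^[[:space:]]*<Directory[[:space:]]' "$1" |
    awk '{
        n = $0; sub(/:.*/, "", n)                           # line number
        p = $0; sub(/^[0-9]+:[ \t]*<[^ \t]+[ \t]+/, "", p)  # drop "<Directory "
        sub(/[ \t]*>.*$/, "", p)                            # drop closing ">"
        gsub(/"/, "", p)                                    # drop quotes
        if (length(p) > 1) sub(/\/$/, "", p)                # /a/b/ == /a/b
        count[p]++; lines[p] = lines[p] " " n
    }
    END { for (p in count) if (count[p] > 1) print p ":" lines[p] }' | sort
}

# Constructed sample: the intended block, then a later block for the same
# path (assumed content; the thread does not show the conflicting entry).
sample_conf() {
cat <<'EOF'
DocumentRoot "/var/www"
<Directory /var/www/users>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.100.0/255.255.255.0
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /usr/local/etc/users
    Require valid-user
    Satisfy All
</Directory>
<Directory /var/www/test>
    Order Deny,Allow
    Deny from all
</Directory>
<directory "/var/www/users/">
    Order Deny,Allow
    Deny from all
</Directory>
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
dup_directories "$conf"    # prints: /var/www/users: 2 16
rm -f "$conf"
```

Run `dup_directories` against the real httpd.conf and against any files it pulls in with `Include`, since a conflicting section can live in either.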
