In Apache 2.2 I could set up an .htaccess file and establish simple and
easily maintainable access control such as:
<FILES abc.html>
require user jim joe
</FILES>
<FILES def.html*>
require user jim joe
</FILES>
<Limit GET POST>
order deny,allow
deny from all
allow from 10.10.0.1
allow from 10.10.0.2
require valid-user
</Limit>
<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>
... and that would work very nicely so that for resources other than
abc.html and def.html as defined in the FILES section the request would
have to come from client 10.10.0.1 or 10.10.0.2 and be any authenticated
user. The <Limit GET POST> is the only restriction.
If the request were specifically for abc.html or def.html the GET
request would still be required to originate from 10.10.0.1 or
10.10.0.2, but now the user must be specifically jim or joe as defined
in the <FILES> restriction. So both the <Limit GET POST> restrictions
were respected along with the FILES restriction requiring specific user
authentication.
In Apache 2.4, access control configurations change so that I migrate
the above to:
<FILES abc.html>
require user jim joe
</FILES>
<FILES def.html*>
require user jim joe
</FILES>
<Limit GET POST>
<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
Require valid-user
</RequireAll>
</Limit>
<LimitExcept GET POST>
Require all denied
</LimitExcept>
In Apache 2.4 combining access for multiple IPs in combination with
users makes the configurations somewhat more complex, but I can live with
that.
However, I can't easily get the same access experience as in 2.2 without
a lot of redundant configuration.
In my 2.4 configuration, the FILES directives are looked at without
respect to the Limit on the GET/POST.
I can comment out:
<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>
and I'm still allowed to make a request to either abc.html or def.html
as defined in the FILES section as long as I am authenticated as user
jim or joe even with the request originating from 10.10.0.1.
It seems like I'd have to do something like the following which seems
absurd and incredibly redundant and difficult to maintain with changes.
<FILES abc.html>
<RequireAll>
Require ip 10.10.0.1
require user jim joe
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
require user jim joe
</RequireAll>
</FILES>
<FILES def.html*>
<RequireAll>
Require ip 10.10.0.1
require user jim joe
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
require user jim joe
</RequireAll>
</FILES>
<Limit GET POST>
<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
Require valid-user
</RequireAll>
</Limit>
<LimitExcept GET POST>
Require all denied
</LimitExcept>
I tested and the above does seem to work in getting me the access
control that I want, but the configurations are incredibly redundant and
difficult to manage. Expand that out to a dozen more IPs and dozens of
resources and that configuration gets very long.
Note, in my production environment there are many users other than jim
and joe and users are restricted to certain resources. Not all users are
allowed access to the same set of resources.
Can anyone simplify those Apache 2.4 restrictions or instruct me on what
I might be overlooking or misunderstanding, please?
Thanks,
Jim
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
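Added example, not part of Jim's post: one way to express the same policy in 2.4 without repeating the IP list per resource. It relies on two mod_authz_core facts: "Require ip" accepts a list of addresses, and a <Files> section's Require directives by default (AuthMerging Off) replace the enclosing section's authorization rather than adding to it, which is the behaviour Jim observed; "AuthMerging And" makes them combine instead. It assumes a single .htaccess in the protected directory, the default 2.4 authz modules loaded, and whatever AuthType/AuthUserFile setup already makes "Require valid-user" work. That the <Limit>-scoped requirements merge the way described here is an assumption to confirm on a test host before relying on it.

```apache
# Added example; not from the original post. Assumes the AuthType /
# AuthUserFile directives from the existing setup are present above.

# Directory-wide policy: GET/POST only from the two listed clients
# and only for an authenticated user. "Require ip" takes a list, so
# a single RequireAll covers both addresses.
<Limit GET POST>
    <RequireAll>
        Require ip 10.10.0.1 10.10.0.2
        Require valid-user
    </RequireAll>
</Limit>

# Every other method is refused outright.
<LimitExcept GET POST>
    Require all denied
</LimitExcept>

# Per-resource tightening. With the default AuthMerging Off, the
# Require below would REPLACE the enclosing IP/method policy.
# "AuthMerging And" ANDs this section with the enclosing one, so a GET
# for abc.html must still come from a listed address and, on top of
# that, be authenticated as jim or joe; any other method stays denied.
<Files abc.html>
    AuthMerging And
    Require user jim joe
</Files>

<Files def.html*>
    AuthMerging And
    Require user jim joe
</Files>
```

Adding more resources then costs one three-line <Files> block each, and adding a client address is a single edit to the "Require ip" list. A quick check of the result: a GET for abc.html from an unlisted address should return 403 even with jim's credentials, a GET from a listed address as a user other than jim or joe should be refused, and a non-GET/POST method for any file should be refused regardless of source or user.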