Mailing List Archive

How to restrict page access to certain IPs using Apache httpd 2.4
Hi HTTP apache community,

I have a Location and Directory directive configured within VirtualHost
and I would like to restrict only 10.75.x.x IPs to access the URL "http://
..../ords".

The access restriction is not working in <Location> directive as any
client IPs still can access the URL after the setting. However, the same
"Require ip x.x " setting is working well in <Directory> directive.

I can confirm that I have both modules (authz_core / authz_host) loaded:

[root@xxx]# httpd -f /etc/httpd/conf/httpd.conf -M | grep authz
authz_core_module (shared)
authz_dbd_module (shared)
authz_dbm_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_owner_module (shared)
authz_user_module (shared)

See below:
<VirtualHost>
<Location "/ords">
Require ip 10.75
.... truncated....
</Location>
</VirtualHost>

<Directory "/var/www/html/htdocs/myserver">
Options Indexes FollowSymLinks
AllowOverride None
Require ip 10.75
</Directory>

Can someone please help out and guide me? Thanks

Regards,
Kwok
Re: How to restrict page access to certain IPs using Apache httpd 2.4
Hi,

Anyone able to help please?

Regards, Kwok

On Wed, 14 Oct 2020 at 4:37 pm, Anders Wong <kwokchung@gmail.com> wrote:

> Hi HTTP apache community,
>
> I have a Location and Directory directive configured within
> VirtualHost and I would like to restrict only 10.75.x.x IPs to access the
> URL "http://..../ords".
>
> The access restriction is not working in <Location> directive as any
> client IPs still can access the URL after the setting. However, the same
> "Require ip x.x " setting is working well in <Directory> directive.
>
> I can confirm that I have both modules (authz_core / authz_host) loaded
>
> [root@xxx]# httpd -f /etc/httpd/conf/httpd.conf -M | grep authz
> authz_core_module (shared)
> authz_dbd_module (shared)
> authz_dbm_module (shared)
> authz_groupfile_module (shared)
> authz_host_module (shared)
> authz_owner_module (shared)
> authz_user_module (shared)
>
> See below:
> <VirtualHost>
> <Location "/ords">
> Require ip 10.75
> .... truncated....
> </Location>
> </VirtualHost>
>
> <Directory "/var/www/html/htdocs/myserver">
> Options Indexes FollowSymLinks
> AllowOverride None
> Require ip 10.75
> </Directory>
>
> Can someone please help out and guide me? Thanks
>
> Regards,
> Kwok
>
Re: Re: How to restrict page access to certain IPs using Apache httpd 2.4
On Mon, Oct 19, 2020 at 7:31 AM Anders Wong <kwokchung@gmail.com> wrote:
>
> Hi,
>
> Anyone able to help please?

It would help to show the config un-redacted and to show the resulting
access_log entries.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Re: How to restrict page access to certain IPs using Apache httpd 2.4
Hi Eric,

See below the configuration I have put in the httpd.conf:

<VirtualHost *:80>

    <Location "/ords">
        AuthType Kerberos
        Krb5KeyTab /etc/my.keytab
        KrbServiceName HTTP/something.com@ABC.COM
        KrbAuthRealms ABC.COM
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        require valid-user
        Require ip 10.75
        ProxyPass "ajp://localhost:8009/ords"
        ProxyPassReverse "ajp://localhost:8009/ords"
    </Location>

    <Directory "/var/www/html/htdocs/something">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require ip 10.75
    </Directory>

</VirtualHost>

---Access Log --
10.75.3.4 - - [13/Oct/2020:15:28:02 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:04 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
210.10.2.163 - dxxxx@ABC.COM [13/Oct/2020:15:28:51 +1100] "GET /ords/f?p=4050:9:212076483029344::NO::: HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763"
210.10.2.163 - dxxxx@ABC.COM [13/Oct/2020:15:28:54 +1100] "GET /ords/f?p=4550:10:2982892575199::::: HTTP/1.1" 200 7101 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763"
10.75.3.5 - - [13/Oct/2020:15:28:09 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:12 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:14 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:17 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:19 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:22 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:24 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:27 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
210.10.2.163 - - [13/Oct/2020:15:28:29 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:32 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.5 - - [13/Oct/2020:15:28:34 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"
10.75.3.4 - - [13/Oct/2020:15:28:37 +1100] "GET /index.html HTTP/1.1" 200 3206 "-" "-"

On Mon, Oct 19, 2020 at 10:35 PM Eric Covener <covener@gmail.com> wrote:

> On Mon, Oct 19, 2020 at 7:31 AM Anders Wong <kwokchung@gmail.com> wrote:
> >
> > Hi,
> >
> > Anyone able to help please?
>
> It would help to show the config un-redacted and to show the resulting
> access_log entries.
Re: Re: How to restrict page access to certain IPs using Apache httpd 2.4
> <Location "/ords">
> AuthType Kerberos
> Krb5KeyTab /etc/my.keytab
> KrbServiceName HTTP/something.com@ABC.COM
> KrbAuthRealms ABC.COM
> KrbMethodNegotiate on
> KrbMethodK5Passwd on
> require valid-user
> Require ip 10.75

It is accepting either Require directive.

https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

When multiple Require directives are used in a single configuration
section and are not contained in another authorization directive like
<RequireAll>, they are implicitly contained within a <RequireAny>
directive. Thus the first one to authorize a user authorizes the
entire request, and subsequent Require directives are ignored.
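
The fix implied by the documentation passage above, as an added example that is not part of the original thread: wrapping both conditions in <RequireAll> so that a client must come from 10.75 and also authenticate. All directive values are copied from the configuration posted earlier in the thread; the commented-out lines show the posted form for comparison.

```apache
<VirtualHost *:80>

    <Location "/ords">
        AuthType Kerberos
        Krb5KeyTab /etc/my.keytab
        KrbServiceName HTTP/something.com@ABC.COM
        KrbAuthRealms ABC.COM
        KrbMethodNegotiate on
        KrbMethodK5Passwd on

        # As posted: two bare Require lines sit in an implicit <RequireAny>,
        # so EITHER a valid Kerberos user OR a 10.75 address is enough.
        # That is why 210.10.2.163 reached /ords once it had authenticated.
        #
        #   require valid-user
        #   Require ip 10.75

        # Corrected: <RequireAll> makes the two conditions cumulative.
        # A client outside 10.75 is refused regardless of its credentials;
        # a client inside 10.75 must still authenticate.
        <RequireAll>
            Require ip 10.75
            Require valid-user
        </RequireAll>

        ProxyPass "ajp://localhost:8009/ords"
        ProxyPassReverse "ajp://localhost:8009/ords"
    </Location>

    # A single Require needs no wrapper, which is why this section
    # already behaved as intended.
    <Directory "/var/www/html/htdocs/something">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require ip 10.75
    </Directory>

</VirtualHost>
```

After checking the syntax with `httpd -t` and reloading, the access_log should no longer show 200 or 302 responses for /ords requests from addresses outside 10.75.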
