On 11/30/2020 05:34 AM, Michael wrote:
[snip]
>
> I've tested different RequireAll directives in a .htaccess file and with
> otherwise default apache settings I can confirm:
>
> This is correct:
> =========================
> <RequireAll>
> Require ip 10.0.0.100
> </RequireAll>
> =========================
> will only allow visitors from 10.0.0.100 to access the directory content.
>
> This is also correct:
> =========================
> <RequireAll>
> Require all granted
> Require ip 10.0.0.100
> </RequireAll>
> =========================
> will only allow visitors from 10.0.0.100 to access the directory content.
>
> Finally, this won't work:
> =========================
> <RequireAll>
> Require all denied
> Require ip 10.0.0.100
> </RequireAll>
> =========================
> because it returns 403 for all clients irrespective of IP address, since both
> subdirectives must be correct for the RequireAll to be true.
>
> I notice you have 'Options MultiViews' in your modules.d/
> 00_default_settings.conf, which will parse paths to find and serve any file
> requested by the client even if the URL is not complete. It might be this
> conflicts with your .htaccess within admin/ subdirectory, but I'm not sure.
> Something in apache logs may shed light in this.
>
>
>> AuthName "restricted stuff"
>> AuthType Basic
>> AuthUserFile "/etc/apache2/users"
>> require user webmaster
>>
>> I've tried adding
>> RewriteEngine on
>>
>> With it, I can not login at all (access denied) regardless of IP.
>
> With apache 2.4 a new <If> directive was added to perform conditional checks
> and replace/augment many of the mod_rewrite functionalities. I don't know
> how
> you have structured your RewriteCond and RewriteRule, but obviously they
> don't
> work as intended if they totally block access.
>
> You could check conflicting rules between your apache config and any
> .htaccess
> directives, or any loose and contradictory .htaccess files in higher
> subdirectories.
Partial success. It seems to me .htaccess <RequireAll> needs: <Files *>
to work.
The blow works on IP:
<Files *>
<RequireAll>
Require ip 10.0.0.109
</RequireAll>
</Files>
But this below doesn't work.
AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
require user webmaster
It doesn't read "AuthType Basic" it does not ask me for password.
I wish Apache 2.2 was still in portage.
