On 11/30/2020 05:34 AM, Michael wrote: [snip] > > I've tested different RequireAll directives in a .htaccess file and with > otherwise default apache settings I can confirm: > > This is correct: > ========================= > <RequireAll> > Require ip 10.0.0.100 > </RequireAll> > ========================= > will only allow visitors from 10.0.0.100 to access the directory content. > > This is also correct: > ========================= > <RequireAll> > Require all granted > Require ip 10.0.0.100 > </RequireAll> > ========================= > will only allow visitors from 10.0.0.100 to access the directory content. > > Finally, this won't work: > ========================= > <RequireAll> > Require all denied > Require ip 10.0.0.100 > </RequireAll> > ========================= > because it returns 403 for all clients irrespective of IP address, since both > subdirectives must be correct for the RequireAll to be true. > > I notice you have 'Options MultiViews' in your modules.d/ > 00_default_settings.conf, which will parse paths to find and serve any file > requested by the client even if the URL is not complete. It might be this > conflicts with your .htaccess within admin/ subdirectory, but I'm not sure. > Something in apache logs may shed light in this. > > >> AuthName "restricted stuff" >> AuthType Basic >> AuthUserFile "/etc/apache2/users" >> require user webmaster >> >> I've tried adding >> RewriteEngine on >> >> With it, I can not login at all (access denied) regardless of IP. > > With apache 2.4 a new <If> directive was added to perform conditional checks > and replace/augment many of the mod_rewrite functionalities. I don't know > how > you have structured your RewriteCond and RewriteRule, but obviously they > don't > work as intended if they totally block access. > > You could check conflicting rules between your apache config and any > .htaccess > directives, or any loose and contradictory .htaccess files in higher > subdirectories.
Partial success. It seems to me .htaccess <RequireAll> needs: <Files *> to work. The blow works on IP: <Files *> <RequireAll> Require ip 10.0.0.109 </RequireAll> </Files> But this below doesn't work. AuthName "restricted stuff" AuthType Basic AuthUserFile "/etc/apache2/users" require user webmaster It doesn't read "AuthType Basic" it does not ask me for password. I wish Apache 2.2 was still in portage.