Re: [gentoo-user] apache 2.4 - deny access to directory
On Tuesday, 1 December 2020 19:34:54 GMT the...@sys-concept.com wrote: > On 12/01/2020 07:18 AM, Michael wrote: > > On Monday, 30 November 2020 22:52:05 GMT the...@sys-concept.com wrote: > >> Access based on IP address works from .htaccess with Files directive: > >> > >> > >> > >>Require ip 10.0.0.109 > >> > >> > >> > >> But it doesn't read AuthType Basic, it doesn't ask me for any password. > >> > >> AuthName "restricted stuff" > >> AuthType Basic > >> AuthUserFile "/etc/apache2/users" > >> require user webmaster > >> > >> It seems to me Apache 2.4 is very limited what can, and can not go into > >> .htaccess. > > > > OK, probably Authentication takes precedence from Authorization on apache > > 2.4. > > > > Since you prefer to use .htaccess rather than a central apache config, > > let's check if this works in your /admin/.htaccess: > > > > === > > AuthName "restricted stuff" > > AuthType Basic > > AuthUserFile "/etc/apache2/users" > > > > > >Require ip 10.0.0.100 > >Require user webmaster > > > > > > == > > > > It should allow you to connect and then request username and passwd from > > IP > > 10.0.0.100, but return '403 Forbidden' for clients connecting from any > > other IP address, without requesting authentication. > > WOW! it worked, it worked! > Thank you Michael! > IP works and AuthType Basic works too. > > Why? It seems to me Apache 2.4 is very picky where/and order directives > are. So much more to learn. For basic operation I prefer .htaccess > files, it is much simpler and easier to block spammers, no need to > restart the main server, just update .htaccess file. > > Thank you again! You're welcome. I'm glad you got it going. There were a number of changes with apache 2.4. Have a look down this page for the specifics: https://httpd.apache.org/docs/trunk/upgrading.html signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] apache 2.4 - deny access to directory
On 12/01/2020 07:18 AM, Michael wrote: > On Monday, 30 November 2020 22:52:05 GMT the...@sys-concept.com wrote: > >> Access based on IP address works from .htaccess with Files directive: >> >> >>Require ip 10.0.0.109 >> >> >> But it doesn't read AuthType Basic, it doesn't ask me for any password. >> >> AuthName "restricted stuff" >> AuthType Basic >> AuthUserFile "/etc/apache2/users" >> require user webmaster >> >> It seems to me Apache 2.4 is very limited what can, and can not go into >> .htaccess. > > OK, probably Authentication takes precedence from Authorization on apache 2.4. > > Since you prefer to use .htaccess rather than a central apache config, let's > check if this works in your /admin/.htaccess: > > === > AuthName "restricted stuff" > AuthType Basic > AuthUserFile "/etc/apache2/users" > >Require ip 10.0.0.100 >Require user webmaster > > == > > It should allow you to connect and then request username and passwd from IP > 10.0.0.100, but return '403 Forbidden' for clients connecting from any other > IP address, without requesting authentication. WOW! it worked, it worked! Thank you Michael! IP works and AuthType Basic works too. Why? It seems to me Apache 2.4 is very picky where/and order directives are. So much more to learn. For basic operation I prefer .htaccess files, it is much simpler and easier to block spammers, no need to restart the main server, just update .htaccess file. Thank you again!
Re: [gentoo-user] apache 2.4 - deny access to directory
On Monday, 30 November 2020 22:52:05 GMT the...@sys-concept.com wrote: > Access based on IP address works from .htaccess with Files directive: > > >Require ip 10.0.0.109 > > > But it doesn't read AuthType Basic, it doesn't ask me for any password. > > AuthName "restricted stuff" > AuthType Basic > AuthUserFile "/etc/apache2/users" > require user webmaster > > It seems to me Apache 2.4 is very limited what can, and can not go into > .htaccess. OK, probably Authentication takes precedence from Authorization on apache 2.4. Since you prefer to use .htaccess rather than a central apache config, let's check if this works in your /admin/.htaccess: === AuthName "restricted stuff" AuthType Basic AuthUserFile "/etc/apache2/users" Require ip 10.0.0.100 Require user webmaster == It should allow you to connect and then request username and passwd from IP 10.0.0.100, but return '403 Forbidden' for clients connecting from any other IP address, without requesting authentication. signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] apache 2.4 - deny access to directory
On 11/30/2020 02:20 PM, Michael wrote: > On Monday, 30 November 2020 20:07:10 GMT the...@sys-concept.com wrote: > >> Thank for looking into it and input. >> I must be missing someting because if I use in .htaccess file direcive: >> or >> >> >> In both cases I get an error from Apache: >> >> [client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess: >> > /var/www/localhost/htdocs/catalog/admin/.htaccess: > here > > Yes, the error is because Directory and/or Location directives ought to go in > the main apache config files for this vhost, rather than in .htaccess. > > Is there a particular reason you want to use .htaccess, rather than files in > the /etc/apache subdirectories? Access based on IP address works from .htaccess with Files directive: Require ip 10.0.0.109 But it doesn't read AuthType Basic, it doesn't ask me for any password. AuthName "restricted stuff" AuthType Basic AuthUserFile "/etc/apache2/users" require user webmaster It seems to me Apache 2.4 is very limited what can, and can not go into .htaccess.
Re: [gentoo-user] apache 2.4 - deny access to directory
On Monday, 30 November 2020 20:07:10 GMT the...@sys-concept.com wrote: > Thank for looking into it and input. > I must be missing someting because if I use in .htaccess file direcive: > or > > > In both cases I get an error from Apache: > > [client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess: > /var/www/localhost/htdocs/catalog/admin/.htaccess: here Yes, the error is because Directory and/or Location directives ought to go in the main apache config files for this vhost, rather than in .htaccess. Is there a particular reason you want to use .htaccess, rather than files in the /etc/apache subdirectories? signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] apache 2.4 - deny access to directory
On 11/30/2020 12:43 PM, Michael wrote: > I don't have time to look into this in much detail, or test it, but see > comments below. > > On Monday, 30 November 2020 18:09:52 GMT the...@sys-concept.com wrote: >> On 11/30/2020 05:34 AM, Michael wrote: >>> On Sunday, 29 November 2020 18:22:09 GMT the...@sys-concept.com wrote: Thelma On 11/29/2020 03:22 AM, Michael wrote: > On Sunday, 29 November 2020 07:30:16 GMT the...@sys-concept.com wrote: >> I'm trying to deny access to all except specific IP address in a >> directory, just testing it. >> >> In modules.d/00_default_settings.conf >> >> >> >> Options MultiViews >> AllowOverride All >> Require all granted >> >> >> >> in admin/.htaccess >> >> >> >> Require all denied >> Require ip 10.0.0.100 >> >> >> >> My IP is 10.0.0.112 and I can still access the server /admin directory >> >> What am I missing? > > In apache 2.4 the access control syntax has changed. The RequireAll > directive means *all* authorisation directives within it must succeed. > > https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall > > What happens if you just remove the first line, "Require all denied"? As you suggested I have: in admin/.htaccess Require ip 10.0.0.100 My IP is: 10.0.0.112 and it still allow me to access it. I know apache 2.4 is reading the file as the the below direcive works. >>> >>> I've tested different RequireAll directives in a .htaccess file and with >>> otherwise default apache settings I can confirm: >>> >>> This is correct: >>> = >>> >>> >>> Require ip 10.0.0.100 >>> >>> >>> = >>> will only allow visitors from 10.0.0.100 to access the directory content. >>> >>> This is also correct: >>> = >>> >>> >>> Require all granted >>> Require ip 10.0.0.100 >>> >>> >>> = >>> will only allow visitors from 10.0.0.100 to access the directory content. >>> >>> Finally, this won't work: >>> = >>> >>> >>> Require all denied >>> Require ip 10.0.0.100 >>> >>> >>> = >>> because it returns 403 for all clients irrespective of IP address, since >>> both subdirectives must be correct for the RequireAll to be true. >>> >>> I notice you have 'Options MultiViews' in your modules.d/ >>> 00_default_settings.conf, which will parse paths to find and serve any >>> file >>> requested by the client even if the URL is not complete. It might be this >>> conflicts with your .htaccess within admin/ subdirectory, but I'm not >>> sure. >>> Something in apache logs may shed light in this. >>> AuthName "restricted stuff" AuthType Basic AuthUserFile "/etc/apache2/users" require user webmaster I've tried adding RewriteEngine on With it, I can not login at all (access denied) regardless of IP. >>> >>> With apache 2.4 a new directive was added to perform conditional >>> checks and replace/augment many of the mod_rewrite functionalities. I >>> don't know how you have structured your RewriteCond and RewriteRule, but >>> obviously they don't work as intended if they totally block access. >>> >>> You could check conflicting rules between your apache config and any >>> .htaccess directives, or any loose and contradictory .htaccess files in >>> higher subdirectories. >> >> Here is complete file: modules.d/00_default_settings.conf >> I've removed 'Options MultiViews' but it disn't help. >> >> Timeout 300 >> KeepAlive On >> MaxKeepAliveRequests 100 >> KeepAliveTimeout 15 >> UseCanonicalName Off >> AccessFileName .htaccess >> ServerTokens Prod >> TraceEnable off >> ServerSignature Off >> HostnameLookups Off >> EnableMMAP On >> EnableSendfile Off >> FileETag MTime Size >> ContentDigest Off >> ErrorLog /var/log/apache2/error_log >> LogLevel warn >> >> >> Options FollowSymLinks >> AllowOverride None >> Require all denied >> >> >> >> AllowOverride All >> Require all granted >> >> >> >> DirectoryIndex index.html index.html.var >> >> >> >> Require all denied >> >> >> The server root .htaccess is empty >> In server root/admin/.htaccess >> >> >>Require ip 10.0.0.100 >> > > Hmm ... as I understand it the directive is evaluated to make an > authorisation decision, before the authentication directive below. If the > authorisation fails, because you're not connecting from ip 10.0.0.100, then I > would assume apache should return 403 and stop processing further directives. > > However, from what you say it does not do this. :-/ > > I wonder if you add 'AuthMerging And' above your authentication directives > below, it would work as expected - i.e. both 'ip 10.0.0.100' and 'user > webmaster' should succeed before access
Re: [gentoo-user] apache 2.4 - deny access to directory
I don't have time to look into this in much detail, or test it, but see comments below. On Monday, 30 November 2020 18:09:52 GMT the...@sys-concept.com wrote: > On 11/30/2020 05:34 AM, Michael wrote: > > On Sunday, 29 November 2020 18:22:09 GMT the...@sys-concept.com wrote: > >> Thelma > >> > >> On 11/29/2020 03:22 AM, Michael wrote: > >>> On Sunday, 29 November 2020 07:30:16 GMT the...@sys-concept.com wrote: > I'm trying to deny access to all except specific IP address in a > directory, just testing it. > > In modules.d/00_default_settings.conf > > > > Options MultiViews > AllowOverride All > Require all granted > > > > in admin/.htaccess > > > > Require all denied > Require ip 10.0.0.100 > > > > My IP is 10.0.0.112 and I can still access the server /admin directory > > What am I missing? > >>> > >>> In apache 2.4 the access control syntax has changed. The RequireAll > >>> directive means *all* authorisation directives within it must succeed. > >>> > >>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall > >>> > >>> What happens if you just remove the first line, "Require all denied"? > >> > >> As you suggested I have: > >> in admin/.htaccess > >> > >> > >> > >> Require ip 10.0.0.100 > >> > >> > >> > >> My IP is: 10.0.0.112 and it still allow me to access it. I know apache > >> 2.4 is reading the file as the the below direcive works. > > > > I've tested different RequireAll directives in a .htaccess file and with > > otherwise default apache settings I can confirm: > > > > This is correct: > > = > > > > > > Require ip 10.0.0.100 > > > > > > = > > will only allow visitors from 10.0.0.100 to access the directory content. > > > > This is also correct: > > = > > > > > > Require all granted > > Require ip 10.0.0.100 > > > > > > = > > will only allow visitors from 10.0.0.100 to access the directory content. > > > > Finally, this won't work: > > = > > > > > > Require all denied > > Require ip 10.0.0.100 > > > > > > = > > because it returns 403 for all clients irrespective of IP address, since > > both subdirectives must be correct for the RequireAll to be true. > > > > I notice you have 'Options MultiViews' in your modules.d/ > > 00_default_settings.conf, which will parse paths to find and serve any > > file > > requested by the client even if the URL is not complete. It might be this > > conflicts with your .htaccess within admin/ subdirectory, but I'm not > > sure. > > Something in apache logs may shed light in this. > > > >> AuthName "restricted stuff" > >> AuthType Basic > >> AuthUserFile "/etc/apache2/users" > >> require user webmaster > >> > >> I've tried adding > >> RewriteEngine on > >> > >> With it, I can not login at all (access denied) regardless of IP. > > > > With apache 2.4 a new directive was added to perform conditional > > checks and replace/augment many of the mod_rewrite functionalities. I > > don't know how you have structured your RewriteCond and RewriteRule, but > > obviously they don't work as intended if they totally block access. > > > > You could check conflicting rules between your apache config and any > > .htaccess directives, or any loose and contradictory .htaccess files in > > higher subdirectories. > > Here is complete file: modules.d/00_default_settings.conf > I've removed 'Options MultiViews' but it disn't help. > > Timeout 300 > KeepAlive On > MaxKeepAliveRequests 100 > KeepAliveTimeout 15 > UseCanonicalName Off > AccessFileName .htaccess > ServerTokens Prod > TraceEnable off > ServerSignature Off > HostnameLookups Off > EnableMMAP On > EnableSendfile Off > FileETag MTime Size > ContentDigest Off > ErrorLog /var/log/apache2/error_log > LogLevel warn > > > Options FollowSymLinks > AllowOverride None > Require all denied > > > > AllowOverride All > Require all granted > > > > DirectoryIndex index.html index.html.var > > > > Require all denied > > > The server root .htaccess is empty > In server root/admin/.htaccess > > >Require ip 10.0.0.100 > Hmm ... as I understand it the directive is evaluated to make an authorisation decision, before the authentication directive below. If the authorisation fails, because you're not connecting from ip 10.0.0.100, then I would assume apache should return 403 and stop processing further directives. However, from what you say it does not do this. :-/ I wonder if you add 'AuthMerging And' above your authentication directives below, it would work as expected - i.e. both 'ip 10.0.0.100' and 'user webmaster' should succeed before access to /admin is allowed. > AuthName "restricted stuff" > AuthType
Re: [gentoo-user] apache 2.4 - deny access to directory
On 11/30/2020 05:34 AM, Michael wrote: [snip] > > I've tested different RequireAll directives in a .htaccess file and with > otherwise default apache settings I can confirm: > > This is correct: > = > > Require ip 10.0.0.100 > > = > will only allow visitors from 10.0.0.100 to access the directory content. > > This is also correct: > = > > Require all granted > Require ip 10.0.0.100 > > = > will only allow visitors from 10.0.0.100 to access the directory content. > > Finally, this won't work: > = > > Require all denied > Require ip 10.0.0.100 > > = > because it returns 403 for all clients irrespective of IP address, since both > subdirectives must be correct for the RequireAll to be true. > > I notice you have 'Options MultiViews' in your modules.d/ > 00_default_settings.conf, which will parse paths to find and serve any file > requested by the client even if the URL is not complete. It might be this > conflicts with your .htaccess within admin/ subdirectory, but I'm not sure. > Something in apache logs may shed light in this. > > >> AuthName "restricted stuff" >> AuthType Basic >> AuthUserFile "/etc/apache2/users" >> require user webmaster >> >> I've tried adding >> RewriteEngine on >> >> With it, I can not login at all (access denied) regardless of IP. > > With apache 2.4 a new directive was added to perform conditional checks > and replace/augment many of the mod_rewrite functionalities. I don't know > how > you have structured your RewriteCond and RewriteRule, but obviously they > don't > work as intended if they totally block access. > > You could check conflicting rules between your apache config and any > .htaccess > directives, or any loose and contradictory .htaccess files in higher > subdirectories. Partial success. It seems to me .htaccess needs: to work. The blow works on IP: Require ip 10.0.0.109 But this below doesn't work. AuthName "restricted stuff" AuthType Basic AuthUserFile "/etc/apache2/users" require user webmaster It doesn't read "AuthType Basic" it does not ask me for password. I wish Apache 2.2 was still in portage.
Re: [gentoo-user] apache 2.4 - deny access to directory
On Sunday, 29 November 2020 18:22:09 GMT the...@sys-concept.com wrote: > Thelma > > On 11/29/2020 03:22 AM, Michael wrote: > > On Sunday, 29 November 2020 07:30:16 GMT the...@sys-concept.com wrote: > >> I'm trying to deny access to all except specific IP address in a > >> directory, just testing it. > >> > >> In modules.d/00_default_settings.conf > >> > >> > >> > >>Options MultiViews > >>AllowOverride All > >>Require all granted > >> > >> > >> > >> in admin/.htaccess > >> > >> > >> > >> Require all denied > >> Require ip 10.0.0.100 > >> > >> > >> > >> My IP is 10.0.0.112 and I can still access the server /admin directory > >> > >> What am I missing? > > > > In apache 2.4 the access control syntax has changed. The RequireAll > > directive means *all* authorisation directives within it must succeed. > > > > https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall > > > > What happens if you just remove the first line, "Require all denied"? > > As you suggested I have: > in admin/.htaccess > > > Require ip 10.0.0.100 > > > My IP is: 10.0.0.112 and it still allow me to access it. I know apache > 2.4 is reading the file as the the below direcive works. I've tested different RequireAll directives in a .htaccess file and with otherwise default apache settings I can confirm: This is correct: = Require ip 10.0.0.100 = will only allow visitors from 10.0.0.100 to access the directory content. This is also correct: = Require all granted Require ip 10.0.0.100 = will only allow visitors from 10.0.0.100 to access the directory content. Finally, this won't work: = Require all denied Require ip 10.0.0.100 = because it returns 403 for all clients irrespective of IP address, since both subdirectives must be correct for the RequireAll to be true. I notice you have 'Options MultiViews' in your modules.d/ 00_default_settings.conf, which will parse paths to find and serve any file requested by the client even if the URL is not complete. It might be this conflicts with your .htaccess within admin/ subdirectory, but I'm not sure. Something in apache logs may shed light in this. > AuthName "restricted stuff" > AuthType Basic > AuthUserFile "/etc/apache2/users" > require user webmaster > > I've tried adding > RewriteEngine on > > With it, I can not login at all (access denied) regardless of IP. With apache 2.4 a new directive was added to perform conditional checks and replace/augment many of the mod_rewrite functionalities. I don't know how you have structured your RewriteCond and RewriteRule, but obviously they don't work as intended if they totally block access. You could check conflicting rules between your apache config and any .htaccess directives, or any loose and contradictory .htaccess files in higher subdirectories. signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] apache 2.4 - deny access to directory
Thelma On 11/29/2020 03:22 AM, Michael wrote: > On Sunday, 29 November 2020 07:30:16 GMT the...@sys-concept.com wrote: >> I'm trying to deny access to all except specific IP address in a >> directory, just testing it. >> >> In modules.d/00_default_settings.conf >> >> >> Options MultiViews >> AllowOverride All >> Require all granted >> >> >> in admin/.htaccess >> >> >> Require all denied >> Require ip 10.0.0.100 >> >> >> My IP is 10.0.0.112 and I can still access the server /admin directory >> >> What am I missing? > > In apache 2.4 the access control syntax has changed. The RequireAll > directive > means *all* authorisation directives within it must succeed. > > https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall > > What happens if you just remove the first line, "Require all denied"? As you suggested I have: in admin/.htaccess Require ip 10.0.0.100 My IP is: 10.0.0.112 and it still allow me to access it. I know apache 2.4 is reading the file as the the below direcive works. AuthName "restricted stuff" AuthType Basic AuthUserFile "/etc/apache2/users" require user webmaster I've tried adding RewriteEngine on With it, I can not login at all (access denied) regardless of IP.
Re: [gentoo-user] apache 2.4 - deny access to directory
On Sunday, 29 November 2020 07:30:16 GMT the...@sys-concept.com wrote: > I'm trying to deny access to all except specific IP address in a > directory, just testing it. > > In modules.d/00_default_settings.conf > > > Options MultiViews > AllowOverride All > Require all granted > > > in admin/.htaccess > > > Require all denied > Require ip 10.0.0.100 > > > My IP is 10.0.0.112 and I can still access the server /admin directory > > What am I missing? In apache 2.4 the access control syntax has changed. The RequireAll directive means *all* authorisation directives within it must succeed. https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall What happens if you just remove the first line, "Require all denied"? signature.asc Description: This is a digitally signed message part.
