On Sunday, 29 November 2020 18:22:09 GMT [email protected] wrote: > Thelma > > On 11/29/2020 03:22 AM, Michael wrote: > > On Sunday, 29 November 2020 07:30:16 GMT [email protected] wrote: > >> I'm trying to deny access to all except specific IP address in a > >> directory, just testing it. > >> > >> In modules.d/00_default_settings.conf > >> > >> <Directory "/var/www/localhost/htdocs"> > >> > >> Options MultiViews > >> AllowOverride All > >> Require all granted > >> > >> </Directory> > >> > >> in admin/.htaccess > >> > >> <RequireAll> > >> > >> Require all denied > >> Require ip 10.0.0.100 > >> > >> </RequireAll> > >> > >> My IP is 10.0.0.112 and I can still access the server /admin directory > >> > >> What am I missing? > > > > In apache 2.4 the access control syntax has changed. The RequireAll > > directive means *all* authorisation directives within it must succeed. > > > > https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall > > > > What happens if you just remove the first line, "Require all denied"? > > As you suggested I have: > in admin/.htaccess > > <RequireAll> > Require ip 10.0.0.100 > </RequireAll> > > My IP is: 10.0.0.112 and it still allow me to access it. I know apache > 2.4 is reading the file as the the below direcive works.
I've tested different RequireAll directives in a .htaccess file and with
otherwise default apache settings I can confirm:
This is correct:
=========================
<RequireAll>
Require ip 10.0.0.100
</RequireAll>
=========================
will only allow visitors from 10.0.0.100 to access the directory content.
This is also correct:
=========================
<RequireAll>
Require all granted
Require ip 10.0.0.100
</RequireAll>
=========================
will only allow visitors from 10.0.0.100 to access the directory content.
Finally, this won't work:
=========================
<RequireAll>
Require all denied
Require ip 10.0.0.100
</RequireAll>
=========================
because it returns 403 for all clients irrespective of IP address, since both
subdirectives must be correct for the RequireAll to be true.
I notice you have 'Options MultiViews' in your modules.d/
00_default_settings.conf, which will parse paths to find and serve any file
requested by the client even if the URL is not complete. It might be this
conflicts with your .htaccess within admin/ subdirectory, but I'm not sure.
Something in apache logs may shed light in this.
> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile "/etc/apache2/users"
> require user webmaster
>
> I've tried adding
> RewriteEngine on
>
> With it, I can not login at all (access denied) regardless of IP.
With apache 2.4 a new <If> directive was added to perform conditional checks
and replace/augment many of the mod_rewrite functionalities. I don't know how
you have structured your RewriteCond and RewriteRule, but obviously they don't
work as intended if they totally block access.
You could check conflicting rules between your apache config and any .htaccess
directives, or any loose and contradictory .htaccess files in higher
subdirectories.
signature.asc
Description: This is a digitally signed message part.
