I don't have time to look into this in much detail, or test it, but see comments below.
On Monday, 30 November 2020 18:09:52 GMT [email protected] wrote:
> On 11/30/2020 05:34 AM, Michael wrote:
> > On Sunday, 29 November 2020 18:22:09 GMT [email protected] wrote:
> >> Thelma
> >>
> >> On 11/29/2020 03:22 AM, Michael wrote:
> >>> On Sunday, 29 November 2020 07:30:16 GMT [email protected] wrote:
> >>>> I'm trying to deny access to all except a specific IP address in a
> >>>> directory, just testing it.
> >>>>
> >>>> In modules.d/00_default_settings.conf
> >>>>
> >>>> <Directory "/var/www/localhost/htdocs">
> >>>>
> >>>> Options MultiViews
> >>>> AllowOverride All
> >>>> Require all granted
> >>>>
> >>>> </Directory>
> >>>>
> >>>> in admin/.htaccess
> >>>>
> >>>> <RequireAll>
> >>>>
> >>>> Require all denied
> >>>> Require ip 10.0.0.100
> >>>>
> >>>> </RequireAll>
> >>>>
> >>>> My IP is 10.0.0.112 and I can still access the server /admin directory
> >>>>
> >>>> What am I missing?
> >>>
> >>> In apache 2.4 the access control syntax has changed. The RequireAll
> >>> directive means *all* authorisation directives within it must succeed.
> >>>
> >>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
> >>>
> >>> What happens if you just remove the first line, "Require all denied"?
> >>
> >> As you suggested I have:
> >> in admin/.htaccess
> >>
> >> <RequireAll>
> >>
> >> Require ip 10.0.0.100
> >>
> >> </RequireAll>
> >>
> >> My IP is: 10.0.0.112 and it still allows me to access it. I know apache
> >> 2.4 is reading the file as the below directive works.
> >
> > I've tested different RequireAll directives in a .htaccess file and with
> > otherwise default apache settings I can confirm:
> >
> > This is correct:
> > =========================
> > <RequireAll>
> >
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > will only allow visitors from 10.0.0.100 to access the directory content.
> >
> > This is also correct:
> > =========================
> > <RequireAll>
> >
> > Require all granted
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > will only allow visitors from 10.0.0.100 to access the directory content.
> >
> > Finally, this won't work:
> > =========================
> > <RequireAll>
> >
> > Require all denied
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > because it returns 403 for all clients irrespective of IP address, since
> > both subdirectives must be correct for the RequireAll to be true.
> >
> > I notice you have 'Options MultiViews' in your modules.d/
> > 00_default_settings.conf, which will parse paths to find and serve any
> > file requested by the client even if the URL is not complete. It might be
> > this conflicts with your .htaccess within the admin/ subdirectory, but I'm
> > not sure. Something in the apache logs may shed light on this.
> >
> >> AuthName "restricted stuff"
> >> AuthType Basic
> >> AuthUserFile "/etc/apache2/users"
> >> require user webmaster
> >>
> >> I've tried adding
> >> RewriteEngine on
> >>
> >> With it, I cannot log in at all (access denied) regardless of IP.
> >
> > With apache 2.4 a new <If> directive was added to perform conditional
> > checks and replace/augment many of the mod_rewrite functionalities. I
> > don't know how you have structured your RewriteCond and RewriteRule, but
> > obviously they don't work as intended if they totally block access.
> >
> > You could check for conflicting rules between your apache config and any
> > .htaccess directives, or any loose and contradictory .htaccess files in
> > higher directories.
>
> Here is the complete file: modules.d/00_default_settings.conf
> I've removed 'Options MultiViews' but it didn't help.
>
> Timeout 300
> KeepAlive On
> MaxKeepAliveRequests 100
> KeepAliveTimeout 15
> UseCanonicalName Off
> AccessFileName .htaccess
> ServerTokens Prod
> TraceEnable off
> ServerSignature Off
> HostnameLookups Off
> EnableMMAP On
> EnableSendfile Off
> FileETag MTime Size
> ContentDigest Off
> ErrorLog /var/log/apache2/error_log
> LogLevel warn
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> Require all denied
> </Directory>
>
> <Directory "/var/www/localhost/htdocs">
> AllowOverride All
> Require all granted
> </Directory>
>
> <IfModule dir_module>
> DirectoryIndex index.html index.html.var
> </IfModule>
>
> <FilesMatch "^\.ht">
> Require all denied
> </FilesMatch>
>
> The server root .htaccess is empty.
> In server root/admin/.htaccess:
>
> <RequireAll>
> Require ip 10.0.0.100
> </RequireAll>

Hmm ... as I understand it the <RequireAll> directive is evaluated to make
an authorisation decision, before the authentication directive below. If
the authorisation fails, because you're not connecting from ip 10.0.0.100,
then I would assume apache should return 403 and stop processing further
directives. However, from what you say it does not do this. :-/

I wonder if you add 'AuthMerging And' above your authentication directives
below, whether it would work as expected - i.e. both 'ip 10.0.0.100' and
'user webmaster' should succeed before access to /admin is allowed.

> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile "/etc/apache2/users"
> require user webmaster
>
> My IP is 10.0.0.109 so I should be denied access to admin/index.php but
> I'm able to view it/access it.
> It seems to me it is reading the .htaccess file as "AuthType Basic" works,
> it is asking me for a password, but "Require ip" doesn't work. Because my
> IP is 10.0.0.109 apache should deny me access with "access denied".

Something else to try instead of <RequireAll>, in case it makes a
difference. Does it work as intended if you replace <RequireAll> with a
filesystem container:

<Directory "/var/www/localhost/htdocs/*/admin">
Require ip 10.0.0.100
</Directory>

Or, if this is a set of pages dynamically generated by php, rather than a
static file within the admin directory, use a webspace container:

<Location "*/admin">
Require ip blah
</Location>

> It is strange as the directive: "DirectoryIndex index.html
> index.html.var" does not include "index.php" and I'm able to access this
> file "admin/index.php"
> so the index.php must be defined somewhere else. Most likely via httpd.conf:
>
> httpd.conf:75:LoadModule autoindex_module modules/mod_autoindex.so (but
> this is a binary file, cannot read it).

The index.php is defined by /etc/apache2/modules.d/70_mod_php.conf.
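Added example, not code from either participant in this thread: the admin/.htaccess exactly as posted above, beside a corrected version. The reason the posted file does not deny 10.0.0.109 is documented on the mod_authz_core page already linked in the thread: Require directives (and Require* containers) that are not themselves enclosed in a container are implicitly wrapped in a <RequireAny>, so the posted file grants access if EITHER the client is 10.0.0.100 OR it presents webmaster's password. Putting both tests inside one <RequireAll> makes the address check and the password check both mandatory. The paths and the user name are taken from the thread; the contents of /etc/apache2/users and the client addresses used in the verification note are assumptions.

```apache
# ---- admin/.htaccess as posted in the thread ----
# mod_authz_core evaluates this section as
#   RequireAny( RequireAll( Require ip 10.0.0.100 ), Require user webmaster )
# because the <RequireAll> block and the bare "require user" line are two
# unenclosed authorization directives in the same section.  A client from
# any address that types webmaster's password passes the second branch and
# is granted, which is the behaviour reported from 10.0.0.109.
<RequireAll>
    Require ip 10.0.0.100
</RequireAll>
AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
require user webmaster

# ---- admin/.htaccess corrected (replace the file contents above) ----
# Both conditions now sit inside one <RequireAll>, so a request must come
# from 10.0.0.100 AND carry valid credentials for "webmaster".  A request
# from 10.0.0.109 is refused with 403 regardless of the password.
AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
<RequireAll>
    Require ip 10.0.0.100
    Require user webmaster
</RequireAll>
```

To check the result without guessing, request the directory with curl from a non-allowlisted address and from 10.0.0.100: `curl -s -o /dev/null -w '%{http_code}\n' -u webmaster:PASSWORD http://SERVER/admin/` should print 403 from 10.0.0.109 and 200 from 10.0.0.100 (and 401 from 10.0.0.100 when the -u option is omitted). Setting `LogLevel authz_core:debug` in the server config makes mod_authz_core write one "authorization result of Require ..." line per directive to the error log, which shows exactly which branch granted or denied the request. One caveat a practitioner should keep in mind: `Require ip` tests the TCP peer address of the connection, so behind a reverse proxy or load balancer every client appears as the proxy and the rule is either always true or always false until mod_remoteip (RemoteIPHeader plus RemoteIPInternalProxy) is configured in the server config to recover the real client address.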