I think it's just the way you use allow, deny. I would have put this myself:
Order deny,allow
Deny from all
Allow from 127.0.0.1 199.85.99.
The Allow syntax has always seemed odd to me. What appears in the
documentation at http://httpd.apache.org/docs/mod/mod_access.html#allow
doesn't all work for me.
-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
Reality TV - the ultimate oxymoron
> -----Original Message-----
> From: Harald Koch [mailto:[EMAIL PROTECTED]]
> Sent: 22 September 2002 23:53
> To: [EMAIL PROTECTED]
> Subject: certificate + network ACL + passwords problem?
>
>
> I've tried this both with the stock (fully patched) RedHat 7.2, and with
> a fresh-built Apache 1.3.26 + modssl-2.8.10-1.3.26 + openssl-0.9.6g.
>
> With the attached config snippet for a "private" directory, based on the
> samples from the documentation, the webserver first asks me for my
> certificate, successfully validates it, and *then* asks me for a
> username/password. I know the certificate is successfully authenticated,
> as I've modified my CustomLog entry to log the values of
> SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY, and SSL_CIPHER_USEKEYSIZE.
>
> If I comment out the four lines for network-based access control:
>
> #Order deny,allow
> #Deny from all
> #Allow from 127.0.0.1
> #Allow from 199.85.99.0/24
>
> Then I get my expected behaviour, which is:
> - if I give a certificate, I get access
> - if I don't give a certificate, I am asked for username/password
>
> Am I being dense about combining access control methods, or is there a
> bug somewhere?
>
> Thanks in advance,
>
> --
> Harald Koch <[EMAIL PROTECTED]>
>
> "It takes a child to raze a village."
> -Michael T. Fry
>
>
> <Directory /var/www/html/private>
> # any "intranet" access is allowed
> # but from the Internet only HTTPS + Strong-Cipher + Password
> # or the alternative HTTPS + Strong-Cipher + Client-Certificate
>
> # If HTTPS is used, make sure a strong cipher is used.
> # Additionally, allow client certs as an alternative to basic auth.
> SSLRequireSSL
> SSLVerifyClient optional
> SSLVerifyDepth 2
> SSLOptions -StrictRequire +OptRenegotiate +StdEnvVars
> SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
>
> # Allow any of certs, network access or basic auth
> Satisfy any
>
> # Network Access Control
> Order deny,allow
> Deny from all
> Allow from 127.0.0.1
> Allow from 199.85.99.0/24
>
> # HTTP Basic Authentication
> AuthType Basic
> AuthName "CFRQ users"
> AuthUserFile /etc/httpd/conf/passwd
> Require valid-user
> </Directory>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
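A small model of how the quoted <Directory> block decides access, added here as an illustration and not code from the thread or from Apache itself. It assumes the Apache 1.3 rule that under `Satisfy any` every access checker (the mod_access host rules and mod_ssl's SSLRequire) must pass before authentication is skipped, and it matches Allow/Deny arguments the way mod_access reads IP forms only (no hostname patterns).

```python
import ipaddress

# Constructed model of the Apache 1.3 access decision for the quoted
# <Directory> block; the ordering of the internal checks is an assumption.

def host_matches(pattern, client_ip):
    """One Allow/Deny argument as mod_access reads it: 'all', a CIDR
    (199.85.99.0/24), a partial dotted prefix (199.85.99.) or a full
    address (127.0.0.1). Hostname patterns are not modelled."""
    if pattern == "all":
        return True
    if "/" in pattern:
        net = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(client_ip) in net
    # partial or full IP: compare octet by octet, not as a string prefix
    octets = pattern.rstrip(".").split(".")
    return client_ip.split(".")[:len(octets)] == octets

def mod_access_ok(order, deny, allow, client_ip):
    """Order deny,allow: Deny is checked first and Allow overrides it, so a
    client matching neither list is allowed. Order allow,deny: Allow first,
    Deny overrides, and a client matching neither list is denied."""
    denied = any(host_matches(p, client_ip) for p in deny)
    allowed = any(host_matches(p, client_ip) for p in allow)
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied

def decide(client_ip, cert_verified, keysize, password_ok, network_acl=True):
    """'Satisfy any' (assumed Apache 1.3 behaviour): the request is granted
    only if mod_access AND the SSLRequire expression both accept it; if
    either refuses, the request falls through to Basic auth, which is the
    401 challenge seen in the thread. network_acl=False corresponds to
    commenting out the four Order/Deny/Allow lines."""
    host_ok = True
    if network_acl:
        host_ok = mod_access_ok("deny,allow", ["all"],
                                ["127.0.0.1", "199.85.99.0/24"], client_ip)
    # SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 and
    #              %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
    ssl_ok = keysize >= 128 and cert_verified
    if host_ok and ssl_ok:
        return "granted"
    return "granted" if password_ok else "401 password prompt"
```

Under this model a valid certificate presented from an address outside the listed networks still ends in a password prompt, while the same request with the network lines removed is granted.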