On Thu, 7 Dec 2006, Joshua Slive wrote:
> On 12/7/06, Ara.T.Howard <[EMAIL PROTECTED]> wrote:
>> does this make sense? i'm sure that is based on a mis-understanding on my
>> part about Order/Allow/Deny, but i'm sure what i'm trying to do should be
>> possible solely from this .htaccess file.
>>
>> thoughts?
>
> You should include an
>
>     Order Allow,Deny
>
> directive.

thanks. this is what i've got now: seems to work

    SetEnvIfNoCase Client-Ip ^123\.456 INTRANET=123.456
    Order Deny,Allow
    Deny from all
    Allow from env=INTRANET
    Satisfy Any
    AuthType Digest
    AuthName "authname"
    AuthDigestFile htdigest.txt
    Require valid-user

make sense?

>> ps. any thoughts on why 'Allow from x.x.x.x' uses REMOTE_ADDR and not
>> HTTP_CLIENT_IP?
>
> Because HTTP_CLIENT_IP is completely non-standard and could be
> trivially manipulated by the client in most circumstances?

hmmm. in this case i'm behind a server iron, so i assume HTTP_CLIENT_IP is
actually set via the REMOTE_ADDR on __that__ machine. but the point is well
taken.

still, i think even REMOTE_ADDR could be spoofed easily couldn't it?

> There used to be a module out there that takes the more-standard
> X-Forwarded-For and shoves it into the internal apache structure that
> sets REMOTE_ADDR. You could write a module to do the same with
> Client-IP if you want.

hmmm. unless someone sees issues with above i'll avoid doing any work ;-) but
i'll file that away.
-a
--
if you want others to be happy, practice compassion.
if you want to be happy, practice compassion. -- the dalai lama
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
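
The header-trust point raised in the thread, as an added example (not code from either poster or from the Apache project): a Client-Ip value is only meaningful when the TCP peer is the load balancer that sets it. The proxy address, the intranet range and all function names are constructed assumptions, and the proxy is assumed to overwrite any Client-Ip header sent by the client.

```python
import ipaddress
import re

# Constructed sample values (assumptions, not taken from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]  # the load balancer
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]


def _member(addr, networks):
    return any(addr in net for net in networks)


def header_only_match(headers):
    """What a bare SetEnvIf on Client-Ip does: trust the header from anyone."""
    value = {k.lower(): v for k, v in headers.items()}.get("client-ip", "")
    return re.match(r"^10\.", value) is not None


def effective_client_ip(peer_addr, headers):
    """Use Client-Ip only when the TCP peer is a trusted proxy.

    Assumes that proxy overwrites any Client-Ip header sent by the client.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _member(peer, TRUSTED_PROXIES):
        return peer  # direct connection: the header is client-controlled
    value = {k.lower(): v for k, v in headers.items()}.get("client-ip", "")
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return peer  # missing or malformed header: fall back to the peer


def access_decision(peer_addr, headers, authenticated):
    """'Satisfy Any' semantics: intranet address OR a valid login."""
    if _member(effective_client_ip(peer_addr, headers), INTRANET):
        return "allow-intranet"
    return "allow-authenticated" if authenticated else "challenge"
```

The header-only check accepts a request from any peer that sends a matching Client-Ip value, while the peer-aware check sends the same request to the digest login.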