On 7/29/2020 6:34 PM, Jim Albert wrote:
In Apache 2.2 I could set up an .htaccess file and establish simple
and easily maintainable access control such as:
<FILES abc.html>
require user jim joe
</FILES>
<FILES def.html*>
require user jim joe
</FILES>
<Limit GET POST>
order deny,allow
deny from all
allow from 10.10.0.1
allow from 10.10.0.2
require valid-user
</Limit>
<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>
... and that would work very nicely so that for resources other than
abc.html and def.html as defined in the FILES section the request
would have to come from client 10.10.0.1 or 10.10.0.2 and be any
authenticated user. The <Limit GET POST> is the only restriction.
If the request were specifically for abc.html or def.html the GET
request would still be required to originate from 10.10.0.1 or
10.10.0.2, but now the user must be specifically jim or joe as defined
in the <FILES> restriction. So both the <Limit GET POST> restrictions
were respected along with the FILES restriction requiring specific
user authentication.
In Apache 2.4, access control configurations change so that I migrate
the above to:
<FILES abc.html>
require user jim joe
</FILES>
<FILES def.html*>
require user jim joe
</FILES>
<Limit GET POST>
<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
Require valid-user
</RequireAll>
</Limit>
<LimitExcept GET POST>
Require all denied
</LimitExcept>
In Apache 2.4 combining access for multiple IPs in combination with
users makes the configurations somewhat more complex, but I can live
with that.
However, I can't easily get the same access experience as in 2.2
without a lot of redundant configuration.
In my 2.4 configuration, the FILES directives are looked at without
respect to the Limit on the GET/POST.
I can comment out:
<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>
and I'm still allowed to make a request to either abc.html or def.html
as defined in the FILES section as long as I am authenticated as user
jim or joe even with the request originating from 10.10.0.1.
It seems like I'd have to do something like the following which seems
absurd and incredibly redundant and difficult to maintain with changes.
<FILES abc.html>
<RequireAll>
Require ip 10.10.0.1
require user jim joe
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
require user jim joe
</RequireAll>
</FILES>
<FILES def.html*>
<RequireAll>
Require ip 10.10.0.1
require user jim joe
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
require user jim joe
</RequireAll>
</FILES>
<Limit GET POST>
<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
Require valid-user
</RequireAll>
</Limit>
<LimitExcept GET POST>
Require all denied
</LimitExcept>
I tested and the above does seem to work in getting me the access
control that I want, but the configurations are incredibly redundant
and difficult to manage. Expand that out to a dozen more IPs and
dozens of resources and that configuration gets very long.
Note, in my production environment there are many users other than jim
and joe and users are restricted to certain resources. Not all users
are allowed access to the same set of resources.
Can anyone simplify those Apache 2.4 restrictions or instruct me on
what I might be overlooking or misunderstanding, please?
I did some more testing and I can list multiple IP addresses on the
"Require ip" line, so I believe I can simplify my .htaccess controls to
the following:
<FILES abc.html>
<RequireAll>
Require ip 10.10.0.1 10.10.0.2
require user jim joe
</RequireAll>
</FILES>
<FILES def.html*>
<RequireAll>
Require ip 10.10.0.1 10.10.0.2
# Note I added jack to the user list to indicate my user list access
controls change per resource.
require user jim joe jack
</RequireAll>
</FILES>
<Limit GET POST>
<RequireAll>
Require ip 10.10.0.1 10.10.0.2
Require valid-user
</RequireAll>
</Limit>
<LimitExcept GET POST>
Require all denied
</LimitExcept>
However, note how the list of IP addresses is required to be
continuously repeated in Apache 2.4 access control.
That looks to be my biggest issue. For each <FILES> section along with
the default <Limit GET POST> I have to repeat the same Require ip line.
If I have say 100 separate <FILES> sections I have to repeat that same
Require ip line for each <FILES>. Adding or removing IP addresses
becomes a maintenance issue.
Thanks,
Jim
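One way to keep the address list in a single place, shown here as an added example that is not part of Jim's message or of any reply in the thread: declare the list once with Define in the server configuration (Define is a server-config directive, so it goes in httpd.conf, not in .htaccess) and reference it as ${trusted_ips} in every Require ip line, so adding or removing a client means editing one line. The variable name, the AuthUserFile path and the AuthType/AuthName settings are assumptions. The AuthMerging And step in the Files sections is the part to verify against your own build: by default (AuthMerging Off) a Files section's Require replaces the rules of the enclosing section, which is the behaviour Jim observed, whereas AuthMerging And asks mod_authz_core to combine the section's Require with the enclosing rules.

```apache
# --- httpd.conf (server config context) ---
# Assumed variable name. The trusted client list is declared exactly once;
# ${trusted_ips} is expanded in later configuration lines, including the
# per-directory .htaccess lines below, before they are parsed.
Define trusted_ips "10.10.0.1 10.10.0.2"

# --- .htaccess ---
# Authentication settings (assumed; the thread does not show them).
AuthType Basic
AuthName "Restricted"
# Placeholder path; substitute the real password file.
AuthUserFile /path/to/htpasswd

# Default rule for every resource in the directory:
# GET and POST are allowed only from a trusted address and only for an
# authenticated user; every other method is denied outright.
<Limit GET POST>
    <RequireAll>
        Require ip ${trusted_ips}
        Require valid-user
    </RequireAll>
</Limit>
<LimitExcept GET POST>
    Require all denied
</LimitExcept>

# Per-resource user lists. AuthMerging And combines this section's Require
# with the enclosing rules instead of replacing them, so the ip and
# valid-user checks above still apply and the address list is not repeated.
<Files abc.html>
    AuthMerging And
    Require user jim joe
</Files>
<Files def.html*>
    AuthMerging And
    Require user jim joe jack
</Files>
```

If AuthMerging does not give the combined behaviour on your build, the fallback is the RequireAll form from the message above with `Require ip ${trusted_ips}` in each Files section: the per-file sections still repeat a Require ip line, but the address list itself lives only in the Define, which removes the maintenance problem of editing every section when a client address changes. Apache does not allow trailing comments on a directive line, so keep the comments on lines of their own as shown.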