This is doable with the new auth syntax.
For example:
<RequireAll>
    # Clients in these IP ranges are blocked
    Require not ip 10.83.2.0/24
    Require not ip 10.83.3.0/24
    <RequireAny>
        <RequireAny>
            # Clients in these IP ranges are allowed
            Require ip 127.0.0.1
            Require ip 10.83.0.0/24
        </RequireAny>
        # All others must authenticate
        <RequireAll>
            Require valid-user
            AuthType Basic
            AuthName Login
            AuthBasicProvider file
            AuthUserFile "/var/www/private/.htpasswd"
        </RequireAll>
    </RequireAny>
</RequireAll>
Tested on my computer.
- Y
On Tue, Dec 16, 2025 at 5:32 AM Nutchanon Wetchasit <[email protected]> wrote:
> Hello folks,
>
> I'm using shared hosting based on Apache 2.4, and I have been using
> the old-school `mod_access_compat` access-control directives
> `Allow from` and `Deny from` for some years now; they work okay
> and are straightforward to read and understand.
>
> However, I found that when I used these in combination with
> HTTP Basic Authentication, even under the control of the `Satisfy` directive,
> they only allowed 2 states of entry allowance in `Satisfy` configuration:
>
> - `Satisfy any`: let in if allowed, authenticate if denied
> - `Satisfy both`: authenticate if allowed, reject if denied
>
> I'm currently using the latter style in some parts of my site
> (with `Order Allow,Deny` precedence); but it is not ideal,
> because I actually would like to *also* let requests
> from whitelisted locations bypass the "authentication" [1] entirely,
> which would make the check tri-state:
>
> A. If `Allow from` (or its newer equivalent) matches the request,
> bypass the HTTP Basic authentication and allow the request in.
>
> B. If `Deny from` (or its newer equivalent) matches the request,
> fail the request with 403 response, *without* ever allowing it
> to authenticate to bypass this restriction.
>
> C. If neither matched, then present a 401 response requesting credential
> for HTTP Basic authentication.
>
> I have read relevant parts of 2.4's `mod_access_compat` documentation [2]
> several times, and I couldn't find a way to configure tri-state
> access control in the manner I described above.
>
> So I would like to ask: how to configure Apache HTTPd 2.4
> to do this kind of tri-state access control based on remote IP address
> and HTTP Basic Authentication (using old-style `Allow from`/`Deny from`
> or newer `Require` notwithstanding)?
>
> Or is this impossible, and I'd have to resort to a roll-my-own
> last-ditch option in order to do so? [3]
>
> Thanks in advance,
> Nutchanon Wetchasit
>
>
> [1] I'm scare-quoting "authentication", because I'm (ab)using this for
> non-authentication uses where things entered were not secret:
> it is rather for gauging user's ability to understand what's on the page
> and take unusual action based on what he understood.
>
> ^ There is a specific all-caps C-word term that describes this technique,
> but I'm intentionally not writing it here to prevent this email
> from becoming searchable to unsavory people aiming to circumvent this.
>
> (And the reason that HTTP Basic Authentication is used for this is exactly
> because it is *not* intended for this task; and also because it could be
> set up solely via server configuration directives without having to
> write additional CGI programs or install third-party software,
> nor having to maintain a session cookie)
>
> [2]
> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
>
> [3]
> While it is possible to implement this less-usual kind of tri-state ACL
> using a CGI program that produces an internal-forwarding `Location: `
> response line; I would prefer to relegate that as a last-resort measure,
> since it involves reinventing many wheels (partially re-parsing
> the `.htaccess` file), as well as the clash with complex `mod_rewrite`
> rules I additionally use (many of them depend on the $REDIRECT_STATUS
> internal environment variable-- which CGI-issued redirections would
> bungle).
>
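
Added example, not part of the original thread and not Apache code: a small Python model of how the Require tree in the reply resolves to the three outcomes asked about (200 with no prompt, 403, 401). The result names and combining rules are a simplified assumption about mod_authz_core's section logic; the function names and the client addresses used with it are constructed for illustration.

```python
import ipaddress

# Result names follow the statuses mod_authz_core uses (assumed, simplified model).
GRANTED, DENIED, DENIED_NO_USER, NEUTRAL = "granted", "denied", "denied_no_user", "neutral"

def ip(cidr, negate=False):
    net = ipaddress.ip_network(cidr)
    def check(client, user):
        hit = ipaddress.ip_address(client) in net
        if negate:
            # "Require not ip" can veto, but a non-match grants nothing by itself.
            return DENIED if hit else NEUTRAL
        return GRANTED if hit else DENIED
    return check

def valid_user(client, user):
    # No credentials yet: the answer could change after a login, so not a hard deny.
    return GRANTED if user else DENIED_NO_USER

def section(op, *children):
    """op is "all" (<RequireAll>) or "any" (<RequireAny>)."""
    def check(client, user):
        result = NEUTRAL
        for child in children:
            r = child(client, user)
            if r == NEUTRAL:
                continue
            if r == (DENIED if op == "all" else GRANTED):
                return r  # decisive for this kind of section, stop here
            # Keep DENIED_NO_USER in preference to DENIED so a login is still offered.
            if result == NEUTRAL or (r == DENIED_NO_USER and (op == "all" or result == DENIED)):
                result = r
        return result
    return check

# The tree from the reply, with the same ranges and nesting.
TREE = section("all",
    ip("10.83.2.0/24", negate=True),
    ip("10.83.3.0/24", negate=True),
    section("any",
        section("any", ip("127.0.0.1"), ip("10.83.0.0/24")),
        section("all", valid_user)))

def status(tree, client, user=None):
    """Map the model's result to the HTTP status the client would see.
    `user` stands for credentials that have already been verified."""
    return {GRANTED: 200, DENIED_NO_USER: 401}.get(tree(client, user), 403)
```

In this model the blocked ranges stay at 403 even with valid credentials, because a DENIED from `Require not ip` short-circuits the outer <RequireAll> before the authentication branch is considered.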