I don't have time to look into this in much detail, or test it, but see
comments below.

On Monday, 30 November 2020 18:09:52 GMT thelma@×××××××××××.com wrote:
> On 11/30/2020 05:34 AM, Michael wrote:
> > On Sunday, 29 November 2020 18:22:09 GMT thelma@×××××××××××.com wrote:
> >> Thelma
> >>
> >> On 11/29/2020 03:22 AM, Michael wrote:
> >>> On Sunday, 29 November 2020 07:30:16 GMT thelma@×××××××××××.com wrote:
> >>>> I'm trying to deny access to all except a specific IP address in a
> >>>> directory, just testing it.
> >>>>
> >>>> In modules.d/00_default_settings.conf
> >>>>
> >>>> <Directory "/var/www/localhost/htdocs">
> >>>>
> >>>> Options MultiViews
> >>>> AllowOverride All
> >>>> Require all granted
> >>>>
> >>>> </Directory>
> >>>>
> >>>> in admin/.htaccess
> >>>>
> >>>> <RequireAll>
> >>>>
> >>>> Require all denied
> >>>> Require ip 10.0.0.100
> >>>>
> >>>> </RequireAll>
> >>>>
> >>>> My IP is 10.0.0.112 and I can still access the server /admin directory
> >>>>
> >>>> What am I missing?
> >>>
> >>> In apache 2.4 the access control syntax has changed. The RequireAll
> >>> directive means *all* authorisation directives within it must succeed.
> >>>
> >>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
> >>>
> >>> What happens if you just remove the first line, "Require all denied"?
> >>
> >> As you suggested I have:
> >> in admin/.htaccess
> >>
> >> <RequireAll>
> >>
> >> Require ip 10.0.0.100
> >>
> >> </RequireAll>
> >>
> >> My IP is: 10.0.0.112 and it still allows me to access it. I know apache
> >> 2.4 is reading the file as the below directive works.
> >
> > I've tested different RequireAll directives in a .htaccess file and with
> > otherwise default apache settings I can confirm:
> >
> > This is correct:
> > =========================
> > <RequireAll>
> >
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > will only allow visitors from 10.0.0.100 to access the directory content.
> >
> > This is also correct:
> > =========================
> > <RequireAll>
> >
> > Require all granted
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > will only allow visitors from 10.0.0.100 to access the directory content.
> >
> > Finally, this won't work:
> > =========================
> > <RequireAll>
> >
> > Require all denied
> > Require ip 10.0.0.100
> >
> > </RequireAll>
> > =========================
> > because it returns 403 for all clients irrespective of IP address, since
> > both subdirectives must be correct for the RequireAll to be true.
> >
> > I notice you have 'Options MultiViews' in your modules.d/
> > 00_default_settings.conf, which will parse paths to find and serve any file
> > requested by the client even if the URL is not complete. It might be this
> > conflicts with your .htaccess within the admin/ subdirectory, but I'm not
> > sure.
> > Something in the apache logs may shed light on this.
> >
> >> AuthName "restricted stuff"
> >> AuthType Basic
> >> AuthUserFile "/etc/apache2/users"
> >> require user webmaster
> >>
> >> I've tried adding
> >> RewriteEngine on
> >>
> >> With it, I cannot log in at all (access denied) regardless of IP.
> >
> > With apache 2.4 a new <If> directive was added to perform conditional
> > checks and replace/augment many of the mod_rewrite functionalities. I
> > don't know how you have structured your RewriteCond and RewriteRule, but
> > obviously they don't work as intended if they totally block access.
> >
> > You could check conflicting rules between your apache config and any
> > .htaccess directives, or any loose and contradictory .htaccess files in
> > higher subdirectories.
>
> Here is the complete file: modules.d/00_default_settings.conf
> I've removed 'Options MultiViews' but it didn't help.
>
> Timeout 300
> KeepAlive On
> MaxKeepAliveRequests 100
> KeepAliveTimeout 15
> UseCanonicalName Off
> AccessFileName .htaccess
> ServerTokens Prod
> TraceEnable off
> ServerSignature Off
> HostnameLookups Off
> EnableMMAP On
> EnableSendfile Off
> FileETag MTime Size
> ContentDigest Off
> ErrorLog /var/log/apache2/error_log
> LogLevel warn
>
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> Require all denied
> </Directory>
>
> <Directory "/var/www/localhost/htdocs">
> AllowOverride All
> Require all granted
> </Directory>
>
> <IfModule dir_module>
> DirectoryIndex index.html index.html.var
> </IfModule>
>
> <FilesMatch "^\.ht">
> Require all denied
> </FilesMatch>
>
> The server root .htaccess is empty
> In server root/admin/.htaccess
>
> <RequireAll>
> Require ip 10.0.0.100
> </RequireAll>

Hmm ... as I understand it the <RequireAll> directive is evaluated to make an
authorisation decision, before the authentication directive below. If the
authorisation fails, because you're not connecting from ip 10.0.0.100, then I
would assume apache should return 403 and stop processing further directives.
However, from what you say it does not do this. :-/

I wonder if you add 'AuthMerging And' above your authentication directives
below, it would work as expected - i.e. both 'ip 10.0.0.100' and 'user
webmaster' should succeed before access to /admin is allowed.

> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile "/etc/apache2/users"
> require user webmaster
>
> My IP is 10.0.0.109 so I should be denied access to admin/index.php but
> I'm able to view it/access it.
> It seems to me it is reading the .htaccess file as "AuthType Basic" works, it
> is asking me for a password, but "Require ip" doesn't work. Because my
> IP is 10.0.0.109 apache should deny me access with "access denied".


Something else to try instead of <RequireAll>, in case it makes a difference.
Does it work as intended if you replace <RequireAll> with a filesystem
container:

<Directory "/var/www/localhost/htdocs/*/admin">
Require ip 10.0.0.100
</Directory>

Or, if this is a set of pages dynamically generated by php, rather than a
static file within the admin directory, use a webspace container:

<Location "*/admin">
Require ip blah
</Location>


> It is strange as the directive: "DirectoryIndex index.html
> index.html.var" does not include "index.php" and I'm able to access this
> file "admin/index.php"
> so the index.php must be defined somewhere else. Most likely via httpd.conf:
>
> httpd.conf:75:LoadModule autoindex_module modules/mod_autoindex.so (but
> this is a binary file, cannot read it).

The index.php is defined by /etc/apache2/modules.d/70_mod_php.conf.
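Added example, not from the thread: the admin/.htaccess as it ends up above (a <RequireAll> holding only "Require ip", followed by a bare "require user webmaster"), beside a version that enforces both checks. In Apache 2.4, Require directives and authorization containers that sit in the same configuration section without an enclosing container are implicitly wrapped in a <RequireAny>, so the posted <RequireAll> block and the top-level "require user" line are siblings under an implicit "any": a client from 10.0.0.100 or any client that logs in as webmaster is granted access, which matches what is observed from 10.0.0.109 (a password prompt, then access). The two halves below are alternative contents for the same file, not one file; paths, the IP and the user name are the ones quoted in the thread.

```apache
# --- admin/.htaccess as posted: both checks are top-level siblings -----
# Apache 2.4 wraps sibling Require directives/containers in an implicit
# <RequireAny>, so this reads as: (ip == 10.0.0.100) OR (user == webmaster).
# A client from 10.0.0.109 is challenged for Basic auth and, with a valid
# password, gets in. "Require ip" is evaluated; it is simply not decisive.
<RequireAll>
    Require ip 10.0.0.100
</RequireAll>

AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
Require user webmaster

# --- hardened admin/.htaccess: one explicit container around BOTH ------
# (ip == 10.0.0.100) AND (user == webmaster). A request from any other
# source address cannot succeed, whatever credentials it carries; a request
# from 10.0.0.100 still has to authenticate as webmaster.
AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"

<RequireAll>
    Require ip 10.0.0.100
    Require user webmaster
</RequireAll>
```

To check it, request /admin/ with the webmaster credentials from an address that is not 10.0.0.100 and expect a 403, then repeat from 10.0.0.100 and expect 200. Note that AuthMerging controls how a section's authorization logic is combined with that of the enclosing configuration sections (parent <Directory>, parent .htaccess); it does not change how directives inside one section combine with each other, so the grouping has to be made explicit with the container as above.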