Hi Robert,

2018-04-17 16:27 GMT+02:00 Robert Schweikert <rjsch...@suse.com>:
> Hi,
>
> Configuration question.
>
> Apache version 2.4.23
>
> What I am trying to do is have users authenticate but only allow access
> to that authentication method from known IP ranges. To this effect I
> have a config file that sets:
>
> <Directory "some_path">
>     Options +Indexes +FollowSymLinks
>     IndexOptions +NameWidth=*
>
>     PerlAuthenHandler THE::PERL::MODULE
>     AuthName MODULE
>     AuthType Basic
>     Require valid-user
>     Require expr %{REQUEST_URI} =~ m#^/SOME_EXCEPTION/.*#
>
>     Require ip A_VERY_LONG_LIST_OF_IP_RANGES
>     Require ip ANOTHER_VERY_LONG_LIST_OF_IP_RANGES
> </Directory>
>
> The observed behavior is what could be described as "or" behavior.
> Meaning even traffic from outside the specified IP ranges is allowed to
> hit the auth handler, i.e. the user gets a username/password request
> when accessing a path that is not in the "SOME_EXCEPTION" path.
>
> What I am trying to achieve is that Apache blocks any access if the
> traffic originates from outside the specified IP ranges.
>
> Is there a potential that I am hitting some limit of the number of IP
> ranges specified and thus the whole mechanism of limiting by IP is ignored?
>
> Am I simply mis-interpreting the documentation and I need to structure
> the restrictions differently?
>
> Is there some "and" directive to tie the requires together in an "and"
> fashion to ensure all "Require" directives are considered?

This might be useful:
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#logic.

By default the multiple requires are acting as RequireAny, meanwhile you'd
probably need RequireAll.

Hope that helps!

Luca