can apache require authentication from one subnet and not another?
I want to limit a web page to only two subnets. One of the subnets I
would like the users to authenticate, the other I do not. I can
partially satisfy this by...

<Directory /var/html>
# ** authentication stuff
Allow from sub1.com
Require valid-user
Satisfy any
</Directory>

From sub1 I would not be prompted for authentication, from any other
location, I would. The only problem is I don't want to open it up to
all other locations. I want it to be something like...

deny from all
Allow from sub1.com
* no auth
Allow from sub2.com
* require auth

Does anyone know if this is possible?

Jim Hayter 2005-05-17, 5:50 pm
On 17 May 2005 09:36:39 -0700, in comp.infosystems.www.servers.unix,
"adam" <abrust@gmail.com> wrote:
>I want to limit a web page to only two subnets. One of the subnets I
>would like the users to authenticate, the other I do not.
<snip>
>deny from all
>Allow from sub1.com
> * no auth
>Allow from sub2.com
> * require auth
>
>Does anyone know if this is possible?
I put this in my default virtual host which is only used for
monitoring and accessing the server-status page (NOTE: potentially
sensitive items masked.)
<Location />
AllowOverride None
AuthType basic
AuthName "XXchallengeXX"
AuthUserFile XXdirXX/XXpassword.fileXX
require user XXusernameXX
# allow anyone from monitoring IPs
Order deny,allow
Deny from all
# monitoring systems
Allow from XXX.XXX.XXX.XXX 10.28.1.20/31
# server iron (load balancer)
Allow from XXX.XXX.XXX.XXX
Satisfy any
</Location>
Anyone connecting from any of the allowed IPs gets direct access.
Otherwise they get challenged and have to supply the username and
password.
HTH,
Jim

Andrei Ivanov 2005-05-17, 5:50 pm
adam <abrust@gmail.com> wrote:
> I want to limit a web page to only two subnets. One of the subnets I
> would like the users to authenticate, the other I do not. I can
> partially satisfy this by...
>
> <Directory /var/html>
Configuration like the one that follows should allow unauthenticated
access from the 192.168.0.0/24 netblock and also will ask for user
name/password when user connects from any other IP address.
<Directory /var/html>
Order allow,deny
Satisfy any
Allow from 192.168.0.0/24
Require valid-user
AuthType ...
AuthName ...
...
</Directory>
--
andrei

chris-usenet@roaima.co.uk 2005-05-18, 2:47 am
Andrei Ivanov <iva@racoon.riga.lv> wrote:
> Configuration like the one that follows should allow unauthenticated
> access from the 192.168.0.0/24 netblock and also will ask for user
> name/password when user connects from any other IP address.
Which is not what the OP asked for.
Chris

I was able to resolve this problem by using the rewrite directive as
well...
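<IfModule mod_rewrite.c>
RewriteEngine On
# Dots are escaped so they match only a literal "."; unescaped,
# ^172.16. would also match 172.160.x.x through 172.169.x.x
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.
RewriteCond %{REMOTE_ADDR} !^172\.16\.
# Both conditions true (client in neither subnet): 403 Forbidden
RewriteRule ^/secure.*$ - [F,L]
</IfModule>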
The above says that any source IP that is NOT from the above subnets
trying to access the '/secure' page will be redirected to a
'Forbidden' page.
Then I keep the same allow & satisfy directives:
<Directory /var/www/html/secure>
# ** authentication stuff
Allow from 192.168.0.0/24
Require valid-user
Satisfy any
</Directory>
So, the redirect rule ensures that only traffic from the two subnets
listed above can view these pages... The 'Satisfy any' says that if
they are from the 192.168.0.0/24 subnet, there is no need for
authentication and if they are from any other subnet (only
172.16.0.0/16 will be able to view b/c of the rewrite rule), then a
valid user is required to gain access.
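
The policy asked for in this thread (no access outside two subnets, no prompt from the first, a login from the second) can be written as a single authorization block on Apache 2.4, without mod_rewrite. This is an added example, not a configuration posted by anyone in the thread; it assumes Apache 2.4 with mod_authz_core, mod_authz_host and mod_auth_basic loaded, and the AuthName and AuthUserFile values are placeholders.

```apache
# Added example (Apache 2.4 syntax), not from the thread.
# Directory and subnets are the ones used in the last post.
<Directory "/var/www/html/secure">
    AuthType Basic
    # Placeholder realm and password file; substitute your own.
    AuthName "secure area (placeholder)"
    AuthUserFile "/path/to/htpasswd.placeholder"

    # Access is granted if any one child below succeeds.
    # A client in neither subnet fails both and is refused.
    <RequireAny>
        # Subnet 1: the address alone is sufficient, no prompt.
        Require ip 192.168.0.0/24

        # Subnet 2: the address AND a valid login are both required.
        # The address test comes first, so clients outside this
        # subnet fail here before a login could help them.
        <RequireAll>
            Require ip 172.16.0.0/16
            Require valid-user
        </RequireAll>
    </RequireAny>
</Directory>
```

Because `Require ip` compares against a CIDR range, there is no regular-expression prefix to get wrong. Check the syntax with `apachectl configtest` before reloading.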