3

I have a problem figuring out how to create the right configuration for Apache 2.4 with mod_authz_core, specifically with the combination of RequireAny/All and Require valid-user.

I need this configuration: the website blocks access from specified countries, but I have a list of specific IP addresses that have to be whitelisted and have access to the website (even from a blocked country). And there is a part of the website which requires AuthBasic authentication from an .htaccess file.

First of all, I am trying to migrate an old Apache configuration from 2.2 to Apache 2.4.

Old configuration:

    # block specified countries
    SetEnvIf GEOIP_COUNTRY_CODE AB BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE AC BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE AD BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE AE BlockCountry
    <LocationMatch "/*">
        Order deny,allow
        deny from .zx
        deny from env=BlockCountry
        allow from  127.0.0.1
        Include "/etc/httpd/conf/permited-xx-ip.include.old"
    </LocationMatch>

This works absolutely fine on Apache 2.2. I changed it to this to match the new Apache 2.4:

    <LocationMatch "/.*">
        <RequireAny>
            <RequireAll>
                Require all granted
                Require not host .xx
                Require not env BlockCountry
            </RequireAll>
            <RequireAny>
                Require local
                Include "/etc/httpd/conf/permited-xx-ip.include"
            </RequireAny>
        </RequireAny>
    </LocationMatch>

The file /etc/httpd/conf/permited-xx-ip.include contains lines:

    Require ip x.x.x.x

And this works fine, but the problem is when I have a directory which has an .htaccess with an AuthBasic directive, it will not prompt for username/password. I was checking the logs and it seems that the RequireAny/All allows access without prompting for a password.

.htaccess file:

    AuthName "members"
    AuthType Basic
    AuthUserFile ./data/.htpasswd
    AuthBasicProvider file
    Require valid-user

If I comment out the Require section in the Apache conf file, it will prompt for user/password.

I also tried the old configuration with mod_compat, but the configuration does not work as intended (it will not consider whitelisted IPs).

Thanks for reading this long post. Any suggestions?

1
  • anyone has any idea ? :p Commented Feb 5, 2015 at 15:09

1 Answer 1

4

I think I figured it out.

The right configuration should look like this:

     <Directory  /var/www/www-root>
            <RequireAny>
                    <RequireAll>
                            Require all granted
                            Require not host .xx
                            Require not env BlockCountry
                    </RequireAll>
                    <RequireAny>
                            Require local
                            Include "/etc/httpd/conf/permited-ip.include"
                    </RequireAny>
            </RequireAny>
     </Directory>

Plus the configuration for the directory with AuthBasic .htaccess:

    <Directory /var/www/www-root/dirwithauthbasic>
        <RequireAll>
            <RequireAny>
                <RequireAll>
                    Require all granted
                    Require not host .xx
                    Require not env BlockCountry
                </RequireAll>
                <RequireAny>
                    Require local
                    Include "/etc/httpd/conf/permited-ip.include"
                </RequireAny>
            </RequireAny>
            Require valid-user
        </RequireAll>
    </Directory>

Sorry for the messed-up format.
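
Added example, not part of the original question or answer: by default (`AuthMerging Off`) a section's `Require` directives replace those of the sections merged before it, and `<Location>` sections are merged after `<Directory>` sections and `.htaccess` files. The configuration below keeps the geo/IP policy in a single `<Directory>` block and uses `AuthMerging And` in the `.htaccess` so the login is combined with that policy; the `AllowOverride AuthConfig` line is an assumption about the server setup.

```apache
# Added example; paths, BlockCountry and the include file are from the post.

# --- httpd.conf: geo/IP policy defined once for the whole docroot ---
<Directory "/var/www/www-root">
    # Assumption: .htaccess files may set auth directives here.
    AllowOverride AuthConfig
    <RequireAny>
        <RequireAll>
            Require all granted
            Require not host .xx
            Require not env BlockCountry
        </RequireAll>
        <RequireAny>
            Require local
            Include "/etc/httpd/conf/permited-ip.include"
        </RequireAny>
    </RequireAny>
</Directory>

# --- /var/www/www-root/dirwithauthbasic/.htaccess ---
# Without AuthMerging, this file's Require would replace the policy above
# (default "AuthMerging Off"), so a login alone would admit blocked countries.
# "And" combines both as if they were wrapped in one <RequireAll>.
AuthMerging And
AuthName "members"
AuthType Basic
AuthBasicProvider file
# Relative paths resolve against ServerRoot, not this directory.
AuthUserFile ./data/.htpasswd
Require valid-user
```

Setting `LogLevel authz_core:debug` makes the error log show the result of each `Require` directive evaluated for a request, which confirms how the sections were merged.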
