7

Apache 2.4 seems to mixed all: IP denying and user denying are not working independent anymore..

In older versions I am able to enable the two things, and work with it without one affecting the other, for example:

deny from all
allow from ip1
allow from ip2

In apache2.4 the equivalent is:

require ip ip1
require ip ip2

Until this point, all is good.

But when you have htacess+htpasswd in your website, the behavior is not as you expected because it thinks that the required ips are trusted to enter without password, anulating the .htaccess, and even worst, ips out of the desired list are able thanks to .htaccess to try to login with a password and that is not what Apache 2.2 do!

In the ancient Apache the hosts on allow from are the only that can try to authenticate... and even if they are allowed, it still will need a password from .htaccess to open the website.

I am able to workaround the behavior using the mod_acess_compat for now... but I think this is not a solution, as I am using the ancient commands on the Apache 2.4... and I am afraid about some unexpected behavior or the deprecation of this module...

Gerrit Griebel
  • 129
  • 5
Luciano Andress Martini
  • 6,628

1 Answers1

14

It sounds like what you want would be something like this:

<RequireAll>
    <RequireAny>
        Require ip ip1
        Require ip ip2
     </RequireAny>
    Require valid-user
</RequireAll>
Gerrit Griebel
  • 129
  • 5
Shadur-don't-feed-the-AI
  • 31,260
  • ... In that case, please try to reword your question, because if this isn't the correct answer then I'm no longer sure if I've understood your question correctly. You can use any combination of RequireAll and RequireAny directives nested in order to get what you want, but I recommend not using more than once source for auth -- either in the virtualhost stanza, or in a .htaccess. – Shadur-don't-feed-the-AI Dec 27 '17 at 20:18
  • In that case you'd want both. A RequireAny for the list of IPs, nested within a RequireAll together with a valid-user. – Shadur-don't-feed-the-AI Dec 28 '17 at 11:21
  • Thank you very much, i will give a try, with that example, is more easy for me a not english speaker understand how require all and require any works, because for me any and all are very close words... when i try to translate it... using a dictionary for example.... but i think i understand the difference now, require any is very like to have a or condition beetween the requirements and require all a and condition beetween the requirements. – Luciano Andress Martini Dec 28 '17 at 11:24
  • A better and more correctly formatted answer here https://stackoverflow.com/a/35599844/47680. – Artem Russakovskii Jan 27 '21 at 15:26
  • 1
    @LucianoAndressMartini This is a great answer, thanks a million. – jiraiya Oct 26 '21 at 14:03