[gentoo-user] Restrict certain web users by IP

[gentoo-user] Restrict certain web users by IP

[Grant]

[-- Attachment #1: Type: text/plain, Size: 311 bytes --]

I use apache2 authentication for web users and I would like to require
logins from certain users to be from a certain IP address.  I experimented
with Allow and Require but couldn't find a way to restrict only certain
users.  Can this be done via apache2 authentication or should I use another
method?

- Grant

[-- Attachment #2: Type: text/html, Size: 342 bytes --]

Re: [gentoo-user] Restrict certain web users by IP

[Joseph]

On 11/28/12 16:34, Grant wrote:
>   I use apache2 authentication for web users and I would like to require
>   logins from certain users to be from a certain IP address.  I
>   experimented with Allow and Require but couldn't find a way to restrict
>   only certain users.  Can this be done via apache2 authentication or
>   should I use another method?
>
>   - Grant

very simple via .htaccess

<Limit GET POST>
order deny,allow
deny from all
allow from IP_address
</Limit>

AuthName "restricted stuff"
AuthType Basic
AuthUserFile /etc/apache2/users
require user webmaster

-- 
Joseph

Re: [gentoo-user] Restrict certain web users by IP

[Grant]

[-- Attachment #1: Type: text/plain, Size: 798 bytes --]

>>   I use apache2 authentication for web users and I would like to require
>>   logins from certain users to be from a certain IP address.  I
>>   experimented with Allow and Require but couldn't find a way to restrict
>>   only certain users.  Can this be done via apache2 authentication or
>>   should I use another method?
>>
>>   - Grant
>
>
> very simple via .htaccess
>
> <Limit GET POST>
> order deny,allow
> deny from all
> allow from IP_address
> </Limit>
>
> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile /etc/apache2/users
> require user webmaster

I think that will require any usernames specified to come from IP_address.
 I'm trying to allow certain usernames to come from any IP, and restrict
other usernames to a certain IP.  Can that be done via .htaccess?

- Grant

[-- Attachment #2: Type: text/html, Size: 1022 bytes --]

Re: [gentoo-user] Restrict certain web users by IP

[Joseph]

On 11/28/12 20:10, Grant wrote:
>   >>   I use apache2 authentication for web users and I would like to
>   require
>   >>   logins from certain users to be from a certain IP address.  I
>   >>   experimented with Allow and Require but couldn't find a way to
>   restrict
>   >>   only certain users.  Can this be done via apache2 authentication
>   or
>   >>   should I use another method?
>   >>
>   >>   - Grant
>   >
>   >
>   > very simple via .htaccess
>   >
>   > <Limit GET POST>
>   > order deny,allow
>   > deny from all
>   > allow from IP_address
>   > </Limit>
>   >
>   > AuthName "restricted stuff"
>   > AuthType Basic
>   > AuthUserFile /etc/apache2/users
>   > require user webmaster
>
>   I think that will require any usernames specified to come from
>   IP_address.  I'm trying to allow certain usernames to come from any IP,
>   and restrict other usernames to a certain IP.  Can that be done via
>   .htaccess?
>
>   - Grant

You originally wanted "...logins from certain users to be from a certain IP address"
Now, you want from "any IP" 
In this case just restrict users with:

  AuthName "restricted stuff"
  AuthType Basic
  AuthUserFile /etc/apache2/users
  require user webmaster

Just assign "password and user" from root:
# htpasswd2 -c /etc/apache2/users your-user-name

-- 
Joseph

Re: [gentoo-user] Restrict certain web users by IP

[Grant]

[-- Attachment #1: Type: text/plain, Size: 1659 bytes --]

>>   >>   I use apache2 authentication for web users and I would like to
>>   require
>>   >>   logins from certain users to be from a certain IP address.  I
>>   >>   experimented with Allow and Require but couldn't find a way to
>>   restrict
>>   >>   only certain users.  Can this be done via apache2 authentication
>>   or
>>   >>   should I use another method?
>>   >>
>>   >>   - Grant
>>   >
>>   >
>>   > very simple via .htaccess
>>   >
>>   > <Limit GET POST>
>>   > order deny,allow
>>   > deny from all
>>   > allow from IP_address
>>   > </Limit>
>>   >
>>   > AuthName "restricted stuff"
>>   > AuthType Basic
>>   > AuthUserFile /etc/apache2/users
>>   > require user webmaster
>>
>>   I think that will require any usernames specified to come from
>>   IP_address.  I'm trying to allow certain usernames to come from any IP,
>>   and restrict other usernames to a certain IP.  Can that be done via
>>   .htaccess?
>>
>>   - Grant
>
>
> You originally wanted "...logins from certain users to be from a certain
IP address"
> Now, you want from "any IP" In this case just restrict users with:
>
>
>  AuthName "restricted stuff"
>  AuthType Basic
>  AuthUserFile /etc/apache2/users
>  require user webmaster
>
> Just assign "password and user" from root:
> # htpasswd2 -c /etc/apache2/users your-user-name

I'm sorry I haven't been clear about this.  Sometimes an example is the
best way.

I want users jack and jill to be able to access the web content from any IP
address, and I want users john and jacob to be able to access the web
content only if they are coming from a certain IP address.  I don't want
anyone else to have access.

- Grant

[-- Attachment #2: Type: text/html, Size: 2261 bytes --]

Re: [gentoo-user] Restrict certain web users by IP

[Alan McKinnon]

On Thu, 29 Nov 2012 11:55:17 -0800
Grant <emailgrant@gmail.com> wrote:

> >>   >>   I use apache2 authentication for web users and I would like
> >>   >> to
> >>   require
> >>   >>   logins from certain users to be from a certain IP address.
> >>   >> I experimented with Allow and Require but couldn't find a way
> >>   >> to
> >>   restrict
> >>   >>   only certain users.  Can this be done via apache2
> >>   >> authentication
> >>   or
> >>   >>   should I use another method?
> >>   >>
> >>   >>   - Grant
> >>   >
> >>   >
> >>   > very simple via .htaccess
> >>   >
> >>   > <Limit GET POST>
> >>   > order deny,allow
> >>   > deny from all
> >>   > allow from IP_address
> >>   > </Limit>
> >>   >
> >>   > AuthName "restricted stuff"
> >>   > AuthType Basic
> >>   > AuthUserFile /etc/apache2/users
> >>   > require user webmaster
> >>
> >>   I think that will require any usernames specified to come from
> >>   IP_address.  I'm trying to allow certain usernames to come from
> >> any IP, and restrict other usernames to a certain IP.  Can that be
> >> done via .htaccess?
> >>
> >>   - Grant
> >
> >
> > You originally wanted "...logins from certain users to be from a
> > certain
> IP address"
> > Now, you want from "any IP" In this case just restrict users with:
> >
> >
> >  AuthName "restricted stuff"
> >  AuthType Basic
> >  AuthUserFile /etc/apache2/users
> >  require user webmaster
> >
> > Just assign "password and user" from root:
> > # htpasswd2 -c /etc/apache2/users your-user-name
> 
> I'm sorry I haven't been clear about this.  Sometimes an example is
> the best way.
> 
> I want users jack and jill to be able to access the web content from
> any IP address, and I want users john and jacob to be able to access
> the web content only if they are coming from a certain IP address.  I
> don't want anyone else to have access.
> 
> - Grant

Run two vhosts that deliver the same content from the same DocumentRoot

One has jack and jill as users in htpasswd with no acls in place
The other has john and jacob as users in a different htpasswd with IP
acls in place

Trying to specify access rules to a group of users and not to other
users all in the same context is a problem that will drive you nuts in a
day. Rather side-step it entirely by applying your rules globaly to two
different things.

-- 
Alan McKinnon
alan.mckinnon@gmail.com

Re: [gentoo-user] Restrict certain web users by IP

[Joseph]

On 11/29/12 11:55, Grant wrote:
>   > You originally wanted "...logins from certain users to be from a
>   certain IP address"
>   > Now, you want from "any IP" In this case just restrict users with:
>   >
>   >
>   >  AuthName "restricted stuff"
>   >  AuthType Basic
>   >  AuthUserFile /etc/apache2/users
>   >  require user webmaster
>   >
>   > Just assign "password and user" from root:
>   > # htpasswd2 -c /etc/apache2/users your-user-name
>
>   I'm sorry I haven't been clear about this.  Sometimes an example is the
>   best way.
>
>   I want users jack and jill to be able to access the web content from
>   any IP address, and I want users john and jacob to be able to access
>   the web content only if they are coming from a certain IP address.  I
>   don't want anyone else to have access.
>
>   - Grant

For this I think you need to use IPtables, apache will not filter outgoing traffic. 

-- 
Joseph

Re: [gentoo-user] Restrict certain web users by IP

[Grant]

[-- Attachment #1: Type: text/plain, Size: 972 bytes --]

> > I want users jack and jill to be able to access the web content from
> > any IP address, and I want users john and jacob to be able to access
> > the web content only if they are coming from a certain IP address.  I
> > don't want anyone else to have access.
> >
> > - Grant
>
> Run two vhosts that deliver the same content from the same DocumentRoot
>
> One has jack and jill as users in htpasswd with no acls in place
> The other has john and jacob as users in a different htpasswd with IP
> acls in place
>
> Trying to specify access rules to a group of users and not to other
> users all in the same context is a problem that will drive you nuts in a
> day. Rather side-step it entirely by applying your rules globaly to two
> different things.

So I'm sure I understand, if I want to keep the IP address which accesses
the web content the same, this means setting up a vhost for a port other
than 80 and 443 which the other vhosts are already set up on?

- Grant

[-- Attachment #2: Type: text/html, Size: 1147 bytes --]

Re: [gentoo-user] Restrict certain web users by IP

[Adam Carter]

[-- Attachment #1: Type: text/plain, Size: 439 bytes --]

>
>
> So I'm sure I understand, if I want to keep the IP address which accesses
> the web content the same, this means setting up a vhost for a port other
> than 80 and 443 which the other vhosts are already set up on?
>

No, vhosts can use http host headers, so you just need a second dns entry
pointing to the same ip address. The browser will include the hostname in
its request and apache will use it to decide which content to serve.

[-- Attachment #2: Type: text/html, Size: 602 bytes --]

Re: [gentoo-user] Restrict certain web users by IP

[Michael Orlitzky]

On 11/29/2012 03:43 PM, Alan McKinnon wrote:
> 
> Run two vhosts that deliver the same content from the same DocumentRoot
> 
> One has jack and jill as users in htpasswd with no acls in place
> The other has john and jacob as users in a different htpasswd with IP
> acls in place
> 
> Trying to specify access rules to a group of users and not to other
> users all in the same context is a problem that will drive you nuts in a
> day. Rather side-step it entirely by applying your rules globaly to two
> different things.
> 

You can probably accomplish the same with path aliases and <Location>
restrictions. Untested:

  Alias /jackjill /var/www/your-stuff
  Alias /johnjacob /var/www/your-stuff

  <Location /jackjill>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/www/jackjill.passwd
    Require valid-user
    Allow from <jack-ip>
    Allow from <jill-ip>
    Deny from all
  </Location>

  <Location /johnjacob>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/www/johnjacob.passwd
    Require valid-user
  </Location>


I tried to come up with a less stupid way; I don't think there is one.

Re: [gentoo-user] Restrict certain web users by IP

[Alan McKinnon]

On Thu, 29 Nov 2012 15:36:51 -0800
Grant <emailgrant@gmail.com> wrote:

> > > I want users jack and jill to be able to access the web content
> > > from any IP address, and I want users john and jacob to be able
> > > to access the web content only if they are coming from a certain
> > > IP address.  I don't want anyone else to have access.
> > >
> > > - Grant
> >
> > Run two vhosts that deliver the same content from the same
> > DocumentRoot
> >
> > One has jack and jill as users in htpasswd with no acls in place
> > The other has john and jacob as users in a different htpasswd with
> > IP acls in place
> >
> > Trying to specify access rules to a group of users and not to other
> > users all in the same context is a problem that will drive you nuts
> > in a day. Rather side-step it entirely by applying your rules
> > globaly to two different things.
> 
> So I'm sure I understand, if I want to keep the IP address which
> accesses the web content the same, this means setting up a vhost for
> a port other than 80 and 443 which the other vhosts are already set
> up on?

No need for that, use name-based vhosting:

the same IP, port and Apache instance, with different names in DNS the
return the same IP. Apache can tell them apart based on the site name in
the HTTP request and keeps the config separate with the
<NameVirtualHost> directive.

I don't know what sort of scale you are working at, if it's two users
or many more. I have to deal with the same sort of thing in a
corporate setting (not necessarily web sites) often for 50 or more
users and that's how I would do it.

Just a tip though: many times when I ponder complex access control
systems I find out at the end that I'm just being really silly and
don't actually need it. If I can't trust a user to behave outside of
office hours that often means I can't trust them at all and they get no
access :-)  By all means continue with your original post if that's
what you need but in your shoes I'd first be proving to myself it
really is what I need (rather than what I think I want)

-- 
Alan McKinnon
alan.mckinnon@gmail.com

Re: [gentoo-user] Restrict certain web users by IP

[Grant]

[-- Attachment #1: Type: text/plain, Size: 1500 bytes --]

> > Run two vhosts that deliver the same content from the same DocumentRoot
> >
> > One has jack and jill as users in htpasswd with no acls in place
> > The other has john and jacob as users in a different htpasswd with IP
> > acls in place
> >
> > Trying to specify access rules to a group of users and not to other
> > users all in the same context is a problem that will drive you nuts in a
> > day. Rather side-step it entirely by applying your rules globaly to two
> > different things.
> >
>
> You can probably accomplish the same with path aliases and <Location>
> restrictions. Untested:
>
>   Alias /jackjill /var/www/your-stuff
>   Alias /johnjacob /var/www/your-stuff
>
>   <Location /jackjill>
>     AuthType Basic
>     AuthName "Restricted"
>     AuthUserFile /var/www/jackjill.passwd
>     Require valid-user
>     Allow from <jack-ip>
>     Allow from <jill-ip>
>     Deny from all
>   </Location>
>
>   <Location /johnjacob>
>     AuthType Basic
>     AuthName "Restricted"
>     AuthUserFile /var/www/johnjacob.passwd
>     Require valid-user
>   </Location>

I like this idea since it means I don't need to mess with another domain
name.  The only problem I'm running into is one of the applications on the
server doesn't work with www.example.com/jackjill/app, it only works with
www.example.com/app.  I set up a RewriteRule to rewrite /jackjill/app to
/app, and that makes the application work, but then <Location /jackjill>
doesn't work.  Is there any way around this?

- Grant

[-- Attachment #2: Type: text/html, Size: 1963 bytes --]

Re: [gentoo-user] Restrict certain web users by IP

[Michael Orlitzky]

On 11/30/12 03:37, Grant wrote:
> 
> I like this idea since it means I don't need to mess with another domain
> name.  The only problem I'm running into is one of the applications on
> the server doesn't work with www.example.com/jackjill/app
> <http://www.example.com/jackjill/app>, it only works with
> www.example.com/app <http://www.example.com/app>.  I set up a
> RewriteRule to rewrite /jackjill/app to /app, and that makes the
> application work, but then <Location /jackjill> doesn't work.  Is there
> any way around this?
> 

Fix the app =)

If that's not possible, the vhost solution may be the simplest solution.
You're allowed to mangle environment variables with each rewrite rule --
that might allow you to chain together your restrictions, but it would
be ugly.

  http://jackjill.example.com/app
  http://johnjacob.example.com/app

Seem like a good idea at that point.

Re: [gentoo-user] Restrict certain web users by IP

[Grant]

[-- Attachment #1: Type: text/plain, Size: 595 bytes --]

> > I like this idea since it means I don't need to mess with another domain
> > name.  The only problem I'm running into is one of the applications on
> > the server doesn't work with www.example.com/jackjill/app
> > <http://www.example.com/jackjill/app>, it only works with
> > www.example.com/app <http://www.example.com/app>.  I set up a
> > RewriteRule to rewrite /jackjill/app to /app, and that makes the
> > application work, but then <Location /jackjill> doesn't work.  Is there
> > any way around this?
> >
>
> Fix the app =)

Fixed! :)

Thanks to all for your help with this.

- Grant

[-- Attachment #2: Type: text/html, Size: 966 bytes --]