Date: Thu, 29 Nov 2012 22:43:38 +0200
From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Cc: emailgrant@gmail.com
Subject: Re: [gentoo-user] Restrict certain web users by IP

On Thu, 29 Nov 2012 11:55:17 -0800
Grant wrote:

> >> >> I use apache2 authentication for web users and I would like to require
> >> >> logins from certain users to be from a certain IP address.
> >> >> I experimented with Allow and Require but couldn't find a way to restrict
> >> >> only certain users. Can this be done via apache2 authentication or
> >> >> should I use another method?
> >> >>
> >> >> - Grant
> >> >
> >> >
> >> > very simple via .htaccess
> >> >
> >> >
> >> > order deny,allow
> >> > deny from all
> >> > allow from IP_address
> >> >
> >> >
> >> > AuthName "restricted stuff"
> >> > AuthType Basic
> >> > AuthUserFile /etc/apache2/users
> >> > require user webmaster
> >>
> >> I think that will require any usernames specified to come from
> >> IP_address. I'm trying to allow certain usernames to come from
> >> any IP, and restrict other usernames to a certain IP. Can that be
> >> done via .htaccess?
> >>
> >> - Grant
> >
> >
> > You originally wanted "...logins from certain users to be from a certain IP address"
> > Now, you want from "any IP" In this case just restrict users with:
> >
> >
> > AuthName "restricted stuff"
> > AuthType Basic
> > AuthUserFile /etc/apache2/users
> > require user webmaster
> >
> > Just assign "password and user" from root:
> > # htpasswd2 -c /etc/apache2/users your-user-name
>
> I'm sorry I haven't been clear about this. Sometimes an example is
> the best way.
>
> I want users jack and jill to be able to access the web content from
> any IP address, and I want users john and jacob to be able to access
> the web content only if they are coming from a certain IP address. I
> don't want anyone else to have access.
>
> - Grant

Run two vhosts that deliver the same content from the same DocumentRoot

One has jack and jill as users in htpasswd with no acls in place
The other has john and jacob as users in a different htpasswd with IP
acls in place

Trying to specify access rules to a group of users and not to other
users all in the same context is a problem that will drive you nuts in
a day. Rather side-step it entirely by applying your rules globally to
two different things.

-- 
Alan McKinnon
alan.mckinnon@gmail.com
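
Added example, not part of Alan McKinnon's message: a sketch of the two-vhost layout he describes, written in the Apache 2.2 syntax used in the quoted .htaccess. The hostnames, the DocumentRoot, the two password file names and the address 192.0.2.10 are assumptions chosen for illustration.

```apache
# Constructed example: hostnames, paths and 192.0.2.10 are placeholders.
# Apache 2.2 syntax (Order/Allow/Deny), as in the directives quoted in the thread.
NameVirtualHost *:80

# Vhost 1: jack and jill, any source address.
<VirtualHost *:80>
    ServerName open.example.org
    DocumentRoot /var/www/shared

    <Directory /var/www/shared>
        # Keep a stray .htaccess in the shared tree from overriding these rules
        AllowOverride None
        Order allow,deny
        Allow from all

        AuthType Basic
        AuthName "restricted stuff"
        # This file contains only jack and jill
        AuthUserFile /etc/apache2/users-anyip
        Require valid-user
    </Directory>
</VirtualHost>

# Vhost 2: john and jacob, one source address only.
<VirtualHost *:80>
    ServerName fixed.example.org
    DocumentRoot /var/www/shared

    <Directory /var/www/shared>
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 192.0.2.10

        AuthType Basic
        AuthName "restricted stuff"
        # This file contains only john and jacob
        AuthUserFile /etc/apache2/users-fixedip
        Require valid-user
        # Both the address check and the login must pass (the 2.2 default, made explicit)
        Satisfy All
    </Directory>
</VirtualHost>
```

The restriction on john and jacob holds only while the two password files stay disjoint: if either of them is ever added to the first file, he can log in through the open vhost from any address.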