From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 30 Nov 2012 08:57:21 +0200
From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Restrict certain web users by IP
Message-ID: <20121130085721.3f9ef936@khamul.example.com>
References: <20121129013519.GA14272@syscon7.inet> <20121129175559.GB14272@syscon7.inet> <20121129224338.7a18e0d5@khamul.example.com>
Organization: Internet Solutions
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.13; x86_64-pc-linux-gnu)
List-Id: Gentoo Linux mail

On Thu, 29 Nov 2012 15:36:51 -0800
Grant wrote:

> > > I want users jack and jill to be able to access the web content
> > > from any IP address, and I want users john and jacob to be able
> > > to access the web content only if they are coming from a certain
> > > IP address. I don't want anyone else to have access.
> > >
> > > - Grant
> >
> > Run two vhosts that deliver the same content from the same
> > DocumentRoot
> >
> > One has jack and jill as users in htpasswd with no acls in place
> > The other has john and jacob as users in a different htpasswd with
> > IP acls in place
> >
> > Trying to specify access rules to a group of users and not to other
> > users all in the same context is a problem that will drive you nuts
> > in a day. Rather side-step it entirely by applying your rules
> > globally to two different things.
>
> So I'm sure I understand, if I want to keep the IP address which
> accesses the web content the same, this means setting up a vhost for
> a port other than 80 and 443 which the other vhosts are already set
> up on?

No need for that, use name-based vhosting: the same IP, port and
Apache instance, with different names in DNS that return the same IP.
Apache can tell them apart based on the site name in the HTTP request
and keeps the config separate with the directive.

I don't know what sort of scale you are working at, if it's two users
or many more. I have to deal with the same sort of thing in a
corporate setting (not necessarily web sites) often for 50 or more
users and that's how I would do it.

Just a tip though: many times when I ponder complex access control
systems I find out at the end that I'm just being really silly and
don't actually need it. If I can't trust a user to behave outside of
office hours that often means I can't trust them at all and they get
no access :-)

By all means continue with your original post if that's what you need
but in your shoes I'd first be proving to myself it really is what I
need (rather than what I think I want)

-- 
Alan McKinnon
alan.mckinnon@gmail.com
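The two-vhost layout described above, written out as Apache 2.4 configuration. This is an added illustration, not configuration from Alan's mail or from the thread; the host names open.example.com and office.example.com, the DocumentRoot, the two htpasswd file paths, and the 192.0.2.0/24 "office" range are all placeholders chosen for the example. Both names resolve in DNS to the same server address; Apache selects the vhost from the Host header and applies only that vhost's auth rules.

```apache
# Added example (Apache 2.4 syntax: mod_authz_core / mod_authz_host).
# Assumed: both names resolve to this server, content lives in one
# shared DocumentRoot, and the two htpasswd files hold disjoint users.

# Default vhost. The first <VirtualHost> for an address:port pair is
# what Apache serves when the Host header matches no ServerName (for
# example a request sent to the raw IP). Deny everything here so that
# nobody reaches the content without going through a named vhost.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# vhost 1: jack and jill, any source address.
# /etc/apache2/htpasswd-open contains only jack and jill.
<VirtualHost *:80>
    ServerName open.example.com
    DocumentRoot /var/www/shared

    <Directory /var/www/shared>
        AuthType Basic
        AuthName "Restricted content"
        AuthUserFile /etc/apache2/htpasswd-open
        Require valid-user
    </Directory>
</VirtualHost>

# vhost 2: john and jacob, only from the office range.
# /etc/apache2/htpasswd-office contains only john and jacob.
# <RequireAll> makes both conditions mandatory: a valid login from
# outside 192.0.2.0/24 is refused, and so is an anonymous request
# from inside it.
<VirtualHost *:80>
    ServerName office.example.com
    DocumentRoot /var/www/shared

    <Directory /var/www/shared>
        AuthType Basic
        AuthName "Restricted content"
        AuthUserFile /etc/apache2/htpasswd-office
        <RequireAll>
            Require valid-user
            Require ip 192.0.2.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
```

The password files are created with the stock tool, e.g. `htpasswd -c /etc/apache2/htpasswd-open jack` followed by `htpasswd /etc/apache2/htpasswd-open jill`, and likewise for the office file, so "anyone else" simply has no entry anywhere. Because Basic auth sends credentials in the clear, the same two blocks belong on `*:443` with the usual SSL directives in practice; the auth sections are unchanged there. If the server sits behind a reverse proxy, `Require ip` sees the proxy's address rather than the client's, and mod_remoteip has to be configured before the IP rule means anything.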