public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] apache 2.4 - deny access to directory
@ 2020-11-29  7:30 thelma
  2020-11-29 10:22 ` Michael
  0 siblings, 1 reply; 13+ messages in thread
From: thelma @ 2020-11-29  7:30 UTC (permalink / raw
  To: Gentoo mailing list

I'm trying to deny access to all except specific IP address in a
directory, just testing it.

In modules.d/00_default_settings.conf

<Directory "/var/www/localhost/htdocs">
	Options MultiViews
	AllowOverride All
	Require all granted
</Directory>

in admin/.htaccess

<RequireAll>
    Require all denied
    Require ip 10.0.0.100
</RequireAll>

My IP is 10.0.0.112 and I can still access the server /admin directory

What am I missing?
-- 
Thelma


^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-29  7:30 [gentoo-user] apache 2.4 - deny access to directory thelma
@ 2020-11-29 10:22 ` Michael
  2020-11-29 18:22   ` thelma
  0 siblings, 1 reply; 13+ messages in thread
From: Michael @ 2020-11-29 10:22 UTC (permalink / raw
  To: gentoo-user


On Sunday, 29 November 2020 07:30:16 GMT thelma@sys-concept.com wrote:
> I'm trying to deny access to all except specific IP address in a
> directory, just testing it.
> 
> In modules.d/00_default_settings.conf
> 
> <Directory "/var/www/localhost/htdocs">
> 	Options MultiViews
> 	AllowOverride All
> 	Require all granted
> </Directory>
> 
> in admin/.htaccess
> 
> <RequireAll>
>     Require all denied
>     Require ip 10.0.0.100
> </RequireAll>
> 
> My IP is 10.0.0.112 and I can still access the server /admin directory
> 
> What am I missing?

In apache 2.4 the access control syntax has changed.  The RequireAll directive 
means *all* authorisation directives within it must succeed.

https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall

What happens if you just remove the first line, "Require all denied"?






* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-29 10:22 ` Michael
@ 2020-11-29 18:22   ` thelma
  2020-11-30 12:34     ` Michael
  0 siblings, 1 reply; 13+ messages in thread
From: thelma @ 2020-11-29 18:22 UTC (permalink / raw
  To: gentoo-user




Thelma
On 11/29/2020 03:22 AM, Michael wrote:
> On Sunday, 29 November 2020 07:30:16 GMT thelma@sys-concept.com wrote:
>> I'm trying to deny access to all except specific IP address in a
>> directory, just testing it.
>>
>> In modules.d/00_default_settings.conf
>>
>> <Directory "/var/www/localhost/htdocs">
>> 	Options MultiViews
>> 	AllowOverride All
>> 	Require all granted
>> </Directory>
>>
>> in admin/.htaccess
>>
>> <RequireAll>
>>     Require all denied
>>     Require ip 10.0.0.100
>> </RequireAll>
>>
>> My IP is 10.0.0.112 and I can still access the server /admin directory
>>
>> What am I missing?
> 
> In apache 2.4 the access control syntax has changed.  The RequireAll directive 
> means *all* authorisation directives within it must succeed.
> 
> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
> 
> What happens if you just remove the first line, "Require all denied"?

As you suggested I have:
in admin/.htaccess

<RequireAll>
    Require ip 10.0.0.100
</RequireAll>

My IP is: 10.0.0.112 and it still allows me to access it.  I know Apache
2.4 is reading the file as the below directive works.

AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
require user webmaster

I've tried adding
RewriteEngine on

With it, I can not login at all (access denied) regardless of IP.





* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-29 18:22   ` thelma
@ 2020-11-30 12:34     ` Michael
  2020-11-30 18:09       ` thelma
  2020-11-30 19:41       ` thelma
  0 siblings, 2 replies; 13+ messages in thread
From: Michael @ 2020-11-30 12:34 UTC (permalink / raw
  To: gentoo-user


On Sunday, 29 November 2020 18:22:09 GMT thelma@sys-concept.com wrote:
> Thelma
> 
> On 11/29/2020 03:22 AM, Michael wrote:
> > On Sunday, 29 November 2020 07:30:16 GMT thelma@sys-concept.com wrote:
> >> I'm trying to deny access to all except specific IP address in a
> >> directory, just testing it.
> >> 
> >> In modules.d/00_default_settings.conf
> >> 
> >> <Directory "/var/www/localhost/htdocs">
> >> 
> >> 	Options MultiViews
> >> 	AllowOverride All
> >> 	Require all granted
> >> 
> >> </Directory>
> >> 
> >> in admin/.htaccess
> >> 
> >> <RequireAll>
> >> 
> >>     Require all denied
> >>     Require ip 10.0.0.100
> >> 
> >> </RequireAll>
> >> 
> >> My IP is 10.0.0.112 and I can still access the server /admin directory
> >> 
> >> What am I missing?
> > 
> > In apache 2.4 the access control syntax has changed.  The RequireAll
> > directive means *all* authorisation directives within it must succeed.
> > 
> > https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
> > 
> > What happens if you just remove the first line, "Require all denied"?
> 
> As you suggested I have:
> in admin/.htaccess
> 
> <RequireAll>
>     Require ip 10.0.0.100
> </RequireAll>
> 
> My IP is: 10.0.0.112 and it still allows me to access it.  I know Apache
> 2.4 is reading the file as the below directive works.

I've tested different RequireAll directives in a .htaccess file and with 
otherwise default apache settings I can confirm:

This is correct:
=========================
<RequireAll>
    Require ip 10.0.0.100
</RequireAll>
=========================
will only allow visitors from 10.0.0.100 to access the directory content.

This is also correct:
=========================
<RequireAll>
    Require all granted
    Require ip 10.0.0.100
</RequireAll>
=========================
will only allow visitors from 10.0.0.100 to access the directory content.

Finally, this won't work:
=========================
<RequireAll>
    Require all denied
    Require ip 10.0.0.100
</RequireAll>
=========================
because it returns 403 for all clients irrespective of IP address, since both 
subdirectives must be correct for the RequireAll to be true.

I notice you have 'Options MultiViews' in your modules.d/
00_default_settings.conf, which will parse paths to find and serve any file 
requested by the client even if the URL is not complete.  It might be this 
conflicts with your .htaccess within admin/ subdirectory, but I'm not sure.  
Something in apache logs may shed light on this.


> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile "/etc/apache2/users"
> require user webmaster
> 
> I've tried adding
> RewriteEngine on
> 
> With it, I can not login at all (access denied) regardless of IP.

With apache 2.4 a new <If> directive was added to perform conditional checks 
and replace/augment many of the mod_rewrite functionalities.  I don't know how 
you have structured your RewriteCond and RewriteRule, but obviously they don't 
work as intended if they totally block access.

You could check conflicting rules between your apache config and any .htaccess 
directives, or any loose and contradictory .htaccess files in higher 
subdirectories.



* [gentoo-user] apache 2.4 - deny access to directory
  2020-11-30 12:34     ` Michael
@ 2020-11-30 18:09       ` thelma
  2020-11-30 19:43         ` Michael
  2020-11-30 19:41       ` thelma
  1 sibling, 1 reply; 13+ messages in thread
From: thelma @ 2020-11-30 18:09 UTC (permalink / raw
  To: gentoo-user

On 11/30/2020 05:34 AM, Michael wrote:
> On Sunday, 29 November 2020 18:22:09 GMT thelma@sys-concept.com wrote:
>> Thelma
>>
>> On 11/29/2020 03:22 AM, Michael wrote:
>>> On Sunday, 29 November 2020 07:30:16 GMT thelma@sys-concept.com wrote:
>>>> I'm trying to deny access to all except specific IP address in a
>>>> directory, just testing it.
>>>>
>>>> In modules.d/00_default_settings.conf
>>>>
>>>> <Directory "/var/www/localhost/htdocs">
>>>>
>>>> 	Options MultiViews
>>>> 	AllowOverride All
>>>> 	Require all granted
>>>>
>>>> </Directory>
>>>>
>>>> in admin/.htaccess
>>>>
>>>> <RequireAll>
>>>>
>>>>     Require all denied
>>>>     Require ip 10.0.0.100
>>>>
>>>> </RequireAll>
>>>>
>>>> My IP is 10.0.0.112 and I can still access the server /admin directory
>>>>
>>>> What am I missing?
>>>
>>> In apache 2.4 the access control syntax has changed.  The RequireAll
>>> directive means *all* authorisation directives within it must succeed.
>>>
>>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
>>>
>>> What happens if you just remove the first line, "Require all denied"?
>>
>> As you suggested I have:
>> in admin/.htaccess
>>
>> <RequireAll>
>>     Require ip 10.0.0.100
>> </RequireAll>
>>
>> My IP is: 10.0.0.112 and it still allows me to access it.  I know Apache
>> 2.4 is reading the file as the below directive works.
> 
> I've tested different RequireAll directives in a .htaccess file and with 
> otherwise default apache settings I can confirm:
> 
> This is correct:
> =========================
> <RequireAll>
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> will only allow visitors from 10.0.0.100 to access the directory content.
> 
> This is also correct:
> =========================
> <RequireAll>
>     Require all granted
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> will only allow visitors from 10.0.0.100 to access the directory content.
> 
> Finally, this won't work:
> =========================
> <RequireAll>
>     Require all denied
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> because it returns 403 for all clients irrespective of IP address, since both 
> subdirectives must be correct for the RequireAll to be true.
> 
> I notice you have 'Options MultiViews' in your modules.d/
> 00_default_settings.conf, which will parse paths to find and serve any file 
> requested by the client even if the URL is not complete.  It might be this 
> conflicts with your .htaccess within admin/ subdirectory, but I'm not sure.  
> Something in apache logs may shed light on this.
> 
> 
>> AuthName "restricted stuff"
>> AuthType Basic
>> AuthUserFile "/etc/apache2/users"
>> require user webmaster
>>
>> I've tried adding
>> RewriteEngine on
>>
>> With it, I can not login at all (access denied) regardless of IP.
> 
> With apache 2.4 a new <If> directive was added to perform conditional checks 
> and replace/augment many of the mod_rewrite functionalities.  I don't know how 
> you have structured your RewriteCond and RewriteRule, but obviously they don't 
> work as intended if they totally block access.
> 
> You could check conflicting rules between your apache config and any .htaccess 
> directives, or any loose and contradictory .htaccess files in higher 
> subdirectories.

Here is complete file:   modules.d/00_default_settings.conf
I've removed 'Options MultiViews' but it didn't help.

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
UseCanonicalName Off
AccessFileName .htaccess
ServerTokens Prod
TraceEnable off
ServerSignature Off
HostnameLookups Off
EnableMMAP On
EnableSendfile Off
FileETag MTime Size
ContentDigest Off
ErrorLog /var/log/apache2/error_log
LogLevel warn

<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory "/var/www/localhost/htdocs">
	AllowOverride All
	Require all granted
</Directory>

<IfModule dir_module>
	DirectoryIndex index.html index.html.var
</IfModule>

<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>

The server root .htaccess is empty
In server root/admin/.htaccess

<RequireAll>
   Require ip 10.0.0.100
</RequireAll>

AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
require user webmaster

My IP is 10.0.0.109 so I should be denied access to admin/index.php but
I'm able to view it/access it.
It seems to me it is reading the .htaccess file as "AuthType Basic" works, it
is asking me for a password, but "Require ip" doesn't work.  Because my
IP is 10.0.0.109 apache should deny me access with "access denied".

It is strange as the directive: "DirectoryIndex index.html
index.html.var" does not include "index.php" and I'm able to access this
file "admin/index.php"
so the index.php must be defined somewhere else. Most likely via httpd.conf:

httpd.conf:75:LoadModule autoindex_module modules/mod_autoindex.so  (but
this is a binary file, can not read it).




* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-30 12:34     ` Michael
  2020-11-30 18:09       ` thelma
@ 2020-11-30 19:41       ` thelma
  1 sibling, 0 replies; 13+ messages in thread
From: thelma @ 2020-11-30 19:41 UTC (permalink / raw
  To: gentoo-user

On 11/30/2020 05:34 AM, Michael wrote:
[snip]
> 
> I've tested different RequireAll directives in a .htaccess file and with 
> otherwise default apache settings I can confirm:
> 
> This is correct:
> =========================
> <RequireAll>
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> will only allow visitors from 10.0.0.100 to access the directory content.
> 
> This is also correct:
> =========================
> <RequireAll>
>     Require all granted
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> will only allow visitors from 10.0.0.100 to access the directory content.
> 
> Finally, this won't work:
> =========================
> <RequireAll>
>     Require all denied
>     Require ip 10.0.0.100
> </RequireAll>
> =========================
> because it returns 403 for all clients irrespective of IP address, since both 
> subdirectives must be correct for the RequireAll to be true.
> 
> I notice you have 'Options MultiViews' in your modules.d/
> 00_default_settings.conf, which will parse paths to find and serve any file 
> requested by the client even if the URL is not complete.  It might be this 
> conflicts with your .htaccess within admin/ subdirectory, but I'm not sure.  
> Something in apache logs may shed light on this.
> 
> 
>> AuthName "restricted stuff"
>> AuthType Basic
>> AuthUserFile "/etc/apache2/users"
>> require user webmaster
>>
>> I've tried adding
>> RewriteEngine on
>>
>> With it, I can not login at all (access denied) regardless of IP.
> 
> With apache 2.4 a new <If> directive was added to perform conditional checks 
> and replace/augment many of the mod_rewrite functionalities.  I don't know how 
> you have structured your RewriteCond and RewriteRule, but obviously they don't 
> work as intended if they totally block access.
> 
> You could check conflicting rules between your apache config and any .htaccess 
> directives, or any loose and contradictory .htaccess files in higher 
> subdirectories.

Partial success. It seems to me .htaccess <RequireAll> needs: <Files *>
to work.
The below works on IP:

<Files *>
    <RequireAll>
        Require ip 10.0.0.109
    </RequireAll>
</Files>

But this below doesn't work.

AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
require user webmaster

It doesn't read "AuthType Basic" it does not ask me for password.
I wish Apache 2.2 was still in portage.



* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-30 18:09       ` thelma
@ 2020-11-30 19:43         ` Michael
  2020-11-30 20:07           ` thelma
  0 siblings, 1 reply; 13+ messages in thread
From: Michael @ 2020-11-30 19:43 UTC (permalink / raw
  To: gentoo-user


I don't have time to look into this in much detail, or test it, but see 
comments below.

On Monday, 30 November 2020 18:09:52 GMT thelma@sys-concept.com wrote:
> On 11/30/2020 05:34 AM, Michael wrote:
> > On Sunday, 29 November 2020 18:22:09 GMT thelma@sys-concept.com wrote:
> >> Thelma
> >> 
> >> On 11/29/2020 03:22 AM, Michael wrote:
> >>> On Sunday, 29 November 2020 07:30:16 GMT thelma@sys-concept.com wrote:
> >>>> I'm trying to deny access to all except specific IP address in a
> >>>> directory, just testing it.
> >>>> 
> >>>> In modules.d/00_default_settings.conf
> >>>> 
> >>>> <Directory "/var/www/localhost/htdocs">
> >>>> 
> >>>> 	Options MultiViews
> >>>> 	AllowOverride All
> >>>> 	Require all granted
> >>>> 
> >>>> </Directory>
> >>>> 
> >>>> in admin/.htaccess
> >>>> 
> >>>> <RequireAll>
> >>>> 
> >>>>     Require all denied
> >>>>     Require ip 10.0.0.100
> >>>> 
> >>>> </RequireAll>
> >>>> 
> >>>> My IP is 10.0.0.112 and I can still access the server /admin directory
> >>>> 
> >>>> What am I missing?
> >>> 
> >>> In apache 2.4 the access control syntax has changed.  The RequireAll
> >>> directive means *all* authorisation directives within it must succeed.
> >>> 
> >>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
> >>> 
> >>> What happens if you just remove the first line, "Require all denied"?
> >> 
> >> As you suggested I have:
> >> in admin/.htaccess
> >> 
> >> <RequireAll>
> >> 
> >>     Require ip 10.0.0.100
> >> 
> >> </RequireAll>
> >> 
> >> My IP is: 10.0.0.112 and it still allows me to access it.  I know Apache
> >> 2.4 is reading the file as the below directive works.
> > 
> > I've tested different RequireAll directives in a .htaccess file and with
> > otherwise default apache settings I can confirm:
> > 
> > This is correct:
> > =========================
> > <RequireAll>
> > 
> >     Require ip 10.0.0.100
> > 
> > </RequireAll>
> > =========================
> > will only allow visitors from 10.0.0.100 to access the directory content.
> > 
> > This is also correct:
> > =========================
> > <RequireAll>
> > 
> >     Require all granted
> >     Require ip 10.0.0.100
> > 
> > </RequireAll>
> > =========================
> > will only allow visitors from 10.0.0.100 to access the directory content.
> > 
> > Finally, this won't work:
> > =========================
> > <RequireAll>
> > 
> >     Require all denied
> >     Require ip 10.0.0.100
> > 
> > </RequireAll>
> > =========================
> > because it returns 403 for all clients irrespective of IP address, since
> > both subdirectives must be correct for the RequireAll to be true.
> > 
> > I notice you have 'Options MultiViews' in your modules.d/
> > 00_default_settings.conf, which will parse paths to find and serve any
> > file
> > requested by the client even if the URL is not complete.  It might be this
> > conflicts with your .htaccess within admin/ subdirectory, but I'm not
> > sure.
> > Something in apache logs may shed light on this.
> > 
> >> AuthName "restricted stuff"
> >> AuthType Basic
> >> AuthUserFile "/etc/apache2/users"
> >> require user webmaster
> >> 
> >> I've tried adding
> >> RewriteEngine on
> >> 
> >> With it, I can not login at all (access denied) regardless of IP.
> > 
> > With apache 2.4 a new <If> directive was added to perform conditional
> > checks and replace/augment many of the mod_rewrite functionalities.  I
> > don't know how you have structured your RewriteCond and RewriteRule, but
> > obviously they don't work as intended if they totally block access.
> > 
> > You could check conflicting rules between your apache config and any
> > .htaccess directives, or any loose and contradictory .htaccess files in
> > higher subdirectories.
> 
> Here is complete file:   modules.d/00_default_settings.conf
> I've removed 'Options MultiViews' but it didn't help.
> 
> Timeout 300
> KeepAlive On
> MaxKeepAliveRequests 100
> KeepAliveTimeout 15
> UseCanonicalName Off
> AccessFileName .htaccess
> ServerTokens Prod
> TraceEnable off
> ServerSignature Off
> HostnameLookups Off
> EnableMMAP On
> EnableSendfile Off
> FileETag MTime Size
> ContentDigest Off
> ErrorLog /var/log/apache2/error_log
> LogLevel warn
> 
> <Directory />
> 	Options FollowSymLinks
> 	AllowOverride None
> 	Require all denied
> </Directory>
> 
> <Directory "/var/www/localhost/htdocs">
> 	AllowOverride All
> 	Require all granted
> </Directory>
> 
> <IfModule dir_module>
> 	DirectoryIndex index.html index.html.var
> </IfModule>
> 
> <FilesMatch "^\.ht">
> 	Require all denied
> </FilesMatch>
> 
> The server root .htaccess is empty
> In server root/admin/.htaccess
> 
> <RequireAll>
>    Require ip 10.0.0.100
> </RequireAll>

Hmm ... as I understand it the <RequireAll> directive is evaluated to make an 
authorisation decision, before the authentication directive below.  If the 
authorisation fails, because you're not connecting from ip 10.0.0.100, then I 
would assume apache should return 403 and stop processing further directives.  
However, from what you say it does not do this.  :-/

I wonder if you add 'AuthMerging And' above your authentication directives 
below, it would work as expected - i.e. both 'ip 10.0.0.100' and 'user 
webmaster' should succeed before access to /admin is allowed.

> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile "/etc/apache2/users"
> require user webmaster
> 
> My IP is 10.0.0.109 so I should be denied access to admin/index.php but
> I'm able to view it/access it.
> It seems to me it is reading the .htaccess file as "AuthType Basic" works, it
> is asking me for a password, but "Require ip" doesn't work.  Because my
> IP is 10.0.0.109 apache should deny me access with "access denied".


Something else to try instead of <RequireAll>, in case it makes a difference.  
Does it work as intended if you replace <RequireAll> with a filesystem 
container:

 <Directory "/var/www/localhost/htdocs/*/admin">
     Require ip 10.0.0.100
 </Directory>

Or, if this is a set of pages dynamically generated by php, rather than a 
static file within the admin directory, use a webspace container:

 <Location "*/admin">
     Require ip blah
 </Location>


> It is strange as the directive: "DirectoryIndex index.html
> index.html.var" does not include "index.php" and I'm able to access this
> file "admin/index.php"
> so the index.php must be defined somewhere else. Most likely via httpd.conf:
> 
> httpd.conf:75:LoadModule autoindex_module modules/mod_autoindex.so  (but
> this is a binary file, can not read it).

The index.php is defined by /etc/apache2/modules.d/70_mod_php.conf.



* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-30 19:43         ` Michael
@ 2020-11-30 20:07           ` thelma
  2020-11-30 21:20             ` Michael
  0 siblings, 1 reply; 13+ messages in thread
From: thelma @ 2020-11-30 20:07 UTC (permalink / raw
  To: gentoo-user

On 11/30/2020 12:43 PM, Michael wrote:
> I don't have time to look into this in much detail, or test it, but see 
> comments below.
> 
> On Monday, 30 November 2020 18:09:52 GMT thelma@sys-concept.com wrote:
>> On 11/30/2020 05:34 AM, Michael wrote:
>>> On Sunday, 29 November 2020 18:22:09 GMT thelma@sys-concept.com wrote:
>>>> Thelma
>>>>
>>>> On 11/29/2020 03:22 AM, Michael wrote:
>>>>> On Sunday, 29 November 2020 07:30:16 GMT thelma@sys-concept.com wrote:
>>>>>> I'm trying to deny access to all except specific IP address in a
>>>>>> directory, just testing it.
>>>>>>
>>>>>> In modules.d/00_default_settings.conf
>>>>>>
>>>>>> <Directory "/var/www/localhost/htdocs">
>>>>>>
>>>>>> 	Options MultiViews
>>>>>> 	AllowOverride All
>>>>>> 	Require all granted
>>>>>>
>>>>>> </Directory>
>>>>>>
>>>>>> in admin/.htaccess
>>>>>>
>>>>>> <RequireAll>
>>>>>>
>>>>>>     Require all denied
>>>>>>     Require ip 10.0.0.100
>>>>>>
>>>>>> </RequireAll>
>>>>>>
>>>>>> My IP is 10.0.0.112 and I can still access the server /admin directory
>>>>>>
>>>>>> What am I missing?
>>>>>
>>>>> In apache 2.4 the access control syntax has changed.  The RequireAll
>>>>> directive means *all* authorisation directives within it must succeed.
>>>>>
>>>>> https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#requireall
>>>>>
>>>>> What happens if you just remove the first line, "Require all denied"?
>>>>
>>>> As you suggested I have:
>>>> in admin/.htaccess
>>>>
>>>> <RequireAll>
>>>>
>>>>     Require ip 10.0.0.100
>>>>
>>>> </RequireAll>
>>>>
>>>> My IP is: 10.0.0.112 and it still allows me to access it.  I know Apache
>>>> 2.4 is reading the file as the below directive works.
>>>
>>> I've tested different RequireAll directives in a .htaccess file and with
>>> otherwise default apache settings I can confirm:
>>>
>>> This is correct:
>>> =========================
>>> <RequireAll>
>>>
>>>     Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> will only allow visitors from 10.0.0.100 to access the directory content.
>>>
>>> This is also correct:
>>> =========================
>>> <RequireAll>
>>>
>>>     Require all granted
>>>     Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> will only allow visitors from 10.0.0.100 to access the directory content.
>>>
>>> Finally, this won't work:
>>> =========================
>>> <RequireAll>
>>>
>>>     Require all denied
>>>     Require ip 10.0.0.100
>>>
>>> </RequireAll>
>>> =========================
>>> because it returns 403 for all clients irrespective of IP address, since
>>> both subdirectives must be correct for the RequireAll to be true.
>>>
>>> I notice you have 'Options MultiViews' in your modules.d/
>>> 00_default_settings.conf, which will parse paths to find and serve any
>>> file
>>> requested by the client even if the URL is not complete.  It might be this
>>> conflicts with your .htaccess within admin/ subdirectory, but I'm not
>>> sure.
>>> Something in apache logs may shed light on this.
>>>
>>>> AuthName "restricted stuff"
>>>> AuthType Basic
>>>> AuthUserFile "/etc/apache2/users"
>>>> require user webmaster
>>>>
>>>> I've tried adding
>>>> RewriteEngine on
>>>>
>>>> With it, I can not login at all (access denied) regardless of IP.
>>>
>>> With apache 2.4 a new <If> directive was added to perform conditional
>>> checks and replace/augment many of the mod_rewrite functionalities.  I
>>> don't know how you have structured your RewriteCond and RewriteRule, but
>>> obviously they don't work as intended if they totally block access.
>>>
>>> You could check conflicting rules between your apache config and any
>>> .htaccess directives, or any loose and contradictory .htaccess files in
>>> higher subdirectories.
>>
>> Here is complete file:   modules.d/00_default_settings.conf
>> I've removed 'Options MultiViews' but it didn't help.
>>
>> Timeout 300
>> KeepAlive On
>> MaxKeepAliveRequests 100
>> KeepAliveTimeout 15
>> UseCanonicalName Off
>> AccessFileName .htaccess
>> ServerTokens Prod
>> TraceEnable off
>> ServerSignature Off
>> HostnameLookups Off
>> EnableMMAP On
>> EnableSendfile Off
>> FileETag MTime Size
>> ContentDigest Off
>> ErrorLog /var/log/apache2/error_log
>> LogLevel warn
>>
>> <Directory />
>> 	Options FollowSymLinks
>> 	AllowOverride None
>> 	Require all denied
>> </Directory>
>>
>> <Directory "/var/www/localhost/htdocs">
>> 	AllowOverride All
>> 	Require all granted
>> </Directory>
>>
>> <IfModule dir_module>
>> 	DirectoryIndex index.html index.html.var
>> </IfModule>
>>
>> <FilesMatch "^\.ht">
>> 	Require all denied
>> </FilesMatch>
>>
>> The server root .htaccess is empty
>> In server root/admin/.htaccess
>>
>> <RequireAll>
>>    Require ip 10.0.0.100
>> </RequireAll>
> 
> Hmm ... as I understand it the <RequireAll> directive is evaluated to make an 
> authorisation decision, before the authentication directive below.  If the 
> authorisation fails, because you're not connecting from ip 10.0.0.100, then I 
> would assume apache should return 403 and stop processing further directives.  
> However, from what you say it does not do this.  :-/
> 
> I wonder if you add 'AuthMerging And' above your authentication directives 
> below, it would work as expected - i.e. both 'ip 10.0.0.100' and 'user 
> webmaster' should succeed before access to /admin is allowed.
> 
>> AuthName "restricted stuff"
>> AuthType Basic
>> AuthUserFile "/etc/apache2/users"
>> require user webmaster
>>
>> My IP is 10.0.0.109 so I should be denied access to admin/index.php but
>> I'm able to view it/access it.
>> It seems to me it is reading the .htaccess file as "AuthType Basic" works, it
>> is asking me for a password, but "Require ip" doesn't work.  Because my
>> IP is 10.0.0.109 apache should deny me access with "access denied".
> 
> 
> Something else to try instead of <RequireAll>, in case it makes a difference.  
> Does it work as intended if you replace <RequireAll> with a filesystem 
> container:
> 
>  <Directory "/var/www/localhost/htdocs/*/admin">
>      Require ip 10.0.0.100
>  </Directory>
> 
> Or, if this is a set of pages dynamically generated by php, rather than a 
> static file within the admin directory, use a webspace container:
> 
>  <Location "*/admin">
>      Require ip blah
>  </Location>

Thank for looking into it and input.
I must be missing something because if I use in the .htaccess file the directive:
 <Directory "/var/www/localhost/htdocs/*/admin"> or
 <Location "*/admin">

In both cases I get an error from Apache:

[client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess: <Directory not allowed here
[client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess: <Location not allowed here




* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-30 20:07           ` thelma
@ 2020-11-30 21:20             ` Michael
  2020-11-30 22:52               ` thelma
  0 siblings, 1 reply; 13+ messages in thread
From: Michael @ 2020-11-30 21:20 UTC (permalink / raw
  To: gentoo-user


On Monday, 30 November 2020 20:07:10 GMT thelma@sys-concept.com wrote:

> Thank for looking into it and input.
> I must be missing something because if I use in the .htaccess file the directive:
>  <Directory "/var/www/localhost/htdocs/*/admin"> or
>  <Location "*/admin">
> 
> In both cases I get an error from Apache:
> 
> [client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess:
> <Directory not allowed here
> [client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess:
> <Location not allowed here

Yes, the error is because Directory and/or Location directives ought to go in 
the main apache config files for this vhost, rather than in .htaccess.

Is there a particular reason you want to use .htaccess, rather than files in 
the /etc/apache subdirectories?



* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-30 21:20             ` Michael
@ 2020-11-30 22:52               ` thelma
  2020-12-01 14:18                 ` Michael
  0 siblings, 1 reply; 13+ messages in thread
From: thelma @ 2020-11-30 22:52 UTC (permalink / raw
  To: gentoo-user

On 11/30/2020 02:20 PM, Michael wrote:
> On Monday, 30 November 2020 20:07:10 GMT thelma@sys-concept.com wrote:
> 
>> Thank for looking into it and input.
>> I must be missing something because if I use in the .htaccess file the directive:
>>  <Directory "/var/www/localhost/htdocs/*/admin"> or
>>  <Location "*/admin">
>>
>> In both cases I get an error from Apache:
>>
>> [client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess:
>> <Directory not allowed here
>> [client 10.0.0.109] /var/www/localhost/htdocs/catalog/admin/.htaccess:
>> <Location not allowed here
> 
> Yes, the error is because Directory and/or Location directives ought to go in 
> the main apache config files for this vhost, rather than in .htaccess.
> 
> Is there a particular reason you want to use .htaccess, rather than files in 
> the /etc/apache subdirectories?

Access based on IP address works from .htaccess with the Files directive:

<Files *>
   Require ip 10.0.0.109
</Files>

But it doesn't read AuthType Basic; it doesn't ask me for any password.

AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
require user webmaster

It seems to me Apache 2.4 is very limited in what can, and cannot, go into
.htaccess.





* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-11-30 22:52               ` thelma
@ 2020-12-01 14:18                 ` Michael
  2020-12-01 19:34                   ` thelma
  0 siblings, 1 reply; 13+ messages in thread
From: Michael @ 2020-12-01 14:18 UTC (permalink / raw
  To: gentoo-user


On Monday, 30 November 2020 22:52:05 GMT thelma@sys-concept.com wrote:

> Access based on IP address works from .htaccess with the Files directive:
> 
> <Files *>
>    Require ip 10.0.0.109
> </Files>
> 
> But it doesn't read AuthType Basic; it doesn't ask me for any password.
> 
> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile "/etc/apache2/users"
> require user webmaster
> 
> It seems to me Apache 2.4 is very limited in what can, and cannot, go into
> .htaccess.

OK, probably Authentication takes precedence over Authorization on apache 2.4.

Since you prefer to use .htaccess rather than a central apache config, let's 
check if this works in your /admin/.htaccess:

===========================
AuthName "restricted stuff"
AuthType Basic
AuthUserFile "/etc/apache2/users"
<RequireAll>
   Require ip 10.0.0.100
   Require user webmaster
</RequireAll>
==========================

It should allow you to connect and then request username and passwd from IP 
10.0.0.100, but return '403 Forbidden' for clients connecting from any other 
IP address, without requesting authentication.


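The order of the two lines inside the RequireAll block above is what produces the behaviour Michael describes: Apache 2.4 evaluates a RequireAll container in order and stops at the first directive that fails, so a client from a non-matching address is refused before `Require user` ever runs and never sees a Basic-auth challenge. The following is an added example written for this page, not Apache source and not code from either poster: a small Python model of the 2.4 container rules (RequireAll / RequireAny) with the `all`, `ip` and `user` providers, applied to the suggested .htaccess. The provider results, the addresses, the user names and the mapping to HTTP status codes are assumptions made for illustration; it does not model .htaccess merging, AuthMerging or partial-address forms of `Require ip`.

```python
"""Model of how Apache 2.4 evaluates Require directives (mod_authz_core rules).

Added example for this thread; it is not Apache code and not from either poster.
Container rules as documented by Apache: RequireAll fails on the first failure and
succeeds only if at least one directive granted; RequireAny succeeds on the first
success. A `Require user` line seen before the client has authenticated yields
DENIED_NO_USER, which is what makes Apache send the 401 Basic challenge.
All addresses and user names below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

GRANTED = "granted"
DENIED = "denied"
NEUTRAL = "neutral"
DENIED_NO_USER = "denied_no_user"


@dataclass
class Request:
    client_ip: str
    user: Optional[str] = None  # None until Basic credentials were sent and verified


Checker = Callable[[Request], str]


def require(provider: str, args: str) -> Checker:
    """Checker for one `Require <provider> <args>` line (all, ip, user only)."""
    values = args.split()

    def check(req: Request) -> str:
        if provider == "all":
            return GRANTED if values == ["granted"] else DENIED
        if provider == "ip":  # full addresses or CIDR prefixes only (assumption)
            addr = ipaddress.ip_address(req.client_ip)
            nets = [ipaddress.ip_network(v, strict=False) for v in values]
            return GRANTED if any(addr in net for net in nets) else DENIED
        if provider == "user":
            if req.user is None:
                return DENIED_NO_USER  # authentication has not happened yet
            return GRANTED if req.user in values else DENIED
        raise ValueError(f"provider {provider!r} is not modelled here")

    return check


def require_all(*checks: Checker) -> Checker:
    """<RequireAll>: evaluated in order; the first failure ends evaluation."""
    def check(req: Request) -> str:
        granted = False
        for c in checks:
            result = c(req)
            if result in (DENIED, DENIED_NO_USER):
                return result  # later lines never run
            if result == GRANTED:
                granted = True
        return GRANTED if granted else NEUTRAL
    return check


def require_any(*checks: Checker) -> Checker:
    """<RequireAny> (the implicit container): the first success wins."""
    def check(req: Request) -> str:
        outcome = NEUTRAL
        for c in checks:
            result = c(req)
            if result == GRANTED:
                return GRANTED
            if result == DENIED_NO_USER:
                outcome = DENIED_NO_USER  # a login might still succeed: challenge
            elif result == DENIED and outcome == NEUTRAL:
                outcome = DENIED
        return outcome
    return check


def http_status(result: str) -> int:
    """Status the client sees for an authz outcome (assumed mapping)."""
    if result == GRANTED:
        return 200
    if result == DENIED_NO_USER:
        return 401  # sent with a WWW-Authenticate: Basic challenge
    return 403      # DENIED or NEUTRAL


# The .htaccess suggested in the thread, expressed as a checker
ADMIN_HTACCESS = require_all(require("ip", "10.0.0.100"),
                             require("user", "webmaster"))

if __name__ == "__main__":
    for req in (Request("10.0.0.100"), Request("10.0.0.100", user="webmaster"),
                Request("10.0.0.112"), Request("10.0.0.112", user="webmaster")):
        print(f"{req.client_ip:12} user={req.user!s:10} -> {http_status(ADMIN_HTACCESS(req))}")
```

Running the file prints one line per constructed request. The case worth noticing from a defender's point of view is 10.0.0.112: it gets 403 with no challenge at all, so the existence of the password prompt and the realm name are never revealed to addresses outside the allowed one; swapping the two `Require` lines would make Apache challenge every client first and only then check the address.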

* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-12-01 14:18                 ` Michael
@ 2020-12-01 19:34                   ` thelma
  2020-12-01 23:06                     ` Michael
  0 siblings, 1 reply; 13+ messages in thread
From: thelma @ 2020-12-01 19:34 UTC (permalink / raw
  To: gentoo-user, Michael

On 12/01/2020 07:18 AM, Michael wrote:
> On Monday, 30 November 2020 22:52:05 GMT thelma@sys-concept.com wrote:
> 
>> Access based on IP address works from .htaccess with the Files directive:
>>
>> <Files *>
>>    Require ip 10.0.0.109
>> </Files>
>>
>> But it doesn't read AuthType Basic; it doesn't ask me for any password.
>>
>> AuthName "restricted stuff"
>> AuthType Basic
>> AuthUserFile "/etc/apache2/users"
>> require user webmaster
>>
>> It seems to me Apache 2.4 is very limited in what can, and cannot, go into
>> .htaccess.
> 
> OK, probably Authentication takes precedence over Authorization on apache 2.4.
> 
> Since you prefer to use .htaccess rather than a central apache config, let's 
> check if this works in your /admin/.htaccess:
> 
> ===========================
> AuthName "restricted stuff"
> AuthType Basic
> AuthUserFile "/etc/apache2/users"
> <RequireAll>
>    Require ip 10.0.0.100
>    Require user webmaster
> </RequireAll>
> ==========================
> 
> It should allow you to connect and then request username and passwd from IP 
> 10.0.0.100, but return '403 Forbidden' for clients connecting from any other 
> IP address, without requesting authentication.

WOW! it worked, it worked!
Thank you Michael!
IP works and AuthType Basic works too.

Why? It seems to me Apache 2.4 is very picky about where directives go and
in what order.  So much more to learn.  For basic operation I prefer .htaccess
files; it is much simpler and easier to block spammers, and there is no need to
restart the main server, just update the .htaccess file.

Thank you again!





* Re: [gentoo-user] apache 2.4 - deny access to directory
  2020-12-01 19:34                   ` thelma
@ 2020-12-01 23:06                     ` Michael
  0 siblings, 0 replies; 13+ messages in thread
From: Michael @ 2020-12-01 23:06 UTC (permalink / raw
  To: gentoo-user; +Cc: thelma


On Tuesday, 1 December 2020 19:34:54 GMT thelma@sys-concept.com wrote:
> On 12/01/2020 07:18 AM, Michael wrote:
> > On Monday, 30 November 2020 22:52:05 GMT thelma@sys-concept.com wrote:
> >> Access based on IP address works from .htaccess with the Files directive:
> >> 
> >> <Files *>
> >>    Require ip 10.0.0.109
> >> </Files>
> >> 
> >> But it doesn't read AuthType Basic; it doesn't ask me for any password.
> >> 
> >> AuthName "restricted stuff"
> >> AuthType Basic
> >> AuthUserFile "/etc/apache2/users"
> >> require user webmaster
> >> 
> >> It seems to me Apache 2.4 is very limited in what can, and cannot, go into
> >> .htaccess.
> > 
> > OK, probably Authentication takes precedence over Authorization on apache
> > 2.4.
> > 
> > Since you prefer to use .htaccess rather than a central apache config,
> > let's check if this works in your /admin/.htaccess:
> > 
> > ===========================
> > AuthName "restricted stuff"
> > AuthType Basic
> > AuthUserFile "/etc/apache2/users"
> > <RequireAll>
> >    Require ip 10.0.0.100
> >    Require user webmaster
> > </RequireAll>
> > ==========================
> > 
> > It should allow you to connect and then request username and passwd from
> > IP
> > 10.0.0.100, but return '403 Forbidden' for clients connecting from any
> > other IP address, without requesting authentication.
> 
> WOW! it worked, it worked!
> Thank you Michael!
> IP works and AuthType Basic works too.
> 
> Why? It seems to me Apache 2.4 is very picky about where directives go and
> in what order.  So much more to learn.  For basic operation I prefer .htaccess
> files; it is much simpler and easier to block spammers, and there is no need to
> restart the main server, just update the .htaccess file.
> 
> Thank you again!

You're welcome.  I'm glad you got it going.  There were a number of changes 
with apache 2.4.  Have a look down this page for the specifics:

https://httpd.apache.org/docs/trunk/upgrading.html


