SOLVED: The idea is that if the visitor comes from China they have to pass a basic authentication. If you have any other IP address you can visit the site without being hassled (including proxies)
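# 1400 rules....
# SetEnvIf matches Remote_Addr against a regular expression, not a CIDR range,
# so each range is written as a regex with its CIDR noted above it.
# 222.249.128.0/19
SetEnvIf Remote_Addr "^222\.249\.(12[89]|1[3-5][0-9])\." china
# 222.249.160.0/20
SetEnvIf Remote_Addr "^222\.249\.(16[0-9]|17[0-5])\." china
# 222.249.176.0/20
SetEnvIf Remote_Addr "^222\.249\.(17[6-9]|18[0-9]|19[01])\." china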
AuthType Basic
AuthName "Restricted"
AuthUserFile /www/passwd/users
Require valid-user
Order allow,deny
Allow from All
Deny from env=china
Satisfy any
-
Just add 'allow from myiprange' or 'allow from myinternalnetwork.com'. The 'Satisfy any' will require either a valid-user or the allow from.
See: Authentication, Authorization, and Access Control
Moak : I updated my post. Using satisfy any. Right now everybody is being prompted no matter where.
From chankster -
Generally the default config has unrestricted access for everyone
<Directory "/home/web/htdocs">
    Order allow,deny
    Allow from all
</Directory>
Then you must force authentication for your restricted area by denying all, then allowing just those subnets, followed by any requirements for how they actually would authenticate. Satisfy all is used to insure both policies of access are required.
<Directory "/home/web/htdocs/restricted">
    Order Deny,Allow
    Deny from all
    Allow from 58.240.0.0/15
    Allow from 58.242.0.0/15
    Require valid-user
    Satisfy all
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /home/web/.htpasswds/.htpasswd
    Require valid-user
</Directory>
Caveat!
Every single time I think I understand the rules for how authentication works, I have to futz with the config repeatedly until I get some nuance correct. Use this only as a starting point. Re-read the apache documentation on mod_auth and mod_access in particular, paying special attention to the Order directive. Therein lies your answer.
Hope this helps, and please post your working example if it doesn't match this one, as this is a pretty good recipe to have in an apache cookbook.
--edit--
Testing the above shows that restricted area is forbidden to all except for those from the IP address, who must provide authentication.
It is not clear from your question if users from other IPs need unfettered access to this 'restricted area' or if they are simply forbidden?
Moak : Sorry Eric, I'll try to put things into perspective. A user visits the page. If his IP is from e.g. North Korea then he must provide authentication. In all other cases he should be free to visit the site. So if you are from Iceland for example, you just see the page, no prompt.
ericslaw : Here is a total stab in the dark, try using a rewrite rule based on SetEnvIf causing the actual Location or Directory to change just for the china IPs (while a rewrite, it is NOT a redirect). I'm not sure if you should simply symlink the directories underneath or if apache can tell you are doing that. From reading the docs, I don't see where 'satisfy any' can still force authentication just for china but not for anyone else. It sounds like you almost want "Allow except from XX.XX.XX.XX/mask"
Moak : Thanks for trying. I solved it. Almost like yours, just Allow All / deny from env=china / satisfy any. This ends up requesting the authentication only from Chinese visitors.
From ericslaw -
This is the code I use to allow all users, deny the ones from China and password prompt those:
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/.htpasswds/.htpasswd
Require valid-user
Order Allow,Deny
Allow from all
deny from 58.14.0.0/15
....
deny from 222.249.192.0/18
satisfy any
From Moak -
I can't get it to work the other way around. I want to allow users from the local network to access without getting prompted to login, but external visitors should have to authenticate. This is what I have right now:
AuthUserFile /var/www/.htsnowballs
AuthType Basic
AuthName "Torrent"
Require valid-user
Order Allow,Deny
Allow from 192.168.1.0/24
Deny from All
Satisfy any
Moak : Maybe switch the Deny, Allow so it denies everything first then allows the IPs. Right now you are saying allow these guys then deny everyone including the people I allowed.
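How Order, Allow/Deny and Satisfy combine in the configurations posted above, as a small Python model added here (not code from any poster and not Apache's own implementation). It assumes rules are only CIDR ranges or `all`; the client addresses and the names `host_allowed`, `outcome` and `table` are made up for the illustration.

```python
import ipaddress

def host_allowed(ip, order, allow, deny):
    """Apache 2.2 host check; allow/deny are lists of CIDR strings or 'all'."""
    addr = ipaddress.ip_address(ip)
    def hit(rules):
        return any(r.lower() == "all" or addr in ipaddress.ip_network(r)
                   for r in rules)
    a, d = hit(allow), hit(deny)
    if order.lower() == "allow,deny":
        return a and not d   # default deny; Deny wins when both match
    if order.lower() == "deny,allow":
        return a or not d    # default allow; Allow wins when both match
    raise ValueError(f"unknown Order: {order}")

def outcome(ip, order, allow, deny, satisfy):
    """'open' (no prompt), 'auth' (must log in) or 'forbidden' (403)."""
    ok = host_allowed(ip, order, allow, deny)
    if satisfy.lower() == "any":          # host check OR valid-user
        return "open" if ok else "auth"
    return "auth" if ok else "forbidden"  # Satisfy all: host check AND valid-user

# The four variants discussed in the thread, with the ranges quoted there.
GEO = dict(order="Allow,Deny", allow=["all"], satisfy="any",
           deny=["222.249.128.0/19", "222.249.160.0/20", "222.249.176.0/20"])
RESTRICTED = dict(order="Deny,Allow", deny=["all"], satisfy="all",
                  allow=["58.240.0.0/15", "58.242.0.0/15"])
LAN_ASKED = dict(order="Allow,Deny", allow=["192.168.1.0/24"],
                 deny=["all"], satisfy="any")
LAN_SWITCHED = dict(LAN_ASKED, order="Deny,Allow")  # the suggested switch

def table():
    # Client addresses are constructed samples, not taken from the thread.
    clients = ["222.249.130.7", "58.241.9.9", "192.168.1.20", "203.0.113.5"]
    cfgs = {"geo": GEO, "restricted": RESTRICTED,
            "lan_asked": LAN_ASKED, "lan_switched": LAN_SWITCHED}
    return {(name, ip): outcome(ip, **cfg)
            for name, cfg in cfgs.items() for ip in clients}

if __name__ == "__main__":
    for (name, ip), result in table().items():
        print(f"{name:13}{ip:16}{result}")
```

The lan_asked rows come out as 'auth' for LAN and external clients alike: under Order Allow,Deny a request matching both lists is denied, so Satisfy any falls back to the password prompt.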