httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Three-way access
Date Tue, 01 Feb 2005 11:46:24 GMT


> -----Original Message-----
> From: Alonso Lara [mailto:keko@khor-ha.net]
> Sent: Monday, 31 January 2005 22:48
> To: users@httpd.apache.org
> Subject: [users@httpd] Three-way access
> 
> 
> Hi!
> 
> I would like to configure a directory with this access method:
> 
> 1.- Direct access to 192.168.0.1
> 2.- Login access to subnet (192.168.0.*, user: local)
> 3.- Deny rest

Interesting question... My opinion (which could be wrong), having read
over the docs, is that the access control algorithms always boil down to
a simple if-else construct. The contents of the if-clause can be
arbitrarily complex but at the end of the day you are left with a simple
two-way switch. So a three-way switch to a single directory as you
require is logically impossible using just Allow,Deny,Satisfy and
Require.

There might be a workaround possible by using mod_rewrite conditionally
to rewrite the request based on the Host IP address and creating an
empty directory to direct denied requests to. Basically, the rewrite
condition gives you another if-else so now with two if-elses, it's
possible to construct a 3-way switch.

eg:

First make two dirs, call them "forbidden" (may be empty) and
"protected" (contains the data you want protected).

RewriteCond ip != 192.168.0
RewriteRule /protected /forbidden

<Directory /path/to/dir/forbidden>
  Deny from all
</Directory>

<Directory /path/to/dir/protected>
  Deny from 192.168.0
  Allow from 192.168.0.1
  Satisfy any
  Require valid-user
  etc...
</Directory>

So if the request comes from 192.168.0.1 it will skip the Rewrite, enter
the second Directory-block, get Allowed and, since it passes Satisfy
any, will skip the authentication.

From 192.168.0 (NB - don't add a wildcard to the network range), it will
skip the Rewrite, enter the second Directory-block, get Denied but,
since it passes Satisfy any, will trigger the authentication.

From !192.168.0, it will trigger the Rewrite, re-submit the request,
enter the first Directory-block and get Denied unconditionally.

BTW, the RewriteCond is pseudo-code; you'll have to figure out yourself
how to code up that rule. BTW2 - the 2nd dir-block is a bit of a guess;
you might need to tweak the exact directives to get it to work (might
need an Order...)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> 
> I can only configure two of the above lines to work at the same time.
> 
> # Direct Access to .1 and user login to the rest (subnet and Inet)
> Order Allow,Deny
> Allow from 192.168.0.1
> AuthType Basic
> AuthName "foo"
> AuthUserFile /etc/httpd/pw
> Require user local
> Satisfy Any
> 
> Or
> 
> # Login entire subnet (and .1), deny rest
> Order Allow,Deny
> Allow from 192.168.0.*
> AuthType Basic
> AuthName "foo"
> AuthUserFile /etc/httpd/pw
> Require user local
> Satisfy All
> 
> There's any way to configure this three-way access?
> 
> Thanks! :)
> 
> 
This e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
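A working version of the two-switch configuration sketched in the reply, written out in Apache 2.0/2.2 syntax. This is an added example, not part of the original message and not from the Apache project. It assumes DocumentRoot is /var/www/html, that "protected" (the data) and "forbidden" (an empty directory) sit directly beneath it, that mod_rewrite and the host-based access module (mod_access in 2.0, mod_authz_host in 2.2) are loaded, and it reuses the AuthName, AuthUserFile and user name from the question.

```apache
# Added example (not from the original message). Assumes DocumentRoot /var/www/html,
# with /var/www/html/protected holding the data and /var/www/html/forbidden empty.
# Place in the main server config or the relevant <VirtualHost>; Apache 2.0/2.2
# syntax (Order/Allow/Deny from mod_access / mod_authz_host).

RewriteEngine On
# First switch: any client outside 192.168.0.0/24 is sent to the dead-end
# directory before access control runs (URL rewriting happens in the
# translate-name phase, ahead of the access and auth phases).
# Anchored prefix, no wildcard: REMOTE_ADDR must start with "192.168.0.".
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.
RewriteRule ^/protected(/.*)?$ /forbidden$1 [L]

# Dead end: everything that lands here gets 403, and no credentials are asked for.
<Directory /var/www/html/forbidden>
    Order Deny,Allow
    Deny from all
</Directory>

# Second switch, reached only by 192.168.0.x clients:
#   192.168.0.1       -> host check passes, Satisfy Any skips authentication
#   other 192.168.0.x -> host check fails, Satisfy Any falls back to Basic auth
<Directory /var/www/html/protected>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.0.1
    AuthType Basic
    AuthName "foo"
    AuthUserFile /etc/httpd/pw
    Require user local
    Satisfy Any
</Directory>
```

The "forbidden" directory can be dropped entirely by replacing the RewriteRule with `RewriteRule ^/protected - [F]`, which answers 403 straight from mod_rewrite. On Apache 2.4 the same three-way rule no longer needs mod_rewrite: a `<RequireAny>` holding `Require ip 192.168.0.1` and a nested `<RequireAll>` of `Require ip 192.168.0.0/24` and `Require user local` expresses it directly in the authorization layer.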