httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <>
Subject Re: [users@httpd] Access configurations
Date Tue, 12 Feb 2013 03:05:09 GMT
On 12/02/2013 1:50 PM, "Phil Smith" <> wrote:
> I'm trying to find some Apache documentation verifying that the access
> configs listed below in the manner I find them to be working are truly
> supported by Apache and are reasonable.(I'm using Apache 2.2.3).
> In a given directory in web space I have an .htaccess file with
> information such as the following (various SSL requirements are left
> out of the example for simplicity):
> AuthUserFile /home/secure/.htpasswd
> AuthName "Restricted Access"
> AuthType Basic
> <Files abc.html>
>    require user andy
> </Files>
> <Files def.html>
>    require user bert
> </Files>
> <Limit GET POST>
> order deny, allow
> deny from all
> allow from
> require user andy bert charlie
> </Limit>
> <LimitExcept GET POST>
> order deny,allow
> deny from all
> </LimitExcept>
> What I'm looking to do is restrict all access to anything in this
> directory to either GET or POST and then only to certain IP addresses
> (anything on the 10.10.10.x network) and listed authenticated users.
> Any other methods should be completely rejected. Any resource in that
> directory protected by the .htaccess file should require a valid user
> of andy, bert or charlie. Those requirements should be accomplished by
> the Limit/LimitExcept directives. I'm reasonably confident in that.
> In addition, for certain resources in that directory such as abc.html
> and def.html, I only want specific users to have access to those
> resources, but still subject to the 10.10.10.x IP address restriction.
> My concern at first would be will Apache seeing the restriction on
> <Files abc.html> and requiring user andy continue to respect the
> Limits I have on GET and POST requiring a specific IP address range.
> It would be cumbersome to have to repeat the restrictions on IP
> address within each <Files> directive.
> So... the bottom line in my intention is that:
> Any request to a Method other than GET or POST is completely blocked.
> Anyone either not on 10.10.10.x OR not having been authenticated as
> andy, bert or charlie is completely blocked.
> Of the authenticated users:
>    only andy can access abc.html coming from 10.10.10.x
>    only bert can access def.html coming from 10.10.10.x
> My testing says that Apache does respect both the user requirement
> with the Files directive and the IP address requirement within the
> Limit directive. The access does work as I intended from the testing I
> have done. However, I really can't find any Apache documentation
> explaining the logic of how Apache would parse that and hence verify
> that both the user requirements with <Files> and IP address
> requirement within <Limit> are combined.
> Comments on this approach are very much appreciated.
> #1 Does Apache support this? eg... not just a fluke that might not
> work in a future apache release.
> #2 Improvements or a better approach?
> Thank you.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
>From the docs:

In the general case, access control directives should not be placed within
a <Limit> section.The purpose of the <Limit> directive is to restrict the
effect of the access controls to the nominated HTTP methods. For all other
methods, the access restrictions that are enclosed in the <Limit> bracket
will have no effect.

Whats not clear here???

View raw message