Apache 2.4 access control (.htaccess)

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Apache 2.4 access control (.htaccess)

Jim Albert
In Apache 2.2 I could set up an .htaccess file and establish simple and
easily maintainable access control such as:

<FILES abc.html>
require user jim joe
</FILES>
<FILES def.html*>
require user jim joe
</FILES>

<Limit GET POST>
order deny,allow
deny from all

allow from 10.10.0.1
allow from 10.10.0.2
require valid-user
</Limit>

<LimitExcept GET POST>
order deny,allow
deny from all
</LimitExcept>

... and that would work very nicely so that for resources other than
abc.html and def.html as defined in the FILES section the request would
have to come from client 10.10.0.1 or 10.10.0.2 and be any authenticated
user. The <Limit GET POST> is the only restriction.

If the request were specifically for abc.html or def.html the GET
request would still be required to originate from 10.10.0.1 or
10.10.0.2, but now the user must be specifically jim or joe as defined
in the <FILES> restriction. So both the <Limit GET POST> restrictions
were respected along with the FILES restriction requiring specific user
authentication.


In apache 2.4, access control configurations change so that I migrate
the above to:

<FILES abc.html>
require user jim joe
</FILES>
<FILES def.html*>
require user jim joe
</FILES>

<Limit GET POST>

<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
Require valid-user
</RequireAll>

</Limit>

<LimitExcept GET POST>
Require all denied
</LimitExcept>

In Apache 2.4 combining access for multiple IPs in combination with
users make the configurations somewhat more complex, but I can live with
that.

However, I can't easily get the same access experience as in 2.2 without
a lot of redundant configuration.

In my 2.4 configuration, the FILES directives are looked at without
respect to the Limit on the GET/POST.
I can comment out:
<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>

and I'm still allowed to make a request to either abc.html or def.html
as defined in the FILES section as long as I am authenticiated as user
jim or joe even with the request originating from 10.10.0.1.

It seems like I'd have to do something like the following which seems
absurd and incredibly redundant and difficult to maintain with changes.

<FILES abc.html>
<RequireAll>
Require ip 10.10.0.1
require user jim joe
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
require user jim joe
</RequireAll>
</FILES>

<FILES def.html*>
<RequireAll>
Require ip 10.10.0.1
require user jim joe
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
require user jim joe
</RequireAll>
</FILES>

<Limit GET POST>

<RequireAll>
Require ip 10.10.0.1
Require valid-user
</RequireAll>
<RequireAll>
Require ip 10.10.0.2
Require valid-user
</RequireAll>

</Limit>

<LimitExcept GET POST>
Require all denied
</LimitExcept>

I tested and the above does seem to work in getting me the access
control that I want, but the configurations are incredibly redundant and
difficult to manage. Expand that out to a dozen more IPs and dozens of
resources and that configuration gets very long.

Note, in my production environment there are many users other than jim
and joe and users are restricted to certain resources. Not all users are
allowed access to the same set of resources.

Can anyone simplify those Apache 2.4 restrictions or instruct me on what
I might be overlooking or misunderstanding, please?


Thanks,
Jim


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Apache 2.4 access control (.htaccess)

Jim Albert
On 7/29/2020 6:34 PM, Jim Albert wrote:

> In Apache 2.2 I could set up an .htaccess file and establish simple
> and easily maintainable access control such as:
>
> <FILES abc.html>
> require user jim joe
> </FILES>
> <FILES def.html*>
> require user jim joe
> </FILES>
>
> <Limit GET POST>
> order deny,allow
> deny from all
>
> allow from 10.10.0.1
> allow from 10.10.0.2
> require valid-user
> </Limit>
>
> <LimitExcept GET POST>
> order deny,allow
> deny from all
> </LimitExcept>
>
> ... and that would work very nicely so that for resources other than
> abc.html and def.html as defined in the FILES section the request
> would have to come from client 10.10.0.1 or 10.10.0.2 and be any
> authenticated user. The <Limit GET POST> is the only restriction.
>
> If the request were specifically for abc.html or def.html the GET
> request would still be required to originate from 10.10.0.1 or
> 10.10.0.2, but now the user must be specifically jim or joe as defined
> in the <FILES> restriction. So both the <Limit GET POST> restrictions
> were respected along with the FILES restriction requiring specific
> user authentication.
>
>
> In apache 2.4, access control configurations change so that I migrate
> the above to:
>
> <FILES abc.html>
> require user jim joe
> </FILES>
> <FILES def.html*>
> require user jim joe
> </FILES>
>
> <Limit GET POST>
>
> <RequireAll>
> Require ip 10.10.0.1
> Require valid-user
> </RequireAll>
> <RequireAll>
> Require ip 10.10.0.2
> Require valid-user
> </RequireAll>
>
> </Limit>
>
> <LimitExcept GET POST>
> Require all denied
> </LimitExcept>
>
> In Apache 2.4 combining access for multiple IPs in combination with
> users make the configurations somewhat more complex, but I can live
> with that.
>
> However, I can't easily get the same access experience as in 2.2
> without a lot of redundant configuration.
>
> In my 2.4 configuration, the FILES directives are looked at without
> respect to the Limit on the GET/POST.
> I can comment out:
> <RequireAll>
> Require ip 10.10.0.1
> Require valid-user
> </RequireAll>
>
> and I'm still allowed to make a request to either abc.html or def.html
> as defined in the FILES section as long as I am authenticiated as user
> jim or joe even with the request originating from 10.10.0.1.
>
> It seems like I'd have to do something like the following which seems
> absurd and incredibly redundant and difficult to maintain with changes.
>
> <FILES abc.html>
> <RequireAll>
> Require ip 10.10.0.1
> require user jim joe
> </RequireAll>
> <RequireAll>
> Require ip 10.10.0.2
> require user jim joe
> </RequireAll>
> </FILES>
>
> <FILES def.html*>
> <RequireAll>
> Require ip 10.10.0.1
> require user jim joe
> </RequireAll>
> <RequireAll>
> Require ip 10.10.0.2
> require user jim joe
> </RequireAll>
> </FILES>
>
> <Limit GET POST>
>
> <RequireAll>
> Require ip 10.10.0.1
> Require valid-user
> </RequireAll>
> <RequireAll>
> Require ip 10.10.0.2
> Require valid-user
> </RequireAll>
>
> </Limit>
>
> <LimitExcept GET POST>
> Require all denied
> </LimitExcept>
>
> I tested and the above does seem to work in getting me the access
> control that I want, but the configurations are incredibly redundant
> and difficult to manage. Expand that out to a dozen more IPs and
> dozens of resources and that configuration gets very long.
>
> Note, in my production environment there are many users other than jim
> and joe and users are restricted to certain resources. Not all users
> are allowed access to the same set of resources.
>
> Can anyone simplify those Apache 2.4 restrictions or instruct me on
> what I might be overlooking or misunderstanding, please?
>

I did some more testing and I can list multiple IP addresses on the
"Require ip" line, so I believe I can simplify my .htaccess controls to
the following:

<FILES abc.html>
<RequireAll>
Require ip 10.10.0.1 10.10.0.2
require user jim joe
</RequireAll>
</FILES>

<FILES def.html*>
<RequireAll>
Require ip 10.10.0.1 10.10.0.2
# Note I added jack to the user list to indicate my user list access
controls change per resource.
require user jim joe jack
</RequireAll>
</FILES>

<Limit GET POST>

<RequireAll>
Require ip 10.10.0.1 10.10.0.2
Require valid-user
</RequireAll>

</Limit>

<LimitExcept GET POST>
Require all denied
</LimitExcept>

However, note how the list of IP addresses is required to be
continuously repeated in Apache 2.4 access control.
That looks to be my biggest issue. For each <FILES> section along with
the default <Limit GET POST> I have to repeat the same Require ip line.
If I have say 100 separate <FILES> sections I have to repeat that same
Require ip line for each <FILES>. Adding or removing IP addresses
becomes a maintenance issue.

Thanks,
Jim


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Apache 2.4 access control (.htaccess)

@lbutlr
On 29 Jul 2020, at 17:57, Jim Albert <[hidden email]> wrote:
> If I have say 100 separate <FILES> sections I have to repeat that same Require ip line for each <FILES>. Adding or removing IP addresses becomes a maintenance issue.

In regular conf files you can do something like

Define DOMAIN example.com
Define ROOT /usr/local/www/${DOMAIN}/
Define WEBROOT /usr/local/www/${DOMAIN}/html/

<virtualhost *:80>
   ServerName ${DOMAIN}
   Serveralias www.${DOMAIN}
   Redirect / https://www.${DOMAIN}/
</virtualhost>

Perhaps something along those lines is possible in htaccess files as well?

I normally do the <files …> blocks in the chest conf file and not in htaccess though, but it looks like you can use a rewrite rule to create a variable that you then use later in the file.

<http://httpd.apache.org/docs/current/rewrite/flags.html#flag_e>

Or you can use SetEnvIf

<http://httpd.apache.org/docs/current/mod/mod_setenvif.html#setenvif>

Hope that helps?



--
I WILL NOT FAKE RABIES Bart chalkboard Ep. 8F07


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]