The Require Directives

Bill Tantzen
Experts,

My environment is RHEL7 and apache 2.4.6

I am looking for the seemingly tricky combination of directives
(Require, RequireAll, RequireAny...) that will allow me to deny access
to an entire domain except for, say, one particular host.

For instance, how do I deny access to
   yyy.zzz.com
 except for
   ok.yyy.zzz.com

Is this even possible?  I have tried every combination of
authorization containers that I can think of, each of which so far is
either too restrictive or too weak.

Any ideas or suggestions for a good tutorial (believe me, I have searched)!!
Thanks in advance!
-- Bill
--
Human wheels spin round and round
While the clock keeps the pace... -- John Mellencamp
________________________________________________________________
Bill Tantzen    University of Minnesota Libraries
612-626-9949 (U of M)    612-325-1777 (cell)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: The Require Directives

Jonathon Koyle
You want to only allow access to a server at a specific hostname (that is how I understand your question). One way that would work is something like

Listen 80
<VirtualHost *:80>
    # This is the default host for this port (assuming it is the first declaration for a host on this port); all server names that do not match another will hit this location
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName ok.yyy.zzz.com
    # Put the rest of the host configuration here
</VirtualHost>

Assuming there are no other virtual hosts defined on this machine, this should return a forbidden for any attempt to access the host at port 80 through any method name but ok.yyy.zzz.com.

--
Jonathon Koyle

Re: The Require Directives

Bill Tantzen
No that's not exactly what I meant.  What I mean is something like
this -- although actually typing it seems like it can't possibly be
done:

<RequireAny>
  Require not host xxx.com
  Require host ok.xxx.com
</RequireAny>

I realize "not host" is not allowed here, but it maybe helps explain
what I want to do: Block an entire domain except for a single host.
--Bill

Re: The Require Directives

Jonathon Koyle
So, you want to restrict access to the host to a single machine on a specific domain with a non-static IP, OR to any machine not on the domain?

--
Jonathon Koyle

Re: The Require Directives

Bill Tantzen
Sorry this is turning out to be so confusing!  What I'm hoping to do,
in pseudo-config would be something like this:

Require not host bigdomain.com     ## nobody from the entire domain gets in!
Require host buddy.bigdomain.com   ## except this single client
Require all granted                ## and the rest of the world!

I'm not sure this can even be done at the apache level, much less how to do it.
Thanks for looking!
Bill

Re: The Require Directives

Jonathon Koyle
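You might try this; with some simple testing it seems to work...

# Allow the one permitted host inside the domain
<RequireAll>
    Require host usurf.usu.edu
    Require host c01622.usurf.usu.edu
</RequireAll>

# Allow clients outside the domain: lower half of the IPv4 space
<RequireAll>
    Require not host usurf.usu.edu
    Require ip 0.0.0.0/1
</RequireAll>

# Allow clients outside the domain: upper half of the IPv4 space
<RequireAll>
    Require not host usurf.usu.edu
    Require ip 128.0.0.0/1
</RequireAll>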

--
Jonathon Koyle
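
The policy asked for in this thread (block bigdomain.com, admit buddy.bigdomain.com, admit everyone else) can also be written as one nested container; this is an added example, not a configuration posted by anyone in the thread. The `<Location "/">` scope is an assumption, the hostnames are the placeholders from Bill's pseudo-config, and `Require all granted` stands in for the two `Require ip` halves above, which match IPv4 clients only.

```apache
# Added example. The <Location "/"> scope is an assumption; use whichever
# <Directory> or <Location> holds the content being protected.
<Location "/">
    # Children of <RequireAny> are ORed: one success grants access.
    <RequireAny>
        # Rule 1: the single exception inside the blocked domain.
        Require host buddy.bigdomain.com

        # Rule 2: everyone else, minus the blocked domain.
        # A negated Require can only fail or stay neutral, never grant, so it
        # is paired with a positive directive inside <RequireAll> (children
        # ANDed). That is also why "Require not" placed directly inside
        # <RequireAny> is a configuration error.
        <RequireAll>
            Require all granted
            Require not host bigdomain.com
        </RequireAll>
    </RequireAny>
</Location>

# Evaluation by client (hostname = result of the confirmed reverse lookup):
#   buddy.bigdomain.com     rule 1 succeeds                         allowed
#   other.bigdomain.com     rule 1 fails, rule 2 fails on "not"     403
#   host.elsewhere.example  rule 1 fails, rule 2 succeeds           allowed
#   no hostname resolved    no host rule matches, rule 2 succeeds   allowed
```

`apachectl configtest` checks the syntax before a reload. Because `Require host` depends on a reverse lookup that a forward lookup must confirm, a client in the blocked domain whose address has no matching PTR record is not recognised as part of it; `Require ip` with the domain's address ranges does not have that dependency.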

Re: The Require Directives

Bill Tantzen
Awesome, I will try it out -- I was seriously overthinking and
over-engineering this thing.  In the meantime, a little mod_rewrite
magic works too...
Thanks a million!
Bill