I want to restrict access to a complete website (Apache 2.4) to certain IPs. On top of that I want to restrict access to certain subfolders with user authentication. User auth is not working. Here is what I got:
In the vhost config I have:
<Location />
# Localhost
Require ip 127.0.0.1
# some other IP
Require ip 1.2.3.4
</Location>
Now I want the subfolder /secure/ to require a valid user login.
<webroot>/secure/.htaccess looks like:
<RequireAll>
Require all granted
Require user user1 user2 user3
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /securePath/userAuth
</RequireAll>
I can still access /secure from the IP 1.2.3.4 without user authentication. It feels like Apache matches the IP against the Require ip 1.2.3.4 directive (inside an implicit RequireAny) and doesn't care about possible extra restrictions further down the line.
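
An added example, not part of the original post: one configuration in which /secure/ needs both an allowed IP and a valid login. It relies on Apache 2.4 merging `<Location>` sections after `<Directory>` and .htaccess, and on the default `AuthMerging Off`, under which the section merged last replaces the earlier Require directives. The webroot path /var/www/example is an assumption standing in for <webroot>.

```apache
# vhost config: put the IP allow-list on the filesystem path, not on <Location />.
# <Location> sections are merged after <Directory> and .htaccess, and with the
# default "AuthMerging Off" the section merged last replaces earlier Require
# lines, so "<Location />" overrides whatever /secure/.htaccess demands.
# /var/www/example is an assumed path, not taken from the post.
<Directory "/var/www/example">
    # AuthConfig lets .htaccess use the Auth* and Require directives
    AllowOverride AuthConfig
    # Bare Require lines form an implicit <RequireAny>
    Require ip 127.0.0.1
    Require ip 1.2.3.4
</Directory>

# /var/www/example/secure/.htaccess
AuthType Basic
AuthName "Secure Folder Login"
AuthBasicProvider file
AuthUserFile /securePath/userAuth
# Combine with the inherited IP rule instead of replacing it:
# the client must come from an allowed IP AND be one of the listed users.
AuthMerging And
Require user user1 user2 user3
```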