Topic: Possible to use <Directory> and two different kinds of
AMG1978



Joined: 07 Feb 2017
Posts: 7
Location: San Diego, CA

Posted: Tue 07 Feb '17 8:01    Post subject: Possible to use <Directory> and two different kinds of

Can someone help tell me how it would be possible to define a <Directory> section that has the ability to provide no authentication for 127.0.0.1 but require basic auth (user/group) for all other networks? I have for years done each of these separately successfully, but desire both to work simultaneously now.

I have an application which runs on the webserver which will pull down data, and connect through 127.0.0.1. But the data I want protected for everyone who accesses it via other interfaces.

Thanks.
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Tue 07 Feb '17 21:42

Hi neighbor,

RequireAny is the default in 2.4 so it's as simple as

<Directory "/some/path">
    Options ...whatever...
    AllowOverride Authconfig ...whatever else...
    # ... the various auth directives ...
    Require ip 127.0.0.1
    Require valid-user
    # or: Require group groupname
</Directory>
AMG1978



Joined: 07 Feb 2017
Posts: 7
Location: San Diego, CA

Posted: Tue 07 Feb '17 22:46

Ah, another San Diegan! Thanks for the reply. This is in 2.2.31 and it isn't working yet. I am going to hack at it more, but here's a snippet:


<Directory "/usr/local/pnp4nagios/share">
#AllowOverride None
AllowOverride Authconfig
SetEnv TZ "America/Los_Angeles"
Options None
AuthBasicProvider ldap file
AuthUserFile /usr/local/nagios/etc/htpasswd.users
AuthGroupFile /usr/local/nagios/etc/htpasswd.groups
AuthType Basic
AuthName "LDAP Authentication"
AuthLDAPURL "ldap://hostname_removed:389/OU=ou_removed,DC=dc_removed?sAMAccountName?sub?(objectClass=user)" NONE
AuthLDAPBindDN "username_removed@fqdn_removed"
AuthLDAPBindPassword "password_removed"
AuthzLDAPAuthoritative off
require ip 127.0.0.1
require ldap-group CN=cn_removed,OU=ou_removed,OU=ou_removed,OU=ou_removed,DC=dc_removed,DC=dc_removed,DC=dc_removed,DC=dc_removed
require ldap-user username_removed
require group local-admins
require user username_removed
#
# Use the same value as defined in nagios.conf
#
<IfModule mod_rewrite.c>
# Turn on URL rewriting
RewriteEngine On
Options symLinksIfOwnerMatch
# Installation directory
RewriteBase /pnp4nagios/
# Protect application and system files from being viewed
RewriteRule "^(?:application|modules|system)/" - [F]
# Allow any files or directories that exist to be displayed directly
RewriteCond "%{REQUEST_FILENAME}" !-f
RewriteCond "%{REQUEST_FILENAME}" !-d
# Rewrite all other URLs to index.php/URL
RewriteRule "^.*$" "index.php/$0" [PT]
</IfModule>
</Directory>
AMG1978



Joined: 07 Feb 2017
Posts: 7
Location: San Diego, CA

Posted: Tue 07 Feb '17 23:11

I can get around this by creating a symlink from /usr/local/pnp4nagios/share to /usr/local/pnp4nagios/share_local
Then I define a second Alias, and a second <Directory> and in that second directory config, I Order allow,deny and Allow from 127.0.0.1 and then have my local script hit that ../share_local instead. Users never know that exists, and IF they did, they'd see Forbidden.

Not the cleanest, and I wish I had this properly implemented, but this seems sufficient. Thank you.
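An added example, not posted by either participant in the thread: the policy asked for above (no prompt from 127.0.0.1, Basic auth for every other client) written for Apache 2.2 with Order/Allow/Deny plus Satisfy Any, beside the 2.4 form with an explicit <RequireAny>. The paths are the ones from the post above; the AuthName value and the file-only provider are assumptions made to keep it short.

```apache
# Use ONE of the two blocks, matching the running server version.

# --- Apache 2.2 -----------------------------------------------------------
# "Require ip" is a 2.4 provider. In 2.2, host-based access is expressed with
# Order/Allow/Deny and combined with authentication through Satisfy.
<Directory "/usr/local/pnp4nagios/share">
    AuthType Basic
    AuthName "Restricted"                     # assumed realm name
    AuthBasicProvider file
    AuthUserFile /usr/local/nagios/etc/htpasswd.users
    Require valid-user

    # Host rule: only loopback passes without credentials.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    # Add "Allow from ::1" only if the local script connects over IPv6.

    # Any = host rule OR valid login. The default (All) demands both.
    Satisfy Any
</Directory>

# --- Apache 2.4 -----------------------------------------------------------
# Sibling Require lines are already OR-ed; the container makes that explicit
# and keeps the policy stable if the block is later nested in <RequireAll>.
<Directory "/usr/local/pnp4nagios/share">
    AuthType Basic
    AuthName "Restricted"                     # assumed realm name
    AuthBasicProvider file
    AuthUserFile /usr/local/nagios/etc/htpasswd.users
    <RequireAny>
        Require ip 127.0.0.1
        Require valid-user
    </RequireAny>
</Directory>

# Caveat for both versions: the exemption keys on the TCP peer address. If a
# reverse proxy on the same host forwards external traffic to this server,
# every request arrives from 127.0.0.1 and skips authentication.
```

After reloading, a request from the host itself should return 200 without credentials, and a request from any other address should return 401 until valid credentials are sent.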