httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <rbo...@rcbowen.com>
Subject RE: Authentification by password & IP
Date Tue, 16 Jul 2002 12:55:17 GMT
On Tue, 16 Jul 2002, Boyle Owen wrote:

> >From: Rich Bowen [mailto:rbowen@rcbowen.com]
> >
> >It seemed to me that you could probably do this somewhat more easily
> >with SetEnvIf. Set a variable for the GROUP 1 folks using
> >SetEnvIf, then
> >Allow From Env and Require User Foo, with a Satisfy Any.
>
> I don't think this works - remember you have two sets of users, one of which is a subset
of the other and only one directory. The trouble is that two sets of directives for the same
directory are merged so any rules for the subset get swallowed by the rules for the main set.
Using ENVs is just the same as saying "Allow from a.b.c"...
>
> Try it anyway but do remember you have:
>
> Group 1: ip range; a.b.c.XXX  (no password challenge)
> Group 2: ip range; a.b.XXX.XXX (password challenge)
> all other ips: (Forbidden access)

OK, here's what I came up with. I suppose it might be wrong, but it's an
interesting challenge. Tell me where I screwed up.

# Set env for everyone ...
SetEnvIf Remote_Addr "[0-9]" NotAllowed

# Unset it for those we like
SetEnvIf Remote_Addr "^1.2.3" NotAllowed=0
SetEnvIf Remote_Addr "^4.5.6" NotAllowed=0

# And give group1 special attributes
SetEnvIf Remote_Addr "^1.2.3" Group1

<Directory /something>
    Order Deny,Allow
    Deny From env=NotAllowed
    Allow From env=Group1
    Require User Foo
    Satisfy Any
</Directory>


So, unless I am confused (which happens a lot in the mornings before
coffee ...), here's what's happening.

For everyone, we set a NotAllowed environment variable. We then unset
this variable for folks in the allowed groups. Finally, we set an
additional var for the group1 people.

We then do a deny,allow, denying everyone in the NotAllowed group, and
then allowing either those folks in group1, or those folks with a
password.

I'm pretty sure that this does what is desired. The Venn diagrams seem
to work for me. It's a little simpler than the mod_rewrite example given
(I think), but I don't know whether it is any more efficient.

Anyways, if nothing else, it was an interesting exercise.

-- 
Oh I have slipped the surly bonds of earth
And danced the sky on laughter-silvered wings
 --High Flight (John Gillespie Magee)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message