httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <>
Subject RE: Authentification by password & IP
Date Tue, 16 Jul 2002 13:44:28 GMT
On Tue, 16 Jul 2002, Mark Mentovai wrote:

> Rich Bowen wrote:
> > OK, here's what I came up with. I suppose it might be wrong, but it's an
> > interesting challenge. Tell me where I screwed up.
> [...]
> > <Directory /something>
> >     Order Deny,Allow
> >     Deny From env=NotAllowed
> >     Allow From env=Group1
> >     Require User Foo
> >     Satisfy Any
> > </Directory>
> [...]
> > We then do a deny,allow, denying everyone in the NotAllowed group, and
> > then allowing either those folks in group1, or those folks with a
> > password.
> That doesn't meet the requirements.  The goal is to allow access without a
> password to some clients, access with a password to other clients, and no
> access to everyone else.  Because of the "Satisfy Any", your solution allows
> access without a password to some clients, and access with a password to
> everyone else.  "Satisfy Any" means to use mod_access -or- authentication.

Um. You dropped my earlier SetEnvIf NotAllowed directives. That's the
part that disallows everyone outside of the allowed range.

> This is no different than using the equivalent, non-mod_setenvif typical
> solution:
> <Directory /something>
>   Order Allow,Deny
>   Allow from
>   Require user Foo
>   Satisfy Any
> </Directory>

It is indeed different. Rather than allowing a particular range, it
denies everyone outside of the two allowed ranges, as required. It then
requires that the users are either in group1, or provide a password:

deny from env=NotAllowed
Allow from env=Group1
require user foo
satisfy any

The deny from is disallowing people outside of the allowed IP blocks, as
desired. The satisfy any means that either we can be in group1 (defined
in the setenvif line that you left out) or they can provide a password,
but only one of the two is required.

I'm pretty certain that this does indeed do what you want.

Rich Bowen
Apache - mod_perl - Perl - CGI

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message