httpd-users mailing list archives

From ara.t.how...@noaa.gov
Subject Re: [users@httpd] .htaccess mixed access based on client-ip/auth
Date Thu, 07 Dec 2006 20:31:01 GMT
On Thu, 7 Dec 2006, Joshua Slive wrote:

> On 12/7/06, Ara.T.Howard <ara.t.howard@noaa.gov> wrote:
>
>> does this make sense?  i'm sure that is based on a mis-understanding on my 
>> part
>> about Order/Allow/Deny, but i'm sure what i'm trying to do should be 
>> possible
>> solely from this .htaccess file.
>> 
>> thoughts?
>
> You should include an
> Order Allow,Deny
> Directive.

thanks.  this is what i've got now: seems to work

   SetEnvIfNoCase Client-Ip ^123\.456 INTRANET=123.456
   Order Deny,Allow
   Deny from all
   Allow from env=INTRANET
   Satisfy Any

   AuthType Digest
   AuthName "authname"
   AuthDigestFile htdigest.txt
   Require valid-user

make sense?


>> ps.  any thoughts on why 'Allow from x.x.x.x' uses REMOTE_ADDR and not
>> HTTP_CLIENT_IP?
>
> Because HTTP_CLIENT_IP is completely non-standard and could be
> trivially manipulated by the client in most circumstances?

hmmm.  in this case i'm behind a server iron, so i assume HTTP_CLIENT_IP is
actually set via the REMOTE_ADDR on __that__ machine.  but the point is well
taken.

still, i think even REMOTE_ADDR could be spoofed easily couldn't it?

> There used to be a module out there that takes the more-standard
> X-Forwarded-For and shoves it into the internal apache structure that
> sets REMOTE_ADDR.  You could write a module to do the same with
> Client-IP if you want.

hmmm.  unless someone see issues with above i'll avoid doing any work  ;-)  but
i'll file that away.


-a
-- 
if you want others to be happy, practice compassion.
if you want to be happy, practice compassion.  -- the dalai lama

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
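To make the two points of the exchange concrete (why Ara's .htaccess works behind the ServerIron, and why Joshua distrusts Client-Ip), here is an added Python model of the access decision that configuration expresses. It is not Apache code and not part of the original message; the proxy address, the user list and all request addresses are constructed stand-ins, and it goes one step beyond the thread by also modelling the alternative Joshua alludes to, taking the proxy-supplied address only when the TCP peer is the known proxy.

```python
import re

# Constructed model of the posted .htaccess; not Apache's own logic.
INTRANET_RE = re.compile(r"^123\.456", re.IGNORECASE)  # SetEnvIfNoCase ... ^123\.456
TRUSTED_PROXIES = {"10.0.0.1"}                           # hypothetical ServerIron address
HTDIGEST_USERS = {"alice"}                               # stand-in for htdigest.txt


def effective_client_ip(remote_addr, headers, mode):
    """Return the address the INTRANET rule is matched against.

    mode == "remote_addr"   : REMOTE_ADDR only (what 'Allow from x.x.x.x' uses).
    mode == "header_always" : the Client-Ip header from any peer, which is what
                              'SetEnvIfNoCase Client-Ip ...' does as posted.
    mode == "header_proxy"  : the Client-Ip header only when the peer is a
                              trusted proxy; otherwise fall back to REMOTE_ADDR.
    """
    if mode == "header_always":
        return headers.get("Client-Ip", "")
    if mode == "header_proxy" and remote_addr in TRUSTED_PROXIES:
        return headers.get("Client-Ip", "")
    return remote_addr


def host_allowed(client_ip):
    """Order Deny,Allow / Deny from all / Allow from env=INTRANET."""
    intranet = INTRANET_RE.match(client_ip) is not None  # env INTRANET set?
    denied = True         # Deny from all
    allowed = intranet    # Allow from env=INTRANET
    # With Order Deny,Allow the Allow list is evaluated last, so a matching
    # Allow overrides the Deny; the default when nothing matches is allow.
    return allowed or not denied


def decide(remote_addr, headers, user, mode="remote_addr"):
    """Satisfy Any: either the host rule or a valid Digest user grants access."""
    if host_allowed(effective_client_ip(remote_addr, headers, mode)):
        return "200 host-rule"
    if user in HTDIGEST_USERS:        # Require valid-user
        return "200 valid-user"
    return "401"


if __name__ == "__main__":
    behind_proxy = ("10.0.0.1", {"Client-Ip": "123.456.7.8"})
    direct_peer = ("203.0.113.9", {"Client-Ip": "123.456.0.1"})
    for mode in ("remote_addr", "header_always", "header_proxy"):
        print(mode, decide(*behind_proxy, None, mode), decide(*direct_peer, None, mode))
```

The "remote_addr" column shows why the plain Allow form did not work for Ara: behind the load balancer REMOTE_ADDR is the proxy's address, so intranet users fall through to the Digest challenge. The "header_always" column reproduces the posted configuration and also shows the cost Joshua points out: the same header from a peer that is not the proxy is accepted too, because nothing ties the header to who sent it. The "header_proxy" column keeps the intranet shortcut while honouring the header only from the ServerIron, which is the property a module that rewrites REMOTE_ADDR from a proxy header would also need.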

