Apache 2.4 authenticate anonymous users but allow others by IP












3















I am trying to configure Apache to allow users from a selection of IPs access to a Flask application without authentication, but to challenge any other users for credentials.



As things stand I have the following configuration:



<directory /var/www/flaskapp>
WSGIProcessGroup flaskapp
WSGIApplicationGroup %{GLOBAL}
WSGIScriptReloading On
WSGIPassAuthorization On
Order deny,allow
AuthType Basic
AuthName "Restricted area - authorised users only"
AuthUserFile "/usr/local/apache/passwd"
<RequireAll>
<RequireAny>
Require ip 1.1.1.1
</RequireAny>
Require valid-user
</RequireAll>
</directory>


This isn't working, and is instead prompting all users for authentication.



I should mention that I have used htpasswd to create a user file at the location /usr/local/apache/passwd as indicated in the config.










share|improve this question



























    3















    I am trying to configure Apache to allow users from a selection of IPs access to a Flask application without authentication, but to challenge any other users for credentials.



    As things stand I have the following configuration:



    <directory /var/www/flaskapp>
    WSGIProcessGroup flaskapp
    WSGIApplicationGroup %{GLOBAL}
    WSGIScriptReloading On
    WSGIPassAuthorization On
    Order deny,allow
    AuthType Basic
    AuthName "Restricted area - authorised users only"
    AuthUserFile "/usr/local/apache/passwd"
    <RequireAll>
    <RequireAny>
    Require ip 1.1.1.1
    </RequireAny>
    Require valid-user
    </RequireAll>
    </directory>


    This isn't working, and is instead prompting all users for authentication.



    I should mention that I have used htpasswd to create a user file at the location /usr/local/apache/passwd as indicated in the config.










    share|improve this question

























      3












      3








      3


      2






      I am trying to configure Apache to allow users from a selection of IPs access to a Flask application without authentication, but to challenge any other users for credentials.



      As things stand I have the following configuration:



      <directory /var/www/flaskapp>
      WSGIProcessGroup flaskapp
      WSGIApplicationGroup %{GLOBAL}
      WSGIScriptReloading On
      WSGIPassAuthorization On
      Order deny,allow
      AuthType Basic
      AuthName "Restricted area - authorised users only"
      AuthUserFile "/usr/local/apache/passwd"
      <RequireAll>
      <RequireAny>
      Require ip 1.1.1.1
      </RequireAny>
      Require valid-user
      </RequireAll>
      </directory>


      This isn't working, and is instead prompting all users for authentication.



      I should mention that I have used htpasswd to create a user file at the location /usr/local/apache/passwd as indicated in the config.










      share|improve this question














      I am trying to configure Apache to allow users from a selection of IPs access to a Flask application without authentication, but to challenge any other users for credentials.



      As things stand I have the following configuration:



      <directory /var/www/flaskapp>
      WSGIProcessGroup flaskapp
      WSGIApplicationGroup %{GLOBAL}
      WSGIScriptReloading On
      WSGIPassAuthorization On
      Order deny,allow
      AuthType Basic
      AuthName "Restricted area - authorised users only"
      AuthUserFile "/usr/local/apache/passwd"
      <RequireAll>
      <RequireAny>
      Require ip 1.1.1.1
      </RequireAny>
      Require valid-user
      </RequireAll>
      </directory>


      This isn't working, and is instead prompting all users for authentication.



      I should mention that I have used htpasswd to create a user file at the location /usr/local/apache/passwd as indicated in the config.







      apache-2.4 .htaccess flask






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 2 days ago









      btongeorgebtongeorge

      516




      516






















          2 Answers
          2






          active

          oldest

          votes


















          8














          You only need the RequireAny condition:




          <RequireAny> and </RequireAny> are used to enclose a group of authorization directives of which one must succeed in order for the <RequireAny> directive to succeed.




          <RequireAny>
          Require ip 1.1.1.1
          Require valid-user
          </RequireAny>





          share|improve this answer
























          • Oh yeah, I missed that..."Cleaner" solution.

            – Lenniey
            2 days ago



















          2














          As you are running Apache 2.4 you can use expressions. In your case that would be:



          <If "%{REMOTE_ADDR} != '127.0.0.1'">
          AuthType Basic
          AuthName "Restricted area - authorised users only"
          AuthUserFile usr/local/apache/passwd
          require valid-user
          </If>


          CIDR notation is supported, too. E.g.:



          <If "%{REMOTE_ADDR} != '192.168.0.0/24'">
          AuthType Basic
          AuthName "Restricted area - authorised users only"
          AuthUserFile usr/local/apache/passwd
          require valid-user
          </If>





          share|improve this answer























            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "2"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f948262%2fapache-2-4-authenticate-anonymous-users-but-allow-others-by-ip%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            8














            You only need the RequireAny condition:




            <RequireAny> and </RequireAny> are used to enclose a group of authorization directives of which one must succeed in order for the <RequireAny> directive to succeed.




            <RequireAny>
            Require ip 1.1.1.1
            Require valid-user
            </RequireAny>





            share|improve this answer
























            • Oh yeah, I missed that..."Cleaner" solution.

              – Lenniey
              2 days ago
















            8














            You only need the RequireAny condition:




            <RequireAny> and </RequireAny> are used to enclose a group of authorization directives of which one must succeed in order for the <RequireAny> directive to succeed.




            <RequireAny>
            Require ip 1.1.1.1
            Require valid-user
            </RequireAny>





            share|improve this answer
























            • Oh yeah, I missed that..."Cleaner" solution.

              – Lenniey
              2 days ago














            8












            8








            8







            You only need the RequireAny condition:




            <RequireAny> and </RequireAny> are used to enclose a group of authorization directives of which one must succeed in order for the <RequireAny> directive to succeed.




            <RequireAny>
            Require ip 1.1.1.1
            Require valid-user
            </RequireAny>





            share|improve this answer













            You only need the RequireAny condition:




            <RequireAny> and </RequireAny> are used to enclose a group of authorization directives of which one must succeed in order for the <RequireAny> directive to succeed.




            <RequireAny>
            Require ip 1.1.1.1
            Require valid-user
            </RequireAny>






            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 2 days ago









            Gerald SchneiderGerald Schneider

            6,01412345




            6,01412345













            • Oh yeah, I missed that..."Cleaner" solution.

              – Lenniey
              2 days ago



















            • Oh yeah, I missed that..."Cleaner" solution.

              – Lenniey
              2 days ago

















            Oh yeah, I missed that..."Cleaner" solution.

            – Lenniey
            2 days ago





            Oh yeah, I missed that..."Cleaner" solution.

            – Lenniey
            2 days ago













            2














            As you are running Apache 2.4 you can use expressions. In your case that would be:



            <If "%{REMOTE_ADDR} != '127.0.0.1'">
            AuthType Basic
            AuthName "Restricted area - authorised users only"
            AuthUserFile usr/local/apache/passwd
            require valid-user
            </If>


            CIDR notation is supported, too. E.g.:



            <If "%{REMOTE_ADDR} != '192.168.0.0/24'">
            AuthType Basic
            AuthName "Restricted area - authorised users only"
            AuthUserFile usr/local/apache/passwd
            require valid-user
            </If>





            share|improve this answer




























              2














              As you are running Apache 2.4 you can use expressions. In your case that would be:



              <If "%{REMOTE_ADDR} != '127.0.0.1'">
              AuthType Basic
              AuthName "Restricted area - authorised users only"
              AuthUserFile usr/local/apache/passwd
              require valid-user
              </If>


              CIDR notation is supported, too. E.g.:



              <If "%{REMOTE_ADDR} != '192.168.0.0/24'">
              AuthType Basic
              AuthName "Restricted area - authorised users only"
              AuthUserFile usr/local/apache/passwd
              require valid-user
              </If>





              share|improve this answer


























                2












                2








                2







                As you are running Apache 2.4 you can use expressions. In your case that would be:



                <If "%{REMOTE_ADDR} != '127.0.0.1'">
                AuthType Basic
                AuthName "Restricted area - authorised users only"
                AuthUserFile usr/local/apache/passwd
                require valid-user
                </If>


                CIDR notation is supported, too. E.g.:



                <If "%{REMOTE_ADDR} != '192.168.0.0/24'">
                AuthType Basic
                AuthName "Restricted area - authorised users only"
                AuthUserFile usr/local/apache/passwd
                require valid-user
                </If>





                share|improve this answer













                As you are running Apache 2.4 you can use expressions. In your case that would be:



                <If "%{REMOTE_ADDR} != '127.0.0.1'">
                AuthType Basic
                AuthName "Restricted area - authorised users only"
                AuthUserFile usr/local/apache/passwd
                require valid-user
                </If>


                CIDR notation is supported, too. E.g.:



                <If "%{REMOTE_ADDR} != '192.168.0.0/24'">
                AuthType Basic
                AuthName "Restricted area - authorised users only"
                AuthUserFile usr/local/apache/passwd
                require valid-user
                </If>






                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 2 days ago









                LennieyLenniey

                2,50121022




                2,50121022






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Server Fault!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f948262%2fapache-2-4-authenticate-anonymous-users-but-allow-others-by-ip%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    1300-talet

                    1300-talet

                    Has there ever been an instance of an active nuclear power plant within or near a war zone?