1

I want to use 'Limit' to allow GETs and POSTs, to a page requiring authentication, from only certain sites. I want authentication for GETs and POSTs from a certain IP, who should be able to access without authenticating.

<Limit GET POST>
allow from allowableSite.com
</Limit>

This doesn't work. Everything is unauthorized

<Limit GET POST>
allow from all
</Limit>

This doesn't work either. Everything is still unauthorized (401)

The only thing that gets past the authentication is this

<Limit GET POST>
satisfy any
</Limit>

Then, any GET or POST will be successful... But this is not what I want since I only want access to be available from a certain site. And 'allow' is not working as expected. Could something be configured somewhere else that is causing this behaviour? Any help is much appreciated.

MF86
  • 73
  • 1
  • 3
  • 7

1 Answers1

3

This is a little tough without seeing more of your config.. Since the Satisfy fixed it, I'm guessing there's a Require applying to this location. The Satisfy any directive makes it so that matching either the Allow (with your source host) or the Require (with your user) will allow access.

Using a hostname with Allow is an initial suspect; it depends on forward and reverse DNS being flawless for the client. I'm a little unclear on what you mean by "from only certain sites"; you need for the Allow directive to be inclusive of all allowed client systems. If all of their forward and reverse DNS doesn't match exactly to what you've specified, then that'd break it.

Also, your use of <Limit> depends on there being a Deny from all outside the block to restrict other methods.. so if the Order is set to Allow,Deny, that'll break it. <LimitExcept> is better when possible, since you can be more explicit about blocking unwanted methods; <Limit> risks unintended access from higher up.

I'm gonna define stuff explicitly that you probably have elsewhere, but I want to make sure that something from elsewhere can't break it (except a Deny; make sure there's no extra of those higher up..):

Order Allow,Deny
# allowed subnet
Allow from 10.5.1.0/24
# allowed host
Allow from 86.12.76.12

AuthType Basic
AuthName "blah"
AuthUserFile /path/to/htpasswd
Require valid-user

Satisfy all

<LimitExcept GET POST>
    Deny from all
</LimitExcept>
Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • Thanks for the help! In my sites-enabled folder, for the site in question, there is a "Order allow, deny". So from what I understand, this means I can't use 'Limit'. I changed the directive to LimitExcept, with Deny from all, but that doesn't work either. I may not have been clear with what I want to accomplish. I want authentication for everyone except the domain in question, which should be able to access the site without using authentication. – MF86 Apr 05 '11 at 17:17
  • I seem to have gotten it working by doing Order allow,deny Allow from [ip addresses] Satisfy any – MF86 Apr 05 '11 at 17:54
  • @MF86 Yup - `Satisfy any` is for either enforcing host identity or user authentication, and not both. – Shane Madden Apr 05 '11 at 18:27