I tried to do this with Require local and Require valid-user, but it looks like Require local overrides valid-user, so local access doesn't need to authenticate.

AuthName "Authenticate"
AuthType Basic
AuthUserFile "/home/tmp/.htpassword"
Require local
Require valid-user

When I remove the Require local, authentication works, but it allows access from outside. So how do I configure this so that I only allow local access with a valid user?

Yuan Chen

1 Answer

From Apache 2.4 you have the option to use the RequireAll grouping Directive:

<Directory /some/path>
    AuthName "Authenticate"
    AuthType Basic
    AuthUserFile "/home/tmp/.htpassword"
    <RequireAll>
       Require valid-user
       Require ip 192.168.1       
    </RequireAll>               
</Directory>

Without that explicit RequireAll directive, Apache uses an implicit RequireAny, where successfully matching only one of the requirements is sufficient to be granted access.

In Apache 2.2 you had less granular control but could have used the Satisfy directive to instruct Apache on how the Allow and Require directives should be combined.

<Directory /some/path>
    AuthName "Authenticate"
    AuthType Basic
    AuthUserFile "/home/tmp/.htpassword"
    Require valid-user
    Order allow,deny
    Allow from 192.168.1       
    Satisfy All                
</Directory>

This requires both an authenticated user and a client IP address from your local range: in this example 192.168.1.0/24.

HBruijn
  • Hi, I have 2 configurations. One is set in /etc/httpd/config/httpd.conf, which already sets Require local. That file also sets that the directory can override all. But when I try to add RequireAll in the .htaccess of the directory, it is not working. It allows access without requiring the user to authenticate. Then I tried commenting out the Require local in httpd.conf and it works as expected. So how can I combine the 2 files, with httpd.conf unchanged and .htaccess used to override it? This works on Apache 2.2 with the Allow directive, but not on Apache 2.4. – Yuan Chen Dec 06 '14 at 02:03
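
The difference between the implicit RequireAny in the question and the RequireAll in the answer, as an added example that is not part of the original posts: a simplified Python model (not httpd's code) that evaluates both rule sets against constructed requests. The request table, the user name and the `LOCAL_ONLY` variant are assumptions, and `Require local` is modelled as loopback addresses only.

```python
import ipaddress

# Simplified model of Apache 2.4 authorization containers (an illustration,
# not httpd's implementation): every provider returns True (granted) or False.

def require_local(req):
    # Assumption: only the loopback case of "Require local" is modelled.
    return ipaddress.ip_address(req["ip"]).is_loopback

def require_ip(prefix):
    net = ipaddress.ip_network(prefix)
    return lambda req: ipaddress.ip_address(req["ip"]) in net

def require_valid_user(req):
    # "user" is None when no valid Basic credentials were presented.
    return req["user"] is not None

def require_any(*checks):  # implicit container when none is written
    return lambda req: any(check(req) for check in checks)

def require_all(*checks):  # <RequireAll> ... </RequireAll>
    return lambda req: all(check(req) for check in checks)

# The question's two bare Require lines, combined as RequireAny.
QUESTION = require_any(require_local, require_valid_user)
# The answer's block; "Require ip 192.168.1" covers 192.168.1.0/24.
ANSWER = require_all(require_valid_user, require_ip("192.168.1.0/24"))
# Variant (assumption): the asker's own "Require local" inside RequireAll.
LOCAL_ONLY = require_all(require_valid_user, require_local)

# Constructed sample requests; addresses and the user name are made up.
REQUESTS = {
    "loopback, no credentials": {"ip": "127.0.0.1", "user": None},
    "loopback, valid user": {"ip": "127.0.0.1", "user": "alice"},
    "LAN, no credentials": {"ip": "192.168.1.20", "user": None},
    "LAN, valid user": {"ip": "192.168.1.20", "user": "alice"},
    "outside, valid user": {"ip": "203.0.113.9", "user": "alice"},
}

def decisions(policy):
    """Map each sample request to True (granted) or False (denied)."""
    return {name: policy(req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    policies = [("question", QUESTION), ("answer", ANSWER),
                ("local-only", LOCAL_ONLY)]
    for label, policy in policies:
        for name, granted in decisions(policy).items():
            print(f"{label:10} {name:26} {'granted' if granted else 'denied'}")
```

In this model the answer's block also denies an authenticated request arriving over 127.0.0.1, because loopback is outside 192.168.1.0/24; the `LOCAL_ONLY` variant covers that case instead.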