1

I have the following folder structure

domain.com (/public_html/)
sub.domain.com (/public_html/sub/)
sub.domain.com/dir1/ (/public_html/sub/dir1/)
sub.domain.com/dir1/dir2/ (/public_html/sub/dir1/dir2/)

if I put the following in my .htaccess file at any of these directories

DirectoryIndex index.php

require valid-user
<RequireAny>
    Require ip x.x.x.x
</RequireAny>

It has no effect when loading any files in these directories.

Additionally if i want multiple require rules to have and/or then it gets a little more complicated for example

# Allowing Access via Password or one of the following IP Addresses

AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/.htpasswds/.htpasswd

<RequireAll>
require valid-user
<RequireAny>
    Require ip x.x.x.x
    Require ip y.y.y.y
</RequireAny>
</RequireAll>

Apache did follow these rules set, but switching to litespeed enterprise web server has meant that IP restrictions have been ignored

What am I missing here?

Henry Aspden
  • 1,863
  • 3
  • 23
  • 45
  • Do you have any other directives in this `.htaccess` file? Any other `.htaccess` files along the filesystem path? On LiteSpeed the modules execute in a different order, so you can find that mod_rewrite (for instance) ends up overriding mod_authz_core (and related auth mods) - whereas on Apache it's the other way round. – MrWhite Jan 02 '22 at 18:26
  • there are .htaccess files at every level to allow custom access to each directory to a range of IP Addresses. For example I may want only the accounts office to be able to access /organisation/accounts/ whilst them and head office could access /organisation/ – Henry Aspden Jan 02 '22 at 20:21
  • would Satisfy any and Satisfy all be the solution to this? – Henry Aspden Jan 03 '22 at 11:49

1 Answers1

2
require valid-user
<RequireAny>
    Require ip x.x.x.x
</RequireAny>

This would seem to be overkill for Apache 2.4. <RequireAny> is the default container. The above 4 lines is the same as the one-line Require ip x.x.x.x.

However, my experience with LiteSpeed is that it behaves more like an Apache 2.2 server and (annoyingly) silently fails on directives it does not understand (although there might be something logged in the server's error log).

Try the following (Apache 2.2 style) directives instead:

Order Allow,Deny
Allow from x.x.x.x
MrWhite
  • 43,179
  • 8
  • 60
  • 84
  • I've added some more code above explaining why I used because I actually had multiple IPs listed there. The and functions allows me to do a combination of password and/or IP address restrictions however Order Allow,Deny Allow from x.x.x.x wouldn't give me this functionality would it ? – Henry Aspden Jan 02 '22 at 20:23