1

I want to use 'Limit' to allow GETs and POSTs, to a page requiring authentication, from only certain sites. I want authentication for GETs and POSTs from a certain IP, who should be able to access without authenticating.

<Limit GET POST> allow from allowableSite.com </Limit>

This doesn't work. Everything is unauthorized

<Limit GET POST> allow from all </Limit>

This doesn't work either. Everything is still unauthorized (401)

The only thing that gets past the authentication is this

<Limit GET POST> satisfy any </Limit>

Then, any GET or POST will be successful... But this is not what I want since I only want access to be available from a certain site. And 'allow' is not working as expected. Could something be configured somewhere else that is causing this behaviour? Any help is much appreciated.

Improve this question

1 Answer 1

Reset to default
3

This is a little tough without seeing more of your config.. Since the Satisfy fixed it, I'm guessing there's a Require applying to this location. The Satisfy any directive makes it so that matching either the Allow (with your source host) or the Require (with your user) will allow access.

Using a hostname with Allow is an initial suspect; it depends on forward and reverse DNS being flawless for the client. I'm a little unclear on what you mean by "from only certain sites"; you need for the Allow directive to be inclusive of all allowed client systems. If all of their forward and reverse DNS doesn't match exactly to what you've specified, then that'd break it.

Also, your use of <Limit> depends on there being a Deny from all outside the block to restrict other methods.. so if the Order is set to Allow,Deny, that'll break it. <LimitExcept> is better when possible, since you can be more explicit about blocking unwanted methods; <Limit> risks unintended access from higher up.

I'm gonna define stuff explicitly that you probably have elsewhere, but I want to make sure that something from elsewhere can't break it (except a Deny; make sure there's no extra of those higher up..):

Order Allow,Deny # allowed subnet Allow from 10.5.1.0/24 # allowed host Allow from 86.12.76.12 AuthType Basic AuthName "blah" AuthUserFile /path/to/htpasswd Require valid-user Satisfy all <LimitExcept GET POST> Deny from all </LimitExcept>
Improve this answer
3
  • Thanks for the help! In my sites-enabled folder, for the site in question, there is a "Order allow, deny". So from what I understand, this means I can't use 'Limit'. I changed the directive to LimitExcept, with Deny from all, but that doesn't work either. I may not have been clear with what I want to accomplish. I want authentication for everyone except the domain in question, which should be able to access the site without using authentication. Commented Apr 5, 2011 at 17:17
  • I seem to have gotten it working by doing <Limit GET POST> Order allow,deny Allow from [ip addresses] Satisfy any </Limit> Commented Apr 5, 2011 at 17:54
  • @MF86 Yup - Satisfy any is for either enforcing host identity or user authentication, and not both. Commented Apr 5, 2011 at 18:27

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.