Allow IPs to Bypass Apache Authentication


When using Apache’s user authentication there is often a need to have a whitelist of IPs that can bypass it. This is a pretty straightforward process but it can appear unintuitive at first.

Here is an example configuration snippet:

# Example path; set this to the URL path you want to protect
<Location />
    AuthName "Protected Site"
    AuthType Basic
    AuthUserFile /path/to/the/htpassword/file
    Require valid-user
    Deny from all
    Allow from 192.168.0. 172.16.1.1
    Satisfy Any
    Order deny,allow
</Location>

The first four directives are pretty standard: they force everyone to enter a valid username and password to proceed. The lines after these deal with IP access control.

The next line, Deny from all, denies access to all IPs. The Allow from directive specifies the space-separated list of IPs to allow through. Note that incomplete IPs are used to specify ranges. In this case, 192.168.0. means the whole of the 192.168.0.0/24 range, i.e. 192.168.0.1-192.168.0.254.

The next directive, Satisfy, is very important. By using Require and Deny/Allow you’ve restricted access to requests that have both valid credentials and a valid IP address. We want it to be an either/or situation, which is what Satisfy Any specifies. Thus, users on those ranges will not have to type in a username and password.

Finally, we need to specify the order in which the IP restrictions are processed. While the order is fairly obvious just by looking at the line, what is important to note is that if the Allow directive is processed first, any requests that don’t meet the criteria are denied. If Deny is processed first, a request is only denied if it also doesn’t match any Allows.
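
To see how Order and Satisfy combine for the snippet above, here is a small model of the decision in Python. It is an added example, not code from the original post or from Apache; the function names are hypothetical, it follows Apache 2.2 semantics, and it only handles the forms used on this page ("all", full IPs and partial IPs).

```python
# Added example: models the page's Order/Allow/Deny/Satisfy logic (Apache 2.2 semantics).
# Function names are hypothetical; only "all", full IPs and partial IPs are handled.

ALLOW = ["192.168.0.", "172.16.1.1"]   # "Allow from" list from the snippet
DENY = ["all"]                          # "Deny from all"


def host_matches(spec, ip):
    """Return True if the client IP matches one Allow/Deny entry."""
    if spec.lower() == "all":
        return True
    want = spec.rstrip(".").split(".")
    # Compare whole octets: "192.168.0." covers 192.168.0.x but not 192.168.1.x,
    # and the full address 172.16.1.1 does not cover 172.16.1.10.
    return ip.split(".")[:len(want)] == want


def host_allowed(order, ip, allow=ALLOW, deny=DENY):
    """Evaluate the host-based check for the given Order."""
    allowed = any(host_matches(s, ip) for s in allow)
    denied = any(host_matches(s, ip) for s in deny)
    if order == "deny,allow":
        # Deny runs first, Allow can override it; unmatched requests are allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow runs first, any Deny match rejects; unmatched requests are denied.
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def access_granted(ip, credentials_ok, order="deny,allow", satisfy="any"):
    """Combine the host check with the Require valid-user check."""
    host_ok = host_allowed(order, ip)
    if satisfy == "any":
        return host_ok or credentials_ok
    if satisfy == "all":
        return host_ok and credentials_ok
    raise ValueError("unknown Satisfy: " + satisfy)


if __name__ == "__main__":
    # Constructed sample clients: (address, has valid credentials)
    for ip, creds in [("192.168.0.57", False), ("172.16.1.10", False),
                      ("203.0.113.9", True), ("203.0.113.9", False)]:
        print(ip, creds, access_granted(ip, creds))
```

Calling access_granted with order="allow,deny" shows why the Order line matters: Deny from all then rejects every host, so whitelisted clients are asked for credentials like everyone else.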
