When using Apache’s user authentication there is often a need to have a whitelist of IPs that can bypass it. This is a pretty straightforward process but it can appear unintuitive at first.
Here is an example configuration snippet (replace the placeholder Location path and password file path with your own):

```apache
<Location /path/to/protect>
    AuthName "Protected Site"
    AuthType Basic
    AuthUserFile /path/to/the/htpassword/file
    Require valid-user
    Deny from all
    Allow from 192.168.0. 172.16.1.1
    Satisfy Any
    Order deny,allow
</Location>
```
The first four lines are pretty standard - they force everyone to enter a valid username and password to proceed. The lines after these deal with IP access control.
The next line, Deny from all, denies access to all IPs. The Allow from directive specifies the space-separated list of IPs to allow through. Note that incomplete IPs are used to specify ranges. In this example, 192.168.0. means the whole of the 192.168.0.0/24 range.
The next directive, Satisfy, is very important. By using Deny/Allow you’ve restricted access to valid credentials and a valid IP address. We want it to be an either/or situation, which Satisfy Any specifies. Thus, users on those ranges will not have to type in a username and password.
Finally, we need to specify the order in which the IP restrictions are processed. While the order is fairly obvious just by looking at the line, what is important to note is that if the Allow directive is processed first, any requests that don’t meet the criteria are denied. If Deny is processed first, a request is only denied if it also doesn’t match any Allow directive.
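The interaction of Order, Allow/Deny and Satisfy described above can be checked with a small model. This is an added example, not code from the original post or from Apache: the function names are hypothetical, the client addresses are constructed, and only IPv4 address arguments (full, partial, CIDR, or all) are modelled.

```python
import ipaddress

# Allow/Deny arguments from the snippet in this post
ALLOW = ["192.168.0.", "172.16.1.1"]
DENY = ["all"]

def host_matches(spec, client_ip):
    """Match one Allow/Deny argument: 'all', a full or partial IPv4 address, or CIDR.
    Hostname arguments are not modelled."""
    if spec.lower() == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    octets = [o for o in spec.split(".") if o]
    # A partial address covers whole leading octets: "192.168.0." == 192.168.0.0/24
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ip in ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def host_allowed(order, allow, deny, client_ip):
    """Host check as the Order directive defines it."""
    allowed = any(host_matches(s, client_ip) for s in allow)
    denied = any(host_matches(s, client_ip) for s in deny)
    if order == "deny,allow":
        return allowed or not denied   # default allow; Allow overrides Deny
    if order == "allow,deny":
        return allowed and not denied  # default deny; Deny overrides Allow
    raise ValueError(f"unsupported Order: {order}")

def access_granted(satisfy, order, allow, deny, client_ip, valid_user):
    """Combine the host check and the password check the way Satisfy does."""
    host_ok = host_allowed(order, allow, deny, client_ip)
    if satisfy == "any":
        return host_ok or valid_user
    return host_ok and valid_user      # Satisfy All

if __name__ == "__main__":
    # Constructed clients, all without credentials
    for ip in ["192.168.0.57", "172.16.1.1", "172.16.1.2", "192.168.10.5"]:
        print(ip, access_granted("any", "deny,allow", ALLOW, DENY, ip, False))
    # Wrong Order: Deny from all overrides the whitelist, so the bypass is lost
    print(access_granted("any", "allow,deny", ALLOW, DENY, "192.168.0.57", False))
    # Deny from all omitted: the host check passes for everyone, so no password at all
    print(access_granted("any", "deny,allow", ALLOW, [], "203.0.113.9", False))
```

The last case is the one to audit for: with Satisfy Any and Order deny,allow, leaving out Deny from all makes the host check pass for every client, so authentication is never required.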