Posts

Showing posts from July, 2017

Apache 2.4 authentication and whitelisting scenarios

I have these examples scattered among many Apache installations, so I wanted to gather my notes here for my benefit, and hopefully for others as well. The following scenarios depict various requirements for Apache 2.4 authentication and whitelisting. They are all for Apache 2.4.x running on Ubuntu 14.04/16.04.

Scenario 1: block all access to Apache except to a list of whitelisted IP addresses and networks

Apache configuration snippet:

  <Directory /var/www/html/>
     IncludeOptional /etc/apache2/whitelist.conf
     Order allow,deny
     Allow from all
  </Directory>

Contents of whitelist.conf file:

# local server IPs
Require ip 127.0.0.1
Require ip 172.31.2.2

# Office network
Require ip 1.2.3.0/24

# Other IP addresses
Require ip 4.5.6.7/32
Require ip 5.6.7.8/32
etc.

Scenario 2: enable basic HTTP authentication but allow specific IP addresses through with no authentication

Apache configuration snippet:

  <Directory /var/www/html/>
     AuthType basic
     AuthBasicProvider file
     Aut…