3

We're using Apache as a reverse proxy, so some of our internal development/testing servers are accessible on the open Internet for UAT/CAT purposes.

We have basic authentication setup through LDAP servers, but we have some sites were we need to whitelist some specific IPs so that they can access the server without going through authentication.

I'm not sure if adding another section like this, above the current one, would work:

<proxy *>
 Require all granted
 Require ip x.x.x.x y.y.y.y
</proxy>

Here's what the .conf file currently looks like:

<VirtualHost *:80>
  ServerName some.server.url

  ## Vhost docroot
  DocumentRoot "/var/www"

  ## Directories, there should at least be a declaration for /var/www

  <Directory "/var/www">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/some.server.url_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/some.server.url_access.log" combined

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost Off
  ProxyPass /robots.txt !
  ProxyPassReverse /robots.txt !
  ProxyPass / https://some.server.url/ acquire=3000 keepalive=On retry=0 timeout=1800
  ProxyPassReverse / https://some.server.url/

  ## Custom fragment
  <proxy *>
    AuthBasicProvider ldap-client-websites ldap-sidlee-dig
    AuthType Basic
    AuthName "GRM CRHA UAT"
    Require valid-user
  </proxy>

</VirtualHost>
Improve this question

2 Answers 2

Reset to default
2

No, don't add a second <proxy *> block, as it will conflict with the first one.

Instead, change your existing <proxy *> block to this:

## Custom fragment
<proxy *>
    AuthBasicProvider ldap-client-websites ldap-sidlee-dig
    AuthType Basic
    AuthName "GRM CRHA UAT"
    <RequireAny>
        Require ip x.x.x.x y.y.y.y
        Require valid-user
    </RequireAny>
</proxy>

</VirtualHost>

This way, satisfying just one of the Require directives within the <RequireAny> group is enough to allow access. So, either having a matching IP address or successful authentication will be required to allow access.

Improve this answer
0

I've never been able to accomplish anything like this using proxy's within Apache.

I would be tempted to setup an additional proxy that's dedicated to another TCP port and then define this second port in a similar manner. You could then disable the authentication for the second port.

This second port could then have a IPTables rule created, that would restrict access to the IP that you want to allow into the system.

I'll caution you that this is a somewhat involved process and would consider carefully if you in fact want to go this route.

Improve this answer
1
  • 1
    Thanks for the answer. Not really what I was hoping for, but at least I know what to expect. Thanks! Commented Jul 25, 2018 at 18:08

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.