Apache2 - authorize users against a Location using BasicAuth but ONLY for users outside local subnet

Bo Jeanes picture Bo Jeanes · Feb 24, 2009 · Viewed 12.2k times · Source

In my Apache 2 config I have a VirtualHost which looks something like this:

<VirtualHost *:80>
  ServerName sub.domain.com

  # username:password sent on to endpoint
  RequestHeader set Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=="

  ProxyPass        /xyz http://192.168.1.253:8080/endpoint
  ProxyPassReverse /xyz http://192.168.1.253:8080/endpoint

  <Location /xyz>
    # This needs to let users through under the following circumstances
    #   * They are in 192.168.1.0/24
    #   * They have a valid user in a htpasswd file

    # So what goes here?
  </Location>
</VirtualHost>

I am using the virtual host as reverse proxy to another server (which I will call the endpoint) on the network.

I am trying to figure out a configuration that would allow users inside the network browsing to sub.domain.com to automatically be served the endpoint. However, users outside the network should be prompted for credentials

The endpoint requires a password which I have hidden by using RequestHeader (which I want). The password external users should be prompted by is DIFFERENT and will need to be BasicAuth, getting it's user list from a htpasswd file.

Answer

David Z picture David Z · Feb 24, 2009
<Location /xyz>
  # This needs to let users through under the following circumstances
  #   * They are in 192.168.1.0/24
  #   * They have a valid user in a htpasswd file

Right out of http://httpd.apache.org/docs/2.2/mod/core.html#satisfy:

  Require valid-user
  Order allow,deny
  Allow from 192.168.1
  Satisfy any

Of course, you also need to include your AuthUserFile or whatever directives

  AuthType basic
  AuthName "yadayadayada"
  AuthUserFile /foo/bar/blah/.htpasswd
</Location>