How can I set the basic auth of Apache 2.2 to bypass by IP? I have followed this wiki http://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements , but it always asks for a password, even for the listed IPs:
<Directory /var/www/html/mydir>
    AuthName "Private"
    AuthType Basic
    AuthUserFile "/etc/httpd/htpasswd"
    Require valid-user
    Order allow,deny
    Allow from 111.111.111.111 222.222.222.222
    Satisfy any
</Directory>
I am under haproxy, but I set the IP forward. I have set LogFormat in this way:
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
access_log is:
111.111.111.111 - - [25/Oct/2016:12:35:41 +0200] "GET /index.html HTTP/1.1" 401 487 "-" "Mozilla/5.0 (X11; Linux armv7l; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.7.0"
Your configuration is fine and is very standard. If you are using haproxy then the source IP address of all requests is the haproxy itself and it is this IP address that the allow from directive is checked against, not the contents of the X-Forwarded-For header.
There are several ways to fix this. With Apache v2.2 you can use a 3rd party module such as mod_custom_headers (http://support.en.ctx.org.cn/ctx109555.citrix sorry the original citrix page seems to have moved or been removed) or possibly mod_rpaf (I've not used it before and so can't be sure if it causes allow from to work correctly).
These modules modify the data Apache holds about the request so that the source IP becomes the value from a named header set by your proxy (such as X-Forwarded-For).
Alternatively you can upgrade to Apache v2.4 and use mod_remoteip, which does the same thing.
Note there is also an Apache configuration solution by which you set your own header on the haproxy (or you can use the X-Forwarded-For one if you trust it). Something like:
But I'll admit it's a little clunky for multiple IP addresses.
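One way to write the header-based approach described in the answer above for Apache 2.2, as an added example that is not part of the original answer. The variable name bypass_auth is hypothetical, and the haproxy line in the comments is an assumption about the proxy setup; the bypass is only as trustworthy as the header, so Apache must be reachable only through haproxy.

```apache
# Added example, Apache 2.2 (mod_setenvif + mod_authz_host).
#
# Assumption: haproxy is the only host that can connect to this Apache, and
# it overwrites any client-supplied X-Forwarded-For, e.g. in the backend:
#     http-request set-header X-Forwarded-For %[src]
# With plain "option forwardfor" haproxy appends its own header instead, so a
# value sent by the client can still appear earlier in the comma-separated
# list Apache sees. The patterns below therefore match only the LAST entry.

# Set the (hypothetical) variable bypass_auth when the last X-Forwarded-For
# entry is one of the exempt addresses from the question.
SetEnvIf X-Forwarded-For "(^|,\s*)111\.111\.111\.111\s*$" bypass_auth
SetEnvIf X-Forwarded-For "(^|,\s*)222\.222\.222\.222\s*$" bypass_auth

<Directory /var/www/html/mydir>
    AuthName "Private"
    AuthType Basic
    AuthUserFile "/etc/httpd/htpasswd"
    Require valid-user

    # Host-based access now keys on the variable rather than on the TCP
    # peer address, which is always haproxy.
    Order allow,deny
    Allow from env=bypass_auth

    # Either a valid login or the Allow rule is sufficient.
    Satisfy any
</Directory>
```

An unanchored pattern such as 111\.111\.111\.111 would also match a forged first entry in the header, which is why each expression is tied to the end of the value.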