Apache Limit directive not working as expected

Tags: .htaccess, apache-2.2

I want to use 'Limit' to allow GETs and POSTs, to a page requiring authentication, from only certain sites. I want authentication for GETs and POSTs from a certain IP, who should be able to access without authenticating.

<Limit GET POST>
allow from allowableSite.com
</Limit>

This doesn't work. Everything is unauthorized.

<Limit GET POST>
allow from all
</Limit>

This doesn't work either. Everything is still unauthorized (401).

The only thing that gets past the authentication is this:

<Limit GET POST>
satisfy any
</Limit>

Then, any GET or POST will be successful… But this is not what I want since I only want access to be available from a certain site. And 'allow' is not working as expected.
Could something be configured somewhere else that is causing this behaviour? Any help is much appreciated.

Best Answer

This is a little tough without seeing more of your config. Since the Satisfy fixed it, I'm guessing there's a Require applying to this location. The Satisfy any directive makes it so that matching either the Allow (with your source host) or the Require (with your user) will allow access.

Using a hostname with Allow is an initial suspect; it depends on forward and reverse DNS being flawless for the client. I'm a little unclear on what you mean by "from only certain sites"; you need for the Allow directive to be inclusive of all allowed client systems. If all of their forward and reverse DNS doesn't match exactly to what you've specified, then that'd break it.

Also, your use of <Limit> depends on there being a Deny from all outside the block to restrict other methods, so if the Order is set to Allow,Deny, that'll break it. <LimitExcept> is better when possible, since you can be more explicit about blocking unwanted methods; <Limit> risks unintended access from higher up.

I'm gonna define stuff explicitly that you probably have elsewhere, but I want to make sure that something from elsewhere can't break it (except a Deny; make sure there's no extra of those higher up):

Order Allow,Deny
# allowed subnet
Allow from 10.5.1.0/24
# allowed host
Allow from 86.12.76.12

AuthType Basic
AuthName "blah"
AuthUserFile /path/to/htpasswd
Require valid-user

Satisfy all

<LimitExcept GET POST>
    Deny from all
</LimitExcept>
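To make the interaction between Order/Allow/Deny, Require valid-user, Satisfy and <Limit>/<LimitExcept> concrete, here is an added Python model of the Apache 2.2 semantics that both the question and the answer rely on. It is not Apache code and not part of the question or the answer. `asker_config` is an assumed reconstruction of the questioner's setup (no Deny anywhere, so Order keeps its Deny,Allow default, with the Require living elsewhere), `answer_config` encodes the directives from the answer, and the PTR/FORWARD tables are constructed DNS data standing in for the double-reverse lookup Apache performs for a hostname-based Allow.

```python
"""Toy evaluator for Apache 2.2 access control: Order / Allow / Deny
(mod_authz_host), Require valid-user, Satisfy, and <Limit>/<LimitExcept>.
Added illustration written from the documented semantics, not Apache code.
Hostname patterns use a constructed DNS table that mimics Apache's
double-reverse lookup (PTR, then a forward lookup that must return the IP).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed DNS data (not real records): 203.0.113.6 has a PTR but no
# matching A record, the kind of mismatch the answer warns about.
PTR = {"203.0.113.5": "www.allowablesite.com", "203.0.113.6": "www.allowablesite.com"}
FORWARD = {"www.allowablesite.com": {"203.0.113.5"}}

GET_POST = frozenset({"GET", "POST"})


@dataclass
class Request:
    method: str
    client_ip: str
    authenticated: bool = False     # True when valid-user credentials were sent


@dataclass
class Rule:
    kind: str                       # "allow" or "deny"
    pattern: str                    # "all", an IP, a CIDR, or a (partial) hostname
    methods: Optional[frozenset] = None   # None: every method; else the <Limit> list
    limit_except: bool = False      # True when the rule sits in <LimitExcept>

    def applies_to(self, method: str) -> bool:
        if self.methods is None:
            return True
        inside = method in self.methods
        return (not inside) if self.limit_except else inside

    def matches(self, ip: str) -> bool:
        if self.pattern == "all":
            return True
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(self.pattern, strict=False)
        except ValueError:
            pass                    # not an address or CIDR: treat it as a hostname
        name = PTR.get(ip)
        if name is None or ip not in FORWARD.get(name, set()):
            return False            # reverse or forward lookup failed: no match
        return name == self.pattern or name.endswith("." + self.pattern)


@dataclass
class Config:
    order: str = "Deny,Allow"       # Apache's default when no Order is given
    rules: list = field(default_factory=list)
    require_valid_user: bool = False
    satisfy: str = "all"            # Apache's default


def host_allowed(cfg: Config, req: Request) -> bool:
    """Allow,Deny: denied unless some Allow matches and no Deny does.
    Deny,Allow: allowed unless some Deny matches and no Allow does."""
    live = [r for r in cfg.rules if r.applies_to(req.method)]
    allowed = any(r.kind == "allow" and r.matches(req.client_ip) for r in live)
    denied = any(r.kind == "deny" and r.matches(req.client_ip) for r in live)
    if cfg.order.lower() == "allow,deny":
        return allowed and not denied
    return allowed or not denied


def status(cfg: Config, req: Request) -> int:
    """HTTP status the request gets: 200, 401 (credentials would help) or 403."""
    host_ok = host_allowed(cfg, req)
    if not cfg.require_valid_user:
        return 200 if host_ok else 403
    if cfg.satisfy.lower() == "any":
        return 200 if (host_ok or req.authenticated) else 401
    if not host_ok:
        return 403
    return 200 if req.authenticated else 401


def asker_config(satisfy: str) -> Config:
    """Assumed reconstruction of the question: no Deny anywhere (so Order stays
    at its Deny,Allow default), Allow inside <Limit GET POST>, Require elsewhere."""
    return Config(rules=[Rule("allow", "allowablesite.com", GET_POST)],
                  require_valid_user=True, satisfy=satisfy)


def answer_config(satisfy: str = "all") -> Config:
    """The answer's layout: Order Allow,Deny, two Allows, Require valid-user,
    and Deny from all inside <LimitExcept GET POST>."""
    return Config(order="Allow,Deny",
                  rules=[Rule("allow", "10.5.1.0/24"), Rule("allow", "86.12.76.12"),
                         Rule("deny", "all", GET_POST, limit_except=True)],
                  require_valid_user=True, satisfy=satisfy)


if __name__ == "__main__":
    outsider = Request("GET", "198.51.100.9")          # constructed client, no creds
    print("question, Satisfy all:", status(asker_config("all"), outsider))   # 401
    print("question, Satisfy any:", status(asker_config("any"), outsider))   # 200
```

Running it reproduces the symptoms in the question: with no Deny in force the host check already passes, so the Allow inside <Limit> changes nothing, Satisfy all leaves only the Require standing (401 for everyone without credentials) and Satisfy any removes that too (200 for everyone). The hostname rule also shows the DNS dependency the answer mentions: a client whose PTR name has no matching forward record never matches. One caveat worth checking on a real config: under Satisfy any an authenticated user passes even where <LimitExcept> denies the method, because either leg of the check suffices, so keep Satisfy all if the method restriction must also bind authenticated users.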