I want to use 'Limit' to allow GETs and POSTs, to a page requiring authentication, from only certain sites. I want authentication for GETs and POSTs from a certain IP, who should be able to access without authenticating.
<Limit GET POST>
allow from allowableSite.com
</Limit>
This doesn't work. Everything is unauthorized.
<Limit GET POST>
allow from all
</Limit>
This doesn't work either. Everything is still unauthorized (401).
The only thing that gets past the authentication is this:
<Limit GET POST>
satisfy any
</Limit>
Then, any GET or POST will be successful… But this is not what I want since I only want access to be available from a certain site. And 'allow' is not working as expected.
Could something be configured somewhere else that is causing this behaviour? Any help is much appreciated.
Best Answer
This is a little tough without seeing more of your config.. Since the Satisfy fixed it, I'm guessing there's a Require applying to this location. The Satisfy any directive makes it so that matching either the Allow (with your source host) or the Require (with your user) will allow access.
Using a hostname with Allow is an initial suspect; it depends on forward and reverse DNS being flawless for the client. I'm a little unclear on what you mean by "from only certain sites"; you need for the Allow directive to be inclusive of all allowed client systems. If all of their forward and reverse DNS doesn't match exactly to what you've specified, then that'd break it.
Also, your use of <Limit> depends on there being a Deny from all outside the block to restrict other methods.. so if the Order is set to Allow,Deny, that'll break it. <LimitExcept> is better when possible, since you can be more explicit about blocking unwanted methods; <Limit> risks unintended access from higher up.
I'm gonna define stuff explicitly that you probably have elsewhere, but I want to make sure that something from elsewhere can't break it (except a Deny; make sure there's no extra of those higher up..):
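As an added example, not part of the original answer, one Apache 2.2-style configuration (on 2.4 these directives need mod_access_compat) that gives the behaviour asked for in the question. The /protected path, the password file path and the address 192.0.2.10 are placeholders chosen for illustration.

```apache
# Added example; path, password file and client address are placeholders.
<Location "/protected">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/apache2/htpasswd.example"

    # GET and POST (GET also covers HEAD):
    # pass if EITHER the client address matches OR the user authenticates.
    <Limit GET POST>
        # Deny,Allow: Deny is evaluated first, a matching Allow overrides it.
        Order Deny,Allow
        Deny from all
        # An IP address avoids the forward/reverse DNS dependency
        # that "Allow from <hostname>" has.
        Allow from 192.0.2.10

        Require valid-user

        # The default is "Satisfy All": host check AND Require must both
        # pass, which is why "Allow from all" on its own still gave 401.
        # "Any" lets the trusted address skip authentication, while the
        # "Deny from all" above keeps everyone else on the Require path.
        Satisfy Any
    </Limit>

    # Every other method is refused outright, whatever is set higher up.
    <LimitExcept GET POST>
        Order Allow,Deny
        Deny from all
        Satisfy All
    </LimitExcept>
</Location>
```

With "Satisfy Any" and no "Deny from all", the host check passes for every client under the default order, which matches the question's observation that any GET or POST then succeeds.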