Basic Auth apache 2.2 bypass IP


How can I set the basic auth of Apache 2.2 to bypass IP? I have followed this wiki, but it always asks for a password, also for the listed IP:

<Directory /var/www/html/mydir>
    AuthName "Private"
    AuthType Basic
    AuthUserFile "/etc/httpd/htpasswd"
    Require valid-user
    Order allow,deny
    Allow from
    Satisfy any
</Directory>

I am behind haproxy, but I set the IP forward; I have set LogFormat in this way:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

access_log is: - - [25/Oct/2016:12:35:41 +0200] "GET /index.html HTTP/1.1" 401 487 "-" "Mozilla/5.0 (X11; Linux armv7l; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.7.0"

Best Answer

Your configuration is fine and is very standard. If you are using haproxy then the source IP address of all requests is the haproxy itself and it is this IP address that the allow from directive is checked against, not the contents of the X-Forwarded-For header.

There are several ways to fix this. With Apache v2.2 you can use a 3rd party module such as mod_custom_headers (sorry, the original Citrix page seems to have moved or been removed) or possibly mod_rpaf (I've not used it before and so can't be sure if it causes allow from to work correctly).

These modules modify the data Apache holds about the request so that the source IP becomes the value from a named header set by your proxy (such as X-Forwarded-For).

Alternatively you can upgrade to Apache v2.4 and use mod_remoteip, which does the same thing.

Note there is also an Apache configuration solution by which you set your own header on the haproxy (or you can use the X-Forwarded-For one if you trust it). Something like:

SetEnvIf X-Forwarded-For ^ access_granted_by_ip
SetEnvIf X-Forwarded-For ^ access_granted_by_ip
Order allow,deny
Allow from env=access_granted_by_ip

But I'll admit it's a little clunky for multiple IP addresses.
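
The mod_remoteip route mentioned in the answer, written out as an added example for Apache 2.4 (it is not part of the original answer). The addresses 192.0.2.10 (haproxy as Apache sees it) and 203.0.113.25 (a client allowed to skip the password) are placeholders from documentation ranges; the directory and htpasswd path are the ones from the question.

```apache
# Added example, Apache 2.4 only. Placeholders (assumptions, replace them):
#   192.0.2.10   = address of the haproxy instance as seen by Apache
#   203.0.113.25 = client IP that may skip the password prompt
# mod_remoteip must be loaded (the LoadModule line and path vary by distro).

# Take the client address from X-Forwarded-For, but only on connections
# that arrive from the listed proxy. The header is read right to left and
# evaluation stops at the first address that is not a trusted proxy, so
# values a client prepended itself are not used.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.0.2.10

# %a logs the address mod_remoteip resolved, rather than the raw header
# value that %{X-Forwarded-For}i would print.
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

<Directory /var/www/html/mydir>
    AuthName "Private"
    AuthType Basic
    AuthUserFile "/etc/httpd/htpasswd"

    # 2.4 equivalent of "Order allow,deny / Allow from ... / Satisfy any":
    # either rule is enough to grant access.
    <RequireAny>
        Require ip 203.0.113.25
        Require valid-user
    </RequireAny>
</Directory>
```

Because X-Forwarded-For is honoured only on connections from the listed proxy, a header sent by a client that reaches Apache directly does not change the address `Require ip` evaluates.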
