I am trying to configure Apache to allow users from a selection of IPs access to a Flask application without authentication, but to challenge any other users for credentials.

As things stand I have the following configuration:

<directory /var/www/flaskapp>
    WSGIProcessGroup flaskapp
    WSGIApplicationGroup %{GLOBAL}
    WSGIScriptReloading On
    WSGIPassAuthorization On
    Order deny,allow
    AuthType Basic
    AuthName "Restricted area - authorised users only"
    AuthUserFile "/usr/local/apache/passwd"
    <RequireAll>
        <RequireAny>
            Require ip 1.1.1.1
        </RequireAny>
        Require valid-user
    </RequireAll>
</directory>

This isn't working, and is instead prompting all users for authentication.

I should mention that I have used htpasswd to create a user file at the location /usr/local/apache/passwd as indicated in the config.

btongeorge

2 Answers

You only need the RequireAny condition:

<RequireAny> and </RequireAny> are used to enclose a group of authorization directives of which one must succeed in order for the <RequireAny> directive to succeed.

<RequireAny>
    Require ip 1.1.1.1
    Require valid-user
</RequireAny>
Gerald Schneider

As you are running Apache 2.4 you can use expressions. In your case that would be:

<If "%{REMOTE_ADDR} != '127.0.0.1'">
  AuthType Basic
  AuthName "Restricted area - authorised users only"
  AuthUserFile /usr/local/apache/passwd
  require valid-user
</If>

CIDR notation is supported, too. E.g.:

# A CIDR range needs -ipmatch; != only compares the address as a string
<If "!(%{REMOTE_ADDR} -ipmatch '192.168.0.0/24')">
  AuthType Basic
  AuthName "Restricted area - authorised users only"
  AuthUserFile /usr/local/apache/passwd
  require valid-user
</If>
Lenniey