Authenticate http requests EXCEPT for from this IP
"satisfy any" is indeed what you need to use. There is a good example on the Apache wiki. To quote directly from that source:
<Directory /home/www/site1/private>
AuthUserFile /home/www/site1-passwd
AuthType Basic
AuthName MySite
Require valid-user
Order allow,deny
Allow from 172.17.10
Satisfy any
</Directory>
Bill Weiss
Part time sysadmin, part time security person. Sometimes I herd them, sometimes they herd me.
Updated on September 17, 2022
Comments
-
Bill Weiss almost 2 years
I've got Nagios running on a server here (CentOS 5.3 w/ Apache 2.2.3-22.el5.centos) authenticating to my LDAP server, and all works well. However, I'd like to have some IP able to see the Nagios status page without authenticating. Nagios has this option to assign a user to someone who doesn't auth:
authorized_for_read_only=guest
default_user_name=guest
Which sounds right, but that doesn't take care of the Apache authentication. My current apache config looks like:
<Directory "/usr/lib64/nagios/cgi">
AllowOverride None
Order allow,deny
Allow from all
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/misc/htpasswd.users
Require valid-user
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthBasicAuthoritative On
AuthLDAPGroupAttribute LDAPmember
AuthLDAPURL (my server stuff)
Require ldap-group CN=nagios,ou=groups,DC=local
</Directory>
That's working, but I'd like some way to say "this IP over here, he can skip that auth stuff". The Apache Satisfy directive looks like it would work, so I tried this:
<Directory "/usr/lib64/nagios/cgi">
AllowOverride None
Order allow,deny
Allow from (IP) <---- changed
Deny from all <---- changed
Satisfy any <---- changed
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/misc/htpasswd.users
Require valid-user
AuthBasicProvider file ldap
AuthzLDAPAuthoritative off
AuthBasicAuthoritative On
AuthLDAPGroupAttribute LDAPmember
AuthLDAPURL (my server stuff)
Require ldap-group CN=nagios,ou=groups,DC=local
</Directory>
But it didn't change the behavior of the site. Thoughts? "Works for me"s? Pointers to appropriate upgrade notes saying that I'd get around this problem if I got around to upgrading my server? :)
---- update w/ answer ----
I took out the file-or-LDAP stuff, and satisfy worked for me. I was probably doing something wrong in there, but whatever, it works now. Here's what my final config looks like:
<Directory "/usr/lib64/nagios/cgi">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from 192.168.42.213
Satisfy any
AuthName "Nagios Access"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthBasicAuthoritative On
AuthLDAPGroupAttribute LDAPmember
AuthLDAPURL (my server stuff)
Require ldap-group CN=nagios,ou=groups,DC=local
</Directory>
-
Bill Weiss almost 14 years
I decided to start paring my config down, and it worked! Thanks.
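How Apache 2.2 combines Order/Allow/Deny with Satisfy for the configs in this thread, as an added example that is not part of the original posts: a simplified Python model of the documented evaluation rules. The `decide` helper, the config dictionaries and the second client address are constructed for illustration, and the "(IP)" placeholder is assumed to be the address from the final config.

```python
# Simplified model of Apache 2.2 host access (Order/Allow/Deny) plus Satisfy.
# Added illustration: hostname, CIDR and netmask forms are not modelled.

def host_matches(spec, ip):
    """Match 'all', a full IPv4 address, or a partial one like '172.17.10'."""
    if spec.lower() == "all":
        return True
    octets = spec.rstrip(".").split(".")
    return ip.split(".")[:len(octets)] == octets

def host_allowed(order, allow, deny, ip):
    allowed = any(host_matches(s, ip) for s in allow)
    denied = any(host_matches(s, ip) for s in deny)
    if order == "allow,deny":
        # Default deny: an Allow must match and no Deny may match.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: a Deny match is overridden by an Allow match.
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)

def decide(cfg, ip, authenticated):
    """Return 'granted', 'auth-required' (401) or 'forbidden' (403)."""
    host_ok = host_allowed(cfg["order"], cfg["allow"], cfg.get("deny", []), ip)
    if cfg.get("satisfy", "all") == "any":
        # Either test is enough; failing both yields a credentials challenge.
        return "granted" if host_ok or authenticated else "auth-required"
    if not host_ok:
        return "forbidden"
    return "granted" if authenticated else "auth-required"

TRUSTED = "192.168.42.213"  # address from the final config in the question
OTHER = "203.0.113.7"       # constructed documentation address

# Assumption: the "(IP)" placeholder in the first attempt is TRUSTED.
FIRST_TRY = {"order": "allow,deny", "allow": [TRUSTED],
             "deny": ["all"], "satisfy": "any"}
FINAL = {"order": "allow,deny", "allow": [TRUSTED], "satisfy": "any"}
# Hypothetical misconfiguration to check for: every host passes the host test,
# so Satisfy any never asks for credentials.
TOO_OPEN = {"order": "allow,deny", "allow": ["all"], "satisfy": "any"}

if __name__ == "__main__":
    for name, cfg in [("first try", FIRST_TRY), ("final", FINAL),
                      ("too open", TOO_OPEN)]:
        for ip in (TRUSTED, OTHER):
            print(name, ip, decide(cfg, ip, authenticated=False))
```

In this model the first attempt still challenges the listed address, because with `Order allow,deny` a matching `Deny from all` overrides the `Allow`, while the final config lets that address through and challenges everyone else.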