Topic: <RequireAll> deny all with local got 403

[Okami]

I have a question in apache 2.4. This is my setting in /etc/httpd/conf.d/vhost-www0.conf

[James Blond]

Require local

The local provider allows access to the server if any of the following conditions is true:

* the client address matches 127.0.0.0/8
* the client address is ::1
* both the client and the server address of the connection are the same

consult your error log and the access log for the IP you access the server with.


Maybe you need to add

Require ip x

see https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html
and https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require

if you still have a question please ask again.

[glsmith]

It's strange behavior for sure but the way <RequireAll> works I think your basically confusing Apache. After all, local is a part of "All" and your forcing Apache to deny All.

Really, <RequireAny> is what you want, It will give local access but reject all others trying to gain access.

Try it.

Note, because <RequireAny> is Apache's default behavior, all you should need is

[Okami]

Hi James

Thank's for your suggest, but is't not work too after I add any this three set:

(my environment no have ipv6 setting)

1. Require ip 127.0.0.0/8
2. Require ip 127.0.0.1/8
3. Require ip 172.25.0.11

the error log still is
[authz_core:error] [pid 66919] [client 172.25.0.11:39927] AH01630: client denied by server configuration: /var/www/virtual/private/index.html

[Okami]

Hi glsmith

Thank's for your suggest, change to <RequireAny> is run.
But my doubt is why in <RequireAll> will be error?

Some information say

<RequireAll> can't have fail, at least one match than success, fail is priority

<RequireAny> can have fail, if have one match than success, success is priority

if at least one match than success, my first set is Require local, why error too?

[Otomatic]

Hi,

The documentation on apache.org is very explicit on the subject
http://httpd.apache.org/docs/2.4/en/mod/mod_authz_core.html#requireall

Require all denied fails even if Require local succeeds and for <Require all> none of the authorization directives must fail.

[Okami]

Hi Otomatic,

Thank's for your suggest!

But I'm very sorry that I can't understand ...

Require all denied fails >> why this is fails?

My Web show 403, isn't that this rule is success?

I had read the document which you post

I think that mean if there have at least one success then success? Or is I have somewhere misunderstanding ?

[Otomatic]

Hi,

These are directives for requesting access authorisation, which means that when access authorisation is refused, the directive fails.

Require all denied is always fail because access authorisation is not given.

<Require All> asks that none of the present directives be "failed". In other words, <Require All> requires that all directives be validated, and in a <Require All> structure, Require all denied and Require local are antinomic, both cannot be successful at the same time.

Sorry if my explanations seem confusing to you, but English is not my native language.

Edit : 403 means "access denied" and this is the case with your structure <Require All> since not all directives are OK, at least one is "failed".
This works with the same directives in <Require Any> because in this case, it is enough if only one directive is OK.

[Okami]

Hi Otomatic,

Thank's for your explanation

I think I probably got something that you mean about my doubt.

This description is very helpful for me

English is not my native language, too
So is really hard for me when read Official documents.

Very grateful! Wish you have a nice day