I have a pre-existing PHP-based web application that is secured by an IP whitelist, and I am attempting to roll out a tool that will need to bypass that list, but I want to continue to secure it so that it only has access to a specific URL, over a specific method, and via a specific browser agent; I wrote the following configuration for my Apache 2.4 configuration file thinking it would do this:
<Location "/index.php/api/specific-end-point">
    SetEnvIf User-Agent "MyCustomBrowser" Approved
    <RequireAll>
        Require method POST
        Require env Approved
    </RequireAll>
</Location>
However all of my requests are returned with a 403 Forbidden error code. This code block appears to do very little, and having experimented with it, it will not even allow me to expose that path with just a single simple Require ip xxxx directive.
The IP address whitelist consists of a directory directive on the webroot similar to this:
<Directory "/var/www">
    AllowOverride None
    Require all granted
    Deny from all
    Allow from 192.168.1.1
    Allow from 192.168.1.2
    ...
</Directory>
The application's file index.php exists within the /var/www/html directory, which has the following configuration:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
I assume that one of those other configuration blocks is causing my 403 response, but I don't know what I can do to the configuration to apply all of my security requirements: block everyone not in the whitelist generally, but allow my tool access to POST to my specific endpoint?
I built a lab environment to simulate the third-party application mentioned and have come to the conclusion that the IP whitelist functionality was put together in the HTTPD 2.2 syntax, which is enabled by mod_access_compat.
I was able to resolve this by stripping that IP whitelisting from the <Directory "/var/www"> section and converting it into the following HTTPD 2.4 syntax block:
<Location "/">
    # AllowOverride is only valid in <Directory> context and makes httpd refuse the
    # configuration inside <Location>, so it is left out here.
    <RequireAny>
        Require ip 192.168.1.1
        Require ip 192.168.1.2
        ...
    </RequireAny>
</Location>
With that in place, the code I originally posted in the question, the <Location "/index.php/api/specific-end-point"> block, looked to work successfully.
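The following is an added, complete configuration (not the poster's own or the answer's) that puts the whitelist and the endpoint exception together and handles the two interactions that produce the 403 in the question. First, with mod_access_compat loaded, Order/Allow/Deny directives are still enforced alongside Require, so `Deny from all` rejects the tool's address before any Require logic is consulted; the whitelist is therefore written only with Require directives. Second, in 2.4 a section that contains its own Require directives replaces the inherited authorization logic (the default, AuthMerging Off), which is why `Require all granted` in `/var/www/html` silently overrode the `/var/www` whitelist, and why the endpoint's `<RequireAll>` by itself would have locked the whitelisted users out of that path. Location sections are applied in configuration-file order, so the endpoint section must come after `<Location "/">`. The IP addresses, the tool's address 192.168.1.50, the endpoint path and the User-Agent string are placeholders.

```apache
# Added example configuration; addresses, path and User-Agent string are placeholders.

# Filesystem sections carry only filesystem options; no Require here, so they do
# not replace the authorization logic that the <Location> sections below set up.
<Directory "/var/www">
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

# Site-wide whitelist, 2.4 syntax only. Do not mix Order/Allow/Deny in here:
# mod_access_compat would enforce them in addition to these Require rules.
<Location "/">
    <RequireAny>
        Require ip 192.168.1.1
        Require ip 192.168.1.2
    </RequireAny>
</Location>

# Endpoint exception. This section's Require directives replace the inherited
# ones, so the whitelist is restated inside RequireAny to keep existing users
# working on this path, and the tool is admitted through the nested RequireAll.
<Location "/index.php/api/specific-end-point">
    SetEnvIf User-Agent "MyCustomBrowser" Approved
    <RequireAny>
        Require ip 192.168.1.1
        Require ip 192.168.1.2
        <RequireAll>
            Require method POST
            Require env Approved
            # The User-Agent header is chosen by the client, so it is not an
            # authentication boundary; pin the tool's source address as well.
            Require ip 192.168.1.50
        </RequireAll>
    </RequireAny>
</Location>
```

A quick check after reloading: a POST from 192.168.1.50 with the expected User-Agent to the endpoint should be allowed, the same request to any other path should get 403, and a GET from that address to the endpoint should also get 403. Running `apachectl configtest` first catches context errors such as an AllowOverride inside a `<Location>` section.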