Verifying Apache authentication and IP restriction
The following features are tested:
・Basic authentication using htpasswd
・IP restriction settings
--
1. Create a user for authentication
htpasswd -c /etc/httpd/.htpasswd username
New password:
Re-type new password:
2. Create the .htaccess file
Create .htaccess under the document root and write the following settings in it.
vi /var/www/html/.htaccess
# Basic authentication settings
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/httpd/.htpasswd
<RequireAll>
Require ip <allowed IP>
Require valid-user
</RequireAll>
3. Check the Apache configuration
Confirm that the following is enabled in httpd.conf:
<Directory "/var/www/html">
AllowOverride All
</Directory>
4. Check the configuration syntax
Confirm that Syntax OK is output.
apachectl configtest
Syntax OK
5. Restart Apache
Apply the settings.
systemctl restart httpd
6. Verify operation
curl -u username:password http://<hostname or ip>/
7. Check the logs
Confirm that the test request is denied:
[Mon Nov 04 18:04:57.017559 2024] [authz_core:debug] [pid 23964:tid 24118] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:52362] AH01626: authorization result of Require ip 10.0.0.31: denied
[Mon Nov 04 18:04:57.017597 2024] [authz_core:debug] [pid 23964:tid 24118] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:52362] AH01626: authorization result of <RequireAll>: denied
[Mon Nov 04 18:04:57.017601 2024] [authz_core:debug] [pid 23964:tid 24118] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:52362] AH01626: authorization result of <RequireAny>: denied
[Mon Nov 04 18:04:57.017604 2024] [authz_core:error] [pid 23964:tid 24118] [client xxx.xxx.xxx.xxx:52362] AH01630: client denied by server configuration: /var/www/html/
[Mon Nov 04 18:04:57.017623 2024] [authz_core:debug] [pid 23964:tid 24118] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:52362] AH01626: authorization result of Require all granted: granted
[Mon Nov 04 18:04:57.017626 2024] [authz_core:debug] [pid 23964:tid 24118] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:52362] AH01626: authorization result of <RequireAny>: granted
Confirm that the request is granted:
[Mon Nov 04 18:12:57.345083 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of Require ip xxx.xxx.xxx.xxx: granted
[Mon Nov 04 18:12:57.345250 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Nov 04 18:12:57.345339 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Mon Nov 04 18:12:57.345411 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Nov 04 18:12:57.345626 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of Require ip xxx.xxx.xxx.xxx: granted
[Mon Nov 04 18:12:57.345693 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of Require valid-user : granted
[Mon Nov 04 18:12:57.345741 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of <RequireAll>: granted
[Mon Nov 04 18:12:57.345779 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of <RequireAny>: granted
[Mon Nov 04 18:12:57.345836 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of Require ip xxx.xxx.xxx.xxx: granted
[Mon Nov 04 18:12:57.345874 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Mon Nov 04 18:12:57.345909 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of <RequireAll>: denied (no authenticated user yet)
[Mon Nov 04 18:12:57.345945 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Mon Nov 04 18:12:57.346199 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of Require ip xxx.xxx.xxx.xxx: granted
[Mon Nov 04 18:12:57.346256 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of Require valid-user : granted
[Mon Nov 04 18:12:57.346318 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of <RequireAll>: granted
[Mon Nov 04 18:12:57.346384 2024] [authz_core:debug] [pid 24333:tid 24491] mod_authz_core.c(815): [client xxx.xxx.xxx.xxx:36432] AH01626: authorization result of <RequireAny>: granted
curl
From an IP that is not allowed
curl -vvv -u username:password http://<hostname or ip>
~
HTTP/1.1 403 Forbidden
~
From an allowed IP
curl -vvv -u username:password http://<hostname or ip>
~
HTTP/1.1 200 OK
~
Notes
authorization result of <RequireAll>: denied: authorization was denied by the <RequireAll> block as a whole
client denied by server configuration: access was denied by the server configuration
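
The AH01626 lines in step 7 are written only when mod_authz_core logs at debug level (for example LogLevel authz_core:debug), and each request produces several of them. The following added example (not part of the original note) reduces such lines to one verdict per client connection. The function names authz_summary, sample_log and line, the verdict labels, and the sample log lines (built with documentation IP addresses) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: summarise mod_authz_core AH01626 debug lines per client connection.

# Build one constructed log line in the format shown in step 7.
line() {  # $1 = client ip:port, $2 = "<directive>: <result>"
  printf '[Mon Nov 04 18:00:00.000000 2024] [authz_core:debug] [pid 1:tid 2] mod_authz_core.c(815): [client %s] AH01626: authorization result of %s\n' "$1" "$2"
}

# Constructed sample: one denied IP, one full success, one request without valid credentials.
sample_log() {
  line 203.0.113.7:52362 'Require ip 192.0.2.10: denied'
  line 203.0.113.7:52362 '<RequireAll>: denied'
  printf '[Mon Nov 04 18:00:00.000000 2024] [authz_core:error] [pid 1:tid 2] [client 203.0.113.7:52362] AH01630: client denied by server configuration: /var/www/html/\n'
  line 192.0.2.10:36432 'Require ip 192.0.2.10: granted'
  line 192.0.2.10:36432 'Require valid-user : denied (no authenticated user yet)'
  line 192.0.2.10:36432 '<RequireAll>: denied (no authenticated user yet)'
  line 192.0.2.10:36432 'Require ip 192.0.2.10: granted'
  line 192.0.2.10:36432 'Require valid-user : granted'
  line 192.0.2.10:36432 '<RequireAll>: granted'
  line 192.0.2.10:40000 'Require ip 192.0.2.10: granted'
  line 192.0.2.10:40000 'Require valid-user : denied (no authenticated user yet)'
  line 192.0.2.10:40000 '<RequireAll>: denied (no authenticated user yet)'
}

# Read an error log on stdin; print "<client> <verdict>" using the last result
# logged for the top-level container ($1, default <RequireAll>).
authz_summary() {
  awk -v top="${1:-<RequireAll>}" '
  /AH01626: authorization result of / {
    client = $0; sub(/.*\[client /, "", client); sub(/\].*/, "", client)
    rest = $0; sub(/.*AH01626: authorization result of /, "", rest)
    result = rest; sub(/.*: /, "", result)      # text after the last ": "
    directive = substr(rest, 1, length(rest) - length(result) - 2)
    sub(/ +$/, "", directive)                   # "Require valid-user :" has a trailing space
    if (directive == top) final[client] = result
    else if (directive ~ /^Require / && result == "denied") why[client] = directive
  }
  END {
    for (c in final) {
      if (final[c] == "granted") v = "GRANTED"
      else if (final[c] ~ /no authenticated user yet/) v = "AUTH_REQUIRED"
      else v = "DENIED by " why[c]
      print c, v
    }
  }' | sort
}

sample_log | authz_summary
```

A "denied (no authenticated user yet)" result followed by "granted" for the same client is the normal two-pass sequence for a successful Basic authentication; only a plain "denied" on the container corresponds to the 403 seen with curl.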