Resolved

    m-tias (@m-tias)

    Hello!

    I’m trying to protect a URL with basic authentication, but it’s not working at all when IP blocks like these are in the .htaccess:

    # Quick ban IP. Will be updated on next formal rules save.
    SetEnvIF REMOTE_ADDR "^###\.###\.###\.###$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^###\.###\.###\.###$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^###\.###\.###\.###$" DenyAccess
    <IfModule mod_authz_core.c>
    	<RequireAll>
    		Require all granted
    		Require not env DenyAccess
    		Require not ip ###.###.###.###
    	</RequireAll>
    </IfModule>
    <IfModule !mod_authz_core.c>
    	Order allow,deny
    	Deny from env=DenyAccess
    	Deny from ###.###.###.###
    	Allow from all
    </IfModule>
    # END iThemes Security - Do not modify or remove this line

    Without them the script below works:

    SetEnvIfNoCase Request_URI "^/protected/url" SECURED
    AuthType Basic
    AuthName "Login"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
    Order allow,deny
    Allow from env=!SECURED
    Satisfy any

    Any idea on how to get the basic authentication to work along with the IP bans?

    https://wordpress.org/plugins/better-wp-security/

Viewing 11 replies - 1 through 11 (of 11 total)
    @m-tias

    What Apache version are you using?

    dwinden

    Thread Starter m-tias

    (@m-tias)

    It says Apache/2. So I guess 2.0?

    m-tias

    @m-tias

    It’s the second digit in the Apache version that is relevant …
    So contact your hosting provider and find out.
    It’s probably 2.2.x or 2.4.x
    Really need to know this before we can proceed.

    (The reason why you are only seeing Apache/2 is because your hosting provider configured the webserver in such a way that not all Apache version info is made public … It’s common security practice to not make this type of info public to visitors of a site).

    Oh one other thing. I think this is more of an Apache Webserver issue than an iTSec plugin issue …
    But an interesting one … hope to learn something new 😉

    The banned IP address is not yours, is it?

    dwinden

    Thread Starter m-tias

    (@m-tias)

    Ok, so I asked my host about the Apache version and found out it’s 2.4.17.
    And no, the banned ip isn’t mine. 🙂

    Thanks for helping out!
    m-tias

    @m-tias,

    Ok, great.

    Since we now know you are using Apache 2.4.x we can start removing the correct redundant lines.
    So manually remove the following (Apache 2.2.x specific) lines from the .htaccess:

    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from env=DenyAccess
    Deny from ###.###.###.###
    Allow from all
    </IfModule>

    Now test the basic authentication.

    Still not working?
    Remove the following lines as well:

    SetEnvIF REMOTE_ADDR "^###\.###\.###\.###$" DenyAccess
    SetEnvIF X-FORWARDED-FOR "^###\.###\.###\.###$" DenyAccess
    SetEnvIF X-CLUSTER-CLIENT-IP "^###\.###\.###\.###$" DenyAccess

    Require not env DenyAccess

    After removing the above lines you end up with testing only these (iTSec plugin) lines:

    # Quick ban IP. Will be updated on next formal rules save.
    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all granted
    Require not ip ###.###.###.###
    </RequireAll>
    </IfModule>
    # END iThemes Security - Do not modify or remove this line

    Hopefully using this methodology will help in pinpointing what exactly in the IP-block lines is causing problems with basic authentication.
    There are another 2 variations but let’s try the above first.

    dwinden

    Thread Starter m-tias

    (@m-tias)

    Removing the first two blocks you suggested doesn’t make any difference. But if I only remove the last block, the basic authentication works as expected.
    So, to be clear, it’s this block that’s causing the problem:

    # Quick ban IP. Will be updated on next formal rules save.
    <IfModule mod_authz_core.c>
    <RequireAll>
    Require all granted
    Require not ip ###.###.###.###
    </RequireAll>
    </IfModule>
    # END iThemes Security - Do not modify or remove this line

    m-tias

    @m-tias

    Happy new year!
    Ok, that makes sense. It might be this single line which is causing trouble:

    Require all granted

    Put the entire IP-block back in and then only remove the following line:

    Require all granted

    Now test the basic authentication.

    dwinden

    In addition you could try and change your basic authentication block so it makes use of the new Apache 2.4.x access control directives:

    AuthType Basic
    AuthName "Login"
    AuthUserFile /path/to/.htpasswd

    SetEnvIfNoCase Request_URI "^/protected/url" SECURED

    <RequireAll>
    Require not env SECURED
    </RequireAll>
    Require valid-user

    It’s easier to change your basic authentication block than getting the iTSec plugin to change its IP-block lines.
    Untested so not sure whether this will make any difference.

    dwinden

    Thread Starter m-tias

    (@m-tias)

    Happy new year to you too!

    Removing the line “Require all granted” makes all the difference.
    Sadly, using the suggested access control directives doesn’t solve the problem.
    Any other possible way to get around this?

    m-tias

    @m-tias

    (I’ve updated this post after submitting it … Still tweaking so I may update it again.)

    Ok, try and replace your basic authentication lines with the lines below. Tested so it should work this time:

    AuthType Basic
    AuthName "Login"
    AuthUserFile /path/to/.htpasswd

    SetEnvIfNoCase REQUEST_URI "^/protected/url" DenyAccess

    <RequireAll>
    Require valid-user
    Require expr %{REQUEST_URI} = "/protected/url/"
    </RequireAll>

    However there is a complication.
    The complication is that /protected/url/ requests from blocked IPs will also trigger the basic authentication login screen.
    Have not been able to find a workaround for this without adding an extra line to the IP-Block lines generated by the iTSec plugin.

    dwinden
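    For reference, the mechanism behind the thread's finding, followed by an added example that is not from the thread, from dwinden or from the iThemes Security plugin. In Apache 2.4, every top-level Require directive and every RequireAll or RequireAny container in the same configuration section is combined under an implicit RequireAny. The plugin's block next to a plain "Require valid-user" therefore reads as "(all granted AND not banned) OR valid-user": any client that is not banned already satisfies the first branch, so the valid-user branch is never consulted and no login is demanded. Dropping "Require all granted" leaves only "Require not" directives in that container, which yield a neutral result when nothing matches, so the decision falls through to "Require valid-user"; that is why removing the single line fixed it, and why it comes back when the plugin rewrites the block on its next rules save. The example below nests the ban and the authentication requirement under one RequireAll instead, so a banned address fails on the first directive and receives 403 before any authentication is evaluated, which avoids the complication dwinden describes. It assumes Apache 2.4 with mod_authz_core, mod_auth_basic, mod_authn_file and mod_authz_user loaded; 203.0.113.45, /protected/url and /path/to/.htpasswd are placeholders, and the block is written as a replacement for the plugin-generated "Quick ban IP" block.

```apache
# Added example, not from the thread: IP ban and path-scoped Basic auth under
# one RequireAll. Assumes Apache 2.4 with mod_authz_core, mod_auth_basic,
# mod_authn_file and mod_authz_user. 203.0.113.45, /protected/url and
# /path/to/.htpasswd are placeholders. Meant to replace the plugin-generated
# "Quick ban IP" block, not to sit next to it.

AuthType Basic
AuthName "Login"
AuthUserFile /path/to/.htpasswd

# Mark banned clients the way the plugin block does, so proxied requests are
# covered too (anchored match: the header must contain exactly this address).
SetEnvIF REMOTE_ADDR "^203\.0\.113\.45$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^203\.0\.113\.45$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^203\.0\.113\.45$" DenyAccess

<IfModule mod_authz_core.c>
    <RequireAll>
        # Evaluated first. A banned client fails here and receives 403;
        # RequireAll stops at the first failure, so "Require valid-user"
        # below is never reached for it and no login prompt is sent.
        Require not env DenyAccess
        Require not ip 203.0.113.45

        # Credentials are demanded only under /protected/url. For any other
        # path the regex branch grants and RequireAny stops there, so
        # valid-user is not evaluated and no challenge is issued.
        <RequireAny>
            Require expr "%{REQUEST_URI} !~ m#^/protected/url#"
            Require valid-user
        </RequireAny>
    </RequireAll>
</IfModule>
```

    Two checks before relying on it: the file must be served with AllowOverride permitting AuthConfig, Limit and FileInfo for the Auth*, Require and SetEnvIF lines respectively, and a request from the banned address to /protected/url should return 403 in the access log with no 401 preceding it, while a request from any other address to the same path should return 401 until valid credentials are supplied.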

    Thread Starter m-tias

    (@m-tias)

    Wonderful, dwinden!

    I can’t see any big problem with blocked IPs facing the authentication screen.
    This pretty much solves my issue, but man, I have a hard time identifying the logic in the .htaccess! I need to learn more about it, let’s hope Google serves me well. 🙂

    Thanks a lot for your time and help!

    m-tias


The topic ‘IP blocking disables basic authentication’ is closed to new replies.