Monday, July 31, 2017

Apache 2.4 authentication and whitelisting scenarios

I have these examples scattered among many Apache installations, so I wanted to gather my notes here for my benefit, and hopefully for others as well. The following scenarios depict various requirements for Apache 2.4 authentication and whitelisting. They are all for Apache 2.4.x running on Ubuntu 14.04/16.04.

Scenario 1: block all access to Apache except to a list of whitelisted IP addresses and networks

Apache configuration snippet (Apache 2.4 needs only the Require directives here; Order, Allow, Deny and Satisfy are 2.2-era directives provided by mod_access_compat, and the Apache documentation discourages mixing them with Require):

  <Directory /var/www/html/>
     # Every line in the included file is a "Require ip ..." directive.
     # Sibling Require lines form an implicit <RequireAny>: a client that
     # matches any of them is let in, everyone else gets 403.
     IncludeOptional /etc/apache2/whitelist.conf
  </Directory>

This section is more specific than the stock Ubuntu <Directory /var/www/> block that carries "Require all granted", so its Require list replaces that one: Apache 2.4 replaces rather than merges the Require rules of a parent section unless AuthMerging is set.

Contents of whitelist.conf file:

# local server IPs
Require ip 127.0.0.1
Require ip 172.31.2.2

# Office network
Require ip 1.2.3.0/24

# Other IP addresses
Require ip 4.5.6.7/32
Require ip 5.6.7.8/32
# etc., one Require ip line per address or network

Scenario 2: enable basic HTTP authentication but allow specific IP addresses through with no authentication

Apache configuration snippet ("Satisfy Any" is not needed: in Apache 2.4 the Require valid-user line and the Require ip lines pulled in from whitelist.conf sit at the same level and are therefore combined as an implicit <RequireAny>, which is exactly the either/or rule wanted here; Satisfy belongs to mod_access_compat and only governs how 2.2-style Allow/Deny rules combine with Require):

  <Directory /var/www/html/>
     AuthType Basic
     AuthBasicProvider file
     AuthName "Restricted Content"
     AuthUserFile /etc/apache2/.htpasswd

     # Whitelisted clients pass without credentials; everyone else
     # must present a valid username and password.
     Require valid-user
     IncludeOptional /etc/apache2/whitelist.conf
  </Directory>

The contents of whitelist.conf are the same as in Scenario 1. Two things to check before relying on this: keep the .htpasswd file outside the document root (as the /etc/apache2 path above does), and remember that Require ip tests the address of the TCP peer. Behind a reverse proxy or load balancer every request arrives from the proxy's address, so an entry for the proxy would admit every client that passes through it and entries for real client addresses would never match; configure mod_remoteip (RemoteIPHeader together with RemoteIPInternalProxy or RemoteIPTrustedProxy) so that Require ip sees the original client address.

Scenario 3: enable basic HTTP authentication but allow access to specific URLs with no authentication

Apache configuration snippet (again without the 2.2-style Order/Allow lines, which Apache 2.4 does not need here):

  <Directory /var/www/html/>
     AuthType Basic
     AuthBasicProvider file
     AuthName "Restricted Content"
     AuthUserFile /etc/apache2/.htpasswd

     # Mark requests whose path starts with the ACME challenge directory.
     # The attribute value is a regular expression: anchor it and escape
     # the dot, otherwise it also matches that string anywhere in a URI.
     SetEnvIf Request_URI "^/\.well-known/acme-challenge/" noauth=1
     <RequireAny>
       Require env noauth
       Require valid-user
     </RequireAny>
  </Directory>

This is useful when you obtain certificates from Let's Encrypt with the HTTP-01 challenge: the Let's Encrypt validation servers fetch the challenge file from /.well-known/acme-challenge/ over plain HTTP and without credentials, so that path must be exempt from the authentication. Note the anchored pattern. An unanchored one such as /.well-known/acme-challenge/* (where the unescaped dot matches any character) also matches a URI like /private/app.php/.well-known/acme-challenge/, in which the challenge prefix is just path info appended to a script URL; whether that request is then served depends on the handler, but there is no reason to exempt it from authentication in the first place. The same technique works for any other path that must stay public; the alternative, shown in the added example below the scenarios, is a nested <Directory> section with "Require all granted", since a more specific section replaces the parent's Require rules.
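The three scenarios collapse into one Apache 2.4-native configuration. The following is an added example, not code from the original post: it assumes the same document root, the same /etc/apache2/whitelist.conf of "Require ip" lines and the same /etc/apache2/.htpasswd as above, and it adds a hypothetical /admin/ subdirectory to show the AND form, <RequireAll>, beside the OR form that the scenarios rely on.

```apache
# Added example, not from the original post. Assumes /var/www/html as the
# document root, /etc/apache2/whitelist.conf holding "Require ip ..." lines
# as in Scenario 1, and a password file at /etc/apache2/.htpasswd.
# Only mod_authz_core, mod_authz_host and mod_auth_basic directives are
# used; nothing here needs mod_access_compat.

<Directory /var/www/html/>
    AuthType Basic
    AuthBasicProvider file
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd

    # Scenarios 1 and 2: sibling Require lines form an implicit <RequireAny>,
    # so a whitelisted address OR a valid user is enough. Drop the
    # "Require valid-user" line to get the pure whitelist of Scenario 1.
    IncludeOptional /etc/apache2/whitelist.conf
    Require valid-user
</Directory>

# Scenario 3 without SetEnvIf: a more specific <Directory> replaces the
# parent's Require rules (AuthMerging Off is the default), so the ACME
# challenge files are served to anyone, whitelisted or not, logged in or not.
# AuthType and friends are still inherited but never consulted, because
# "Require all granted" is satisfied before authentication runs.
<Directory /var/www/html/.well-known/acme-challenge/>
    Require all granted
</Directory>

# AND instead of OR (hypothetical /admin/ path): a client must come from the
# office network AND present valid credentials. Require lines are only ORed
# implicitly; a conjunction has to be spelled out with <RequireAll>.
<Directory /var/www/html/admin/>
    <RequireAll>
        Require ip 1.2.3.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

Run "apachectl configtest" (apache2ctl on Ubuntu) after dropping this in, then verify each branch from the outside: a whitelisted address should get 200 without an Authorization header, a non-whitelisted one 401 until it supplies credentials, the challenge directory 200 (or 404 for a missing token) with no credentials at all, and /admin/ 401 even from the office network until a valid user is presented.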

Modifying EC2 security groups via AWS Lambda functions

One task that comes up again and again is adding, removing or updating source CIDR blocks in various security groups in an EC2 infrastructur...