Combine ip and user auth restriction for subfolder in apache 2.4


I want to restrict access to a complete website (apache 2.4) to certain IPs. On top of that I want to restrict access to certain subfolders with user authentication. User auth is not working. Here is what I got:

In the vhost config I have

<Location />
    # Localhost
    Require ip 127.0.0.1
    # some other IP
    Require ip 1.2.3.4
</Location>

Now I want the subfolder /secure/ to require a valid user login

<webroot>/secure/.htaccess looks like

<RequireAll>
    Require all granted
    Require user user1 user2 user3
    AuthBasicProvider file
    AuthType Basic
    AuthName "Secure Folder Login"
    AuthUserFile /securePath/userAuth
</RequireAll>

I can still access /secure from the IP 1.2.3.4 without user authentication. It feels like apache matches the IP against the Require ip 1.2.3.4 directive (inside the implicit RequireAny) and doesn't care about possible extra restrictions further down the line.


There are 3 best solutions below


At least Location (out of Location, Directory, File and .htaccess directives) seems to be evaluated separately, last, and in reverse order of appearance. I didn't check completely and I couldn't find docs on it.

Well long story short

I could achieve what I wanted by placing

<Location /secure/>
    # Auth* directives are per-directory settings, not authorization rules,
    # so they go outside the Require container
    AuthBasicProvider file
    AuthType Basic
    AuthName "Secure Folder Login"
    AuthUserFile /securePath/userAuth
    Require all denied
    <RequireAll>
        Require user user1 user2 user3
    </RequireAll>
</Location>

below the <Location />Require ip 1.2.3.4</Location> block in the vhost config (above did not work). Using either <Directory> block or .htaccess did not work.


Put only Require directives inside RequireAll or RequireAny blocks. Also, don't use Location blocks for file system objects (actual directories); use Directory instead.

<Directory /opt/secure>
    Require all denied
    AuthBasicProvider file
    AuthType Basic
    AuthName "Secure Folder Login"
    AuthUserFile /opt/.htaccess
    <RequireAll>
        # or: Require valid-user
        # (Apache does not allow trailing comments on a directive line)
        Require user user1 user2
        <RequireAny>
            Require ip 78.53.160.0/19
            Require ip 80.171.1.0/24
            Require ip 80.171.2.0/23
            Require ip 80.171.4.0/22
            Require ip 80.171.8.0/21
            Require ip 80.171.16.0/20
            Require ip 80.171.32.0/19
            Require ip 80.171.64.0/18
        </RequireAny>
    </RequireAll>
</Directory>

If you wish to block every IP except the one in your list and present a basic login prompt to the allowed IP, you can do something like this (inside your .htaccess):

# Auth* directives are per-directory settings and belong outside the container
AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /htdocs/www/web_projects/.htpasswd
Require all denied
<RequireAll>
    Require valid-user
    # IP octets must not carry leading zeros (100.04.04.04 is rejected)
    Require ip 100.4.4.4
</RequireAll>

and for multiple IPs something like the following should work:

AuthBasicProvider file
AuthType Basic
AuthName "Secure Folder Login"
AuthUserFile /htdocs/www/web_projects/.htpasswd
Require all denied
<RequireAll>
    <RequireAny>
        Require ip 78.53.160.0/19
        Require ip 80.171.1.0/24
        Require ip 80.171.2.0/23
        Require ip 80.171.4.0/22
        Require ip 80.171.8.0/21
        Require ip 80.171.16.0/20
        Require ip 80.171.32.0/19
        Require ip 80.171.64.0/18
    </RequireAny>
    Require valid-user
</RequireAll>
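The following vhost configuration is an added example, not taken from the question or from any of the answers above. It ties the three answers together and shows why the original .htaccess layout could not work: in Apache 2.4 the Require directives of a more specific section replace the inherited ones (they are not merged unless AuthMerging says so), and `<Location>` sections are merged after `<Directory>` and .htaccess, so the `Require ip` set in `<Location />` overrode the user requirement from `/secure/.htaccess`. The server name `example.test`, the document root `/var/www/html` and the password file `/etc/apache2/secure.htpasswd` are assumptions; the IPs and user names are the ones from the question.

```apache
# Added example (not the original poster's or answerers' config).
# Assumed: ServerName example.test, DocumentRoot /var/www/html,
# htpasswd file /etc/apache2/secure.htpasswd.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/html

    # Site-wide: only these client addresses get in; everyone else gets 403.
    # Directory (not Location) because the rule protects filesystem paths.
    <Directory /var/www/html>
        Require ip 127.0.0.1
        Require ip 1.2.3.4
    </Directory>

    # /secure/: a permitted address AND a valid user.
    # Auth* directives are ordinary per-directory settings, so they stay
    # outside the Require container; only Require rules go inside it.
    <Directory /var/www/html/secure>
        AuthType Basic
        AuthName "Secure Folder Login"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/secure.htpasswd

        # The Require set of this section REPLACES the inherited one, so the
        # IP rule has to be repeated here (or see the AuthMerging variant below).
        <RequireAll>
            <RequireAny>
                Require ip 127.0.0.1
                Require ip 1.2.3.4
            </RequireAny>
            Require user user1 user2 user3
        </RequireAll>
    </Directory>

    # Equivalent variant that reuses the inherited IP rule instead of
    # repeating it: AND-merge this section's rules with the parent's.
    # (Uncomment and drop the block above to use it.)
    # <Directory /var/www/html/secure>
    #     AuthMerging And
    #     AuthType Basic
    #     AuthName "Secure Folder Login"
    #     AuthBasicProvider file
    #     AuthUserFile /etc/apache2/secure.htpasswd
    #     Require user user1 user2 user3
    # </Directory>
</VirtualHost>
```

Check it with `apachectl configtest` after editing, then verify the behaviour rather than trusting the config: from an address that is not listed, `curl -I http://example.test/secure/` should return 403; from 1.2.3.4 without credentials it should return 401 with a `WWW-Authenticate: Basic` header, and with `-u user1:<password>` 200. One caveat that applies to all of the configurations on this page: `Require ip` tests the address of the TCP peer. If the server sits behind a reverse proxy or load balancer, every request arrives from the proxy's address and the IP restriction silently permits everyone; in that case configure `mod_remoteip` (`RemoteIPHeader` plus `RemoteIPInternalProxy` for the trusted proxies) so that `Require ip` sees the real client address, and never derive it from an unvalidated `X-Forwarded-For` header.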