
Apache 2.4 mod_authz - RequireAny/All and Require valid-user

I have a problem figuring out how to create the right configuration for Apache 2.4 with mod_authz_core, specifically with the combination of RequireAny/All and Require valid-user.

I need this configuration: the web has access blocked from specified countries, but I have a list of specific IP addresses that have to be whitelisted and have access to the web (even from a blocked country). And there is a part of the website which requires AuthBasic authentication from an .htaccess file.

First of all, I am trying to migrate an old Apache configuration from 2.2 to Apache 2.4.

Old configuration:

    # block specified countries
    SetEnvIf GEOIP_COUNTRY_CODE AB BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE AC BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE AD BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE AE BlockCountry
    <LocationMatch "/*">
        Order deny,allow
        deny from .zx
        deny from env=BlockCountry
        allow from  127.0.0.1
        Include "/etc/httpd/conf/permited-xx-ip.include.old"
    </LocationMatch>

This works absolutely fine on Apache 2.2. I changed it to this to match the new Apache 2.4:

    <LocationMatch "/.*">
        <RequireAny>
            <RequireAll>
                Require all granted
                Require not host .xx
                Require not env BlockCountry
            </RequireAll>
            <RequireAny>
                Require local
                Include "/etc/httpd/conf/permited-xx-ip.include"
            </RequireAny>
        </RequireAny>
    </LocationMatch>

The file /etc/httpd/conf/permited-xx-ip.include contains lines:

    Require ip x.x.x.x

And this works fine, but the problem is that when I have a directory which has an .htaccess with an AuthBasic directive, it will not prompt for username/password. I was checking the logs and it seems that the RequireAny/All allows access without prompting for a password.

.htaccess file:

    AuthName "members"
    AuthType Basic
    AuthUserFile ./data/.htpasswd
    AuthBasicProvider file
    Require valid-user

If I comment out the Require section in the Apache conf file, it will prompt for user/password.

I also tried the old configuration with mod_compat, but the configuration does not work as intended (it will not consider whitelisted IPs).

Thanks for reading this long post. Any suggestions?

calvix asked Mar 04 '26 04:03

calvix


1 Answer

I think I figured it out.

The right configuration should look like this:

     <Directory  /var/www/www-root>
            <RequireAny>
                    <RequireAll>
                            Require all granted
                            Require not host .xx
                            Require not env BlockCountry
                    </RequireAll>
                    <RequireAny>
                            Require local
                            Include "/etc/httpd/conf/permited-ip.include"
                    </RequireAny>
            </RequireAny>
     </Directory>

Plus the configuration for the directory with AuthBasic .htaccess:

    <Directory /var/www/www-root/dirwithauthbasic>
        <RequireAll>
            <RequireAny>
                <RequireAll>
                    Require all granted
                    Require not host .xx
                    Require not env BlockCountry
                </RequireAll>
                <RequireAny>
                    Require local
                    Include "/etc/httpd/conf/permited-ip.include"
                </RequireAny>
            </RequireAny>
            Require valid-user
        </RequireAll>
    </Directory>

Sorry for the messed-up format.

calvix answered Mar 05 '26 18:03

calvix
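An alternative to repeating the country/IP block inside the protected directory, as an added example that is not part of the original question or answer: `AuthMerging And` (mod_authz_core) combines a section's `Require` lines with the inherited policy as if both sat in one `<RequireAll>`. It assumes `AllowOverride AuthConfig` applies to the directory and that `BlockCountry` is set by the `SetEnvIf` lines from the question; paths are the ones used in the posts.

```apache
# Added example, not the poster's configuration.

# --- server config: single copy of the country / whitelist policy ---
<Directory /var/www/www-root>
    # Assumption: .htaccess files are allowed to carry auth directives.
    AllowOverride AuthConfig
    <RequireAny>
        <RequireAll>
            Require all granted
            Require not host .xx
            Require not env BlockCountry
        </RequireAll>
        <RequireAny>
            Require local
            Include "/etc/httpd/conf/permited-ip.include"
        </RequireAny>
    </RequireAny>
</Directory>

# --- /var/www/www-root/dirwithauthbasic/.htaccess ---
# AuthMerging defaults to Off, in which case the Require line below
# replaces the inherited <Directory> policy: a valid password alone
# would then be enough, even from a blocked country.
# With "And", the request must pass the inherited policy AND valid-user.
AuthName "members"
AuthType Basic
AuthBasicProvider file
AuthUserFile ./data/.htpasswd
AuthMerging And
Require valid-user
```

`<Location>` and `<LocationMatch>` sections are merged after `<Directory>` and `.htaccess`, which is why authorization placed in `<LocationMatch "/.*">` took precedence over the `.htaccess` `Require valid-user` in the question. To check the result, request the protected directory without credentials and confirm the response is 401 rather than 200.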


