Before I expose anything to the outside world I want the access controls to
work as I expect, but things have changed a lot in Apache 2.4.
Standard for a site that's normally available is now in 2.4:
Require all granted
(and any other needed options). But for development systems I want a
username/password request to access them. This part took a bit of work to
get right. First I found Upgrading to 2.4 from 2.2 - Apache HTTP Server Version 2.4
has a repeating typo in the authorization samples:
isn't going to work, giving
Unknown Authn provider: File
error messages. The right bit is:
The difference one letter makes.
That also did not give me a working configuration, leading to interesting
errors in the log of type:
AH00027: No authentication done but request not allowed without authentication for /. Authentication not configured?
Which turned out to be a missing bit in the samples in the same document:
is needed too.
The full now working access rule is:
AuthName "Koos z'n Doos beheer"
The use of RequireAny allows me to add trusted IP ranges so that the site
is reachable from a trusted IP address or
after using http basic
The good news is that the samples in
Authentication and Authorization - Apache HTTP Server Version 2.4