unprotect URL for certain IP addresses

infinitiguy

8:58 pm on Oct 11, 2010 (gmt 0)

Hi,
I have a unique situation where I have a bunch of URIs that need to be Location-protected with basic auth. However, I want a certain group of IPs to not have to authenticate. The reason is that the web app prompts for multiple authentications when my monitoring server tries to authenticate using [username:pass@domain.com...], breaking my user experience test.

I'm curious whether there is a way I could somehow set a cookie, have a certain IP get assigned that cookie for its session, and make it exempt from the Location directive?

Is something like this possible?
Thoughts?
Cheers,
-Derek

sublime1

3:58 am on Oct 12, 2010 (gmt 0)

I would do the check for special locations (or IPs) in the part of the configuration that defines the authorization rules in the first place -- for example, check out the Apache docs for the auth module: [httpd.apache.org ] which describe a solution to your problem well, if I understand it.

Tom

infinitiguy

4:05 am on Oct 12, 2010 (gmt 0)

I think I figured out a good solution. I'm going to test it further in the morning when I'm back in the office.

I never realized what "Satisfy any" actually did... so I looked at the documentation for that command... d'oh, RTFM :)

So, what I did is: I have my Location directive with just a few Require group statements to protect against external people/users, and I have an Order deny,allow, Deny from all, Allow from IP.Of.Monitor.Server.

So far... from testing at home, it seems like it's accomplishing exactly what I want it to.

Thanks for responding! :)

infinitiguy

2:47 pm on Oct 12, 2010 (gmt 0)

I realized a fatal flaw in my "genius"... these requests are coming in from a load balancer... so EVERY access to Apache is from one of 2 IPs... and not the real source IP. So I can't just allow IP.Of.Monitor.Server. I also can't connect to the actual Apache server outside of the load balancer, because the application is configured to write all of its URLs as the load balancer domain name, so the application breaks if hitting it via the server name.

What I think I could do, is use the load balancer to say something like if IP = special IP then set cookie = letMeIn.

What I don't know how to do is get apache to say if cookie = letMeIn then allow from cookie letMeIn (or essentially if cookie exist, then do not require ldap auth).

Is this something that is possible?

infinitiguy

8:35 pm on Oct 12, 2010 (gmt 0)

I came up with a solution. I learned how to use SetEnvIf :)

I also learned that I can override my User-Agent in Firefox (the browser that I need to use to run my user experience tests) using the general.useragent.override property. So, I overrode it to a very long, impossible-to-remember string that I set in Apache. I'm ok with this solution because my monitoring machines are in a protected network, with limited access. The chances of someone on the outside guessing the string are probably.... pretty unlikely. The content behind the auth is not super private... so even if someone does guess... my world wouldn't be over :)

So, for any other apache users out there finding themselves in a similar situation... here's what I did.

In httpd.conf with these modules loaded..
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so

Then outside of my location directives...
SetEnvIf User-Agent SomeStringThatIsReallyHardToGuess internalLabelforEnv

and inside of each location directive..
<Location /some/uri>
    # Satisfy any is important: it allows EITHER the host/env rule below
    # OR a successful login to grant access.
    Satisfy any
    Order deny,allow
    Deny from all
    Allow from env=internalLabelforEnv

    # ------ LDAP authentication directives go here ------

    Require group SomeLdapGroupPath
</Location>

Hopefully this helps someone!
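A worked model of the access decision the configuration above produces, added here as an example; it is not the poster's config or Apache code. It simulates the Apache 2.2 semantics of Satisfy any with Order deny,allow / Deny from all / Allow from env=, with a password table standing in for the LDAP Require group, and contrasts it with Satisfy all; the secret string, user and password are constructed.

```python
import re
from typing import Optional, Set, Tuple

# Constructed stand-ins for the values in the post.
SECRET_UA = "SomeStringThatIsReallyHardToGuess"   # the SetEnvIf pattern
ENV_FLAG = "internalLabelforEnv"                  # the variable SetEnvIf sets
LDAP_GROUP_MEMBERS = {"derek": "s3cret"}          # user -> password, stands in for the LDAP group


def set_env_if(headers: dict) -> Set[str]:
    """SetEnvIf User-Agent <regex> <var>: set <var> when the header matches the regex."""
    env = set()
    if re.search(SECRET_UA, headers.get("User-Agent", "")):
        env.add(ENV_FLAG)
    return env


def host_access_allowed(env: Set[str]) -> bool:
    """Order deny,allow / Deny from all / Allow from env=<var>:
    everything is denied unless the environment variable is present."""
    return ENV_FLAG in env


def user_authenticated(credentials: Optional[Tuple[str, str]]) -> bool:
    """Stand-in for the 'Require group' check against LDAP."""
    if credentials is None:
        return False
    user, password = credentials
    return LDAP_GROUP_MEMBERS.get(user) == password


def access_decision(headers: dict, credentials: Optional[Tuple[str, str]],
                    satisfy: str = "any") -> str:
    """Return 'allow', 'challenge' (401) or 'forbid' (403) for one request."""
    host_ok = host_access_allowed(set_env_if(headers))
    auth_ok = user_authenticated(credentials)
    if satisfy == "any":
        # Satisfy any: EITHER the host/env rule OR a valid login is enough;
        # when both fail Apache still sends a 401 so a browser can log in.
        return "allow" if (host_ok or auth_ok) else "challenge"
    # Satisfy all: both must pass; failing the host rule is a hard 403,
    # so the monitor would still be challenged for credentials.
    if not host_ok:
        return "forbid"
    return "allow" if auth_ok else "challenge"
```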

sublime1

2:13 pm on Oct 13, 2010 (gmt 0)

infinitiguy -- if your requests are going through a load balancer, you can use the X-Forwarded-For HTTP header to get the original request IP.

Tom

infinitiguy

2:44 pm on Oct 13, 2010 (gmt 0)

How would I use that with an Allow from? I'm not sure how I would be able to tell the Location directive to allow from these 3 IPs and then do a check that says if X-Forwarded-For = one of these IPs then pass through.

sublime1

4:16 pm on Oct 13, 2010 (gmt 0)

As I reread the thread, it looks like you have the problem solved. If so, then never mind :-)

If not solved: you can get the "real" (original) IP into a variable from the X-Forwarded-For header using SetEnvIf. In the Allow directive test if the variable is equal to the known IP address you want to allow.

Tom

infinitiguy

4:30 pm on Oct 13, 2010 (gmt 0)

Yep. The problem is solved, but using a different method than X-Forwarded-For :)

So to test for the known IP would I say something like
SetEnvIf X-Forwarded-For ^1\.2\.3\.4 letmein
SetEnvIf X-Forwarded-For ^5\.6\.7\.8 letmein
Allow from env=letmein

If the intention was to allow access from IP 1.2.3.4 and 5.6.7.8?
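A Python model of the X-Forwarded-For check discussed in this exchange, added here as an example and not the poster's config or Apache code. It writes the post's pattern as a correct regex and, because a client can send its own X-Forwarded-For header, contrasts matching the left-most entry with matching the entry the load balancer itself appended; the header values are constructed, and the balancer is assumed to append rather than overwrite.

```python
import re
from typing import Optional

# Monitoring source addresses from the post (constructed example values).
MONITOR_IPS = {"1.2.3.4", "5.6.7.8"}

# The post's pattern written as a proper regex: dots escaped and terminated by a
# comma or end of header, so that e.g. 1.2.3.45 does not match. It tests the
# LEFT-most X-Forwarded-For entry, which is whatever the client itself sent when
# the balancer appends its own entry instead of replacing the header.
LEFTMOST = re.compile(r"^(1\.2\.3\.4|5\.6\.7\.8)(,|$)")

# Alternative SetEnvIf-style pattern anchored to the RIGHT-most entry, the one
# the balancer appended for the connection it actually accepted.
RIGHTMOST = re.compile(r"(^|,\s*)(1\.2\.3\.4|5\.6\.7\.8)$")


def letmein_leftmost(xff: str) -> bool:
    """Mirrors 'SetEnvIf X-Forwarded-For ^1\\.2\\.3\\.4 letmein' + 'Allow from env=letmein'."""
    return LEFTMOST.search(xff) is not None


def letmein_rightmost(xff: str) -> bool:
    """Same decision, but made on the entry the balancer added."""
    return RIGHTMOST.search(xff) is not None


def client_ip_from_xff(xff: str) -> Optional[str]:
    """Return the right-most X-Forwarded-For entry, i.e. the address the balancer
    saw connecting to it (assumes the balancer appends rather than overwrites)."""
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    return parts[-1] if parts else None


# Constructed header values as they would reach Apache behind the balancer:
#  - the monitor connecting through the balancer
#  - an outside client (203.0.113.7) that supplied its own X-Forwarded-For header,
#    to which the balancer appended the real connecting address
GENUINE = "1.2.3.4"
SPOOFED = "1.2.3.4, 203.0.113.7"
```

If the balancer overwrites the header instead of appending, it carries a single address and both patterns agree; check which the balancer does before relying on the left-most entry.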

jdMorgan

5:29 pm on Oct 15, 2010 (gmt 0)

To be fair to sublime1, you used an "extended" method using X-Forwarded-For... :)

Jim