Document IP-based access restriction
https://espace.cern.ch/webservices-help/websitemanagement/ConfiguringAFSSites/Pages/AccesscontrolonAFSsites.aspx has a section about "How to add domain, network and host restrictions"
In the new infra, we cannot use domains (see https://gitlab.cern.ch/webservices/webeos/webeos-tests/-/blob/master/webeos-intranet-test/allow/.htaccess)
Also `allow from` is deprecated in favor of `require`.
In the new infra the proper way to limit a site to CERN intranet only will be:
```
# The list of all CERN networks. See https://landb.cern.ch/landb/portal/cernNetwork
require ip 2001:1458::/32 2001:1459::/32 FD01:1458::/32 FD01:1459::/32 10.0.0.0/8 100.64.0.0/10 128.141.0.0/16 128.142.0.0/16 137.138.0.0/16 172.16.0.0/12 188.184.0.0/15 192.16.155.0/24 192.16.165.0/24 192.91.242.0/24 192.168.0.0/16 194.12.128.0/18
```
The old doc explained how to combine this with OIDC authorization, but in the new doc I think it's enough to provide a link to the Apache 2.4 upstream doc (the part explaining `<RequireAll>`/`<RequireAny>`, which replace `Satisfy` directives) which already explains this.
CC @awardzin
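
The `Satisfy` replacement mentioned above, as an added example that is not part of the original issue: an `.htaccess` file combining the CERN network list with OIDC login, with the Apache 2.2 form kept in comments for comparison. It assumes mod_auth_openidc is the OIDC module and is already configured at server level; `Require valid-user` stands in for whatever authorization rule the site actually uses.

```apache
# Added example, not taken from the webeos documentation.
# Assumption: mod_auth_openidc is loaded and its OIDC* settings are provided
# by the server configuration, so only AuthType is needed here.

# --- Apache 2.2 form (deprecated; only works on 2.4 via mod_access_compat) ---
#   Order deny,allow
#   Deny from all
#   Allow from 137.138.0.0/16
#   AuthType openid-connect
#   Require valid-user
#   Satisfy any     # intranet address OR logged-in user
#   Satisfy all     # intranet address AND logged-in user

AuthType openid-connect

# Variant A, replaces "Satisfy any":
# intranet clients get in without login, everyone else must authenticate.
<RequireAny>
    # Several networks on one "Require ip" line are alternatives (OR).
    Require ip 2001:1458::/32 2001:1459::/32 FD01:1458::/32 FD01:1459::/32 10.0.0.0/8 100.64.0.0/10 128.141.0.0/16 128.142.0.0/16 137.138.0.0/16 172.16.0.0/12 188.184.0.0/15 192.16.155.0/24 192.16.165.0/24 192.91.242.0/24 192.168.0.0/16 194.12.128.0/18
    Require valid-user
</RequireAny>

# Variant B, replaces "Satisfy all":
# the client must be on the intranet AND be authenticated.
# Use this block INSTEAD of variant A; with both active, top-level
# authorization rules are OR-ed together and variant A would win.
#<RequireAll>
#    Require ip 2001:1458::/32 2001:1459::/32 FD01:1458::/32 FD01:1459::/32 10.0.0.0/8 100.64.0.0/10 128.141.0.0/16 128.142.0.0/16 137.138.0.0/16 172.16.0.0/12 188.184.0.0/15 192.16.155.0/24 192.16.165.0/24 192.91.242.0/24 192.168.0.0/16 194.12.128.0/18
#    Require valid-user
#</RequireAll>
```

Keep the network list on a single `Require ip` line (or inside its own `<RequireAny>`) when using variant B: separate `Require ip` lines placed directly in `<RequireAll>` would all have to match, which no client address can satisfy.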