Apache 2.4 authenticate anonymous users but allow others by IP

Question

I am trying to configure Apache to allow users from a selection of IPs access to a Flask application without authentication, but to challenge any other users for credentials.

As things stand I have the following configuration:

<directory /var/www/flaskapp>
    WSGIProcessGroup flaskapp
    WSGIApplicationGroup %{GLOBAL}
    WSGIScriptReloading On
    WSGIPassAuthorization On
    Order deny,allow
    AuthType Basic
    AuthName "Restricted area - authorised users only"
    AuthUserFile "/usr/local/apache/passwd"
    <RequireAll>
        <RequireAny>
            Require ip 1.1.1.1
         </RequireAny>
        Require valid-user
    </RequireAll>
</directory>

This isn't working, and is instead prompting all users for authentication.

I should mention that I have used htpasswd to create a user file at the location /usr/local/apache/passwd as indicated in the config.

Answer 1

You only need the RequireAny condition:

<RequireAny> and </RequireAny> are used to enclose a group of authorization directives of which one must succeed in order for the <RequireAny> directive to succeed.

<RequireAny>
    Require ip 1.1.1.1
    Require valid-user
</RequireAny>

Answer 2

As you are running Apache 2.4 you can use expressions. In your case that would be:

<If "%{REMOTE_ADDR} != '127.0.0.1'">
  AuthType Basic
  AuthName "Restricted area - authorised users only"
  AuthUserFile usr/local/apache/passwd
  require valid-user
</If>

CIDR notation is supported, too. E.g.:

<If "%{REMOTE_ADDR} != '192.168.0.0/24'">
  AuthType Basic
  AuthName "Restricted area - authorised users only"
  AuthUserFile usr/local/apache/passwd
  require valid-user
</If>