httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jos...@slive.ca>
Subject Re: FileSystem v.s. Other Resources [was configurable Location?]
Date Thu, 05 Feb 2004 16:44:40 GMT

I just want to add a couple notes here on what I see as user-expectations.

> > The problem is that you want to add layers of additional directives, which
> > would change the behavior of <Directory > or <Location >,
>
> only <Location >, in a way that IMO is consistent with the existing
> documentation, but not the existing code of course.
[...]
> A complication to treating <Location > as if it's outside the filesystem
> is the doc that states <Location /> is a quick way to apply a config to
> the whole server.  It will indeed do that today, unfortunately.  I
> believe another quick way to get the same result is to put your config
> directives outside of any container.  If that's true, I would prefer to
> see that doc for <Location /> removed.  If the change to the behavior of
> <Location > is configurable, this is not an issue.  If it's not
> configurable, then we probably should treat <Location /> as if it's in
> the filesystem - a special case for backwards compatibility.

I wrote the particular doc you quoted earlier, and I meant it more as a
recommendation (for security reasons) than a documentation of how apache
works.  The true description of how apache is supposed to function is
here:

http://httpd.apache.org/docs-2.0/sections.html

(But it is a little vauge, because my knowledge of the internals of
configuration merging was not sufficient to clarify it the last time I
went through.)

Many people do, in fact, use <Location> for filesystem-related things.
See the examples in the mod_dav docs for one:
http://httpd.apache.org/docs-2.0/mod/mod_dav.html

Although I don't think this is esthetically correct, it is not
particularly dangerous.  Using <Location> to provide *extra* access is
okay, because if you circumvent the <Location> using filesystem tricks,
you just lose the access.  Using <Location> to *restrict* access is not
safe, because the restrictions may be circumvented.

The other important thing to note is that <Location> is often used for a
reason that is particular to apache configuration merging:
those sections are evaluated last.  That means that
<Location />
Order deny,allow
Deny from all
Allow from local.net
</Location>
has a very different effect than the same directives placed in <Directory
/> because it will be evaluated after all <Directory> and <Files>
sections which could potentially override directives.

I'm not saying that this is a strictly correct use of <Location>, but it
is very useful and there is no other easy way to accomplish this "apply
this directive after everything else" effect.

I do, however, agree that doing a directory-walk on virtual resources is
not nice.  But my opinion is that "virtualness" is a property of the
resource, and hence should be designated when selecting the resource.
That is why I suggested changing SetHandler rather than <Location>.

Joshua.

Mime
View raw message