httpd-dev mailing list archives

From Tim Bannister <>
Subject Re: "Forbid" directive in core?
Date Mon, 10 Jun 2013 13:59:12 GMT
On 10 Jun 2013, at 14:35, Eric Covener <> wrote:

> I'd like to add an immutable Forbid directive to the core and use it in some places in the default configuration instead of "require all denied".
> This protects from a broad <Location or <If being added that supersedes Directory/Files.
> I thought someone might object to the duplication w/ AAA or the presence in the core, so opting for RTC.

Just a comment: other places that do broadly similar things often have a “deny by default”
philosophy. I like this approach.
Obviously this isn't going to please admins with existing configurations, so is there a way
to design the mechanism so it's still possible to get something more strict than we have at
the moment?

In terms of directives, this could look like:

<Directory />
  # For example, insist that exemptions must be defined in the same place as the Forbid is
  ForbidExemption /srv/web /nfs/foo/bar

# Require HTTPS except from IPv4 localhost
<If "%{REQUEST_SCHEME} != HTTPS && (! -R ) ">
  # Expression evaluation doesn't need exemptions

Tim Bannister –
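
The override the thread is concerned with can be checked for in an existing configuration. The following is an added example, not code from the thread or from httpd: a heuristic lint that reports every "Require all granted" placed in a section httpd merges after Directory/Files (Location, LocationMatch, If and its Else branches). The function name find_overrides and the sample configuration are constructed for illustration.

```python
import re

# Section types httpd merges after <Directory> and <Files>; an access rule
# set in one of these replaces a denial made in the earlier-merged sections.
LATE = {"location", "locationmatch", "if", "elseif", "else"}
EARLY = {"directory", "directorymatch", "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*(.*)>\s*$")
CLOSE = re.compile(r"</\s*\w+\s*>\s*$")
GRANT = re.compile(r"require\s+all\s+granted\b", re.I)
DENY = re.compile(r"require\s+all\s+denied\b", re.I)

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
<Directory />
    Require all denied
</Directory>
<Directory /srv/web>
    Require all granted
</Directory>
<Files ".ht*">
    Require all denied
</Files>
<Location />
    Require all granted
</Location>
"""

def find_overrides(conf_text):
    """Return [(line_no, late_section, denied_sections)] for each
    'Require all granted' in a late-merged section of a config that also
    denies access in Directory/Files sections."""
    stack, denied, grants = [], [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):          # closing tag: leave the section
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:                          # opening tag: remember type and label
            stack.append((m.group(1).lower(), f"<{m.group(1)} {m.group(2).strip()}>"))
            continue
        late = [label for kind, label in stack if kind in LATE]
        if DENY.match(line) and stack and stack[-1][0] in EARLY and not late:
            denied.append(stack[-1][1])
        elif GRANT.match(line) and late:
            grants.append((n, late[-1]))
    return [(n, label, denied) for n, label in grants] if denied else []
```

It does not resolve Include files or compare paths, so each hit is a prompt to review the section rather than proof that a denial is bypassed.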
