httpd-dev mailing list archives

From Tim Bannister <is...@jellybaby.net>
Subject Re: "Forbid" directive in core?
Date Mon, 10 Jun 2013 13:59:12 GMT
On 10 Jun 2013, at 14:35, Eric Covener <covener@gmail.com> wrote:

> I'd like to add an immutable Forbid directive to the core and use it in some places in the default configuration instead of "require all denied".
> 
> http://people.apache.org/~covener/forbid.diff
> 
> This protects from a broad <Location or <If being added that supersedes Directory/Files.
> 
> I thought someone might object to the duplication w/ AAA or the presence in the core, so opting for RTC.


Just a comment: other places that do broadly similar things often have a “deny by default”
philosophy. I like this approach.
Obviously this isn't going to please admins with existing configurations, so is there a way
to design the mechanism so it's still possible to get something more strict than we have at
the moment?

In terms of directives, this could look like:

<Directory />
  # For example, insist that exemptions must be defined in the same place as the Forbid is set.
  Forbid
  ForbidExemption /srv/web /nfs/foo/bar
</Directory>

# Require HTTPS except from IPv4 localhost
<If "%{REQUEST_SCHEME} != 'https' && (! -R '127.0.0.0/8')">
  # Expression evaluation doesn't need exemptions
  Forbid
</If>


-- 
Tim Bannister – isoma@jellybaby.net
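
Added example (not part of the original message, nor code from the httpd project): a small Python check that flags "Require all granted" inside sections httpd merges after <Directory> and <Files> (<Location>, <LocationMatch>, <If> and its else branches), which is the override the quoted proposal says Forbid protects against. The function name find_overrides and the sample configuration are constructed for illustration, and the check assumes the default "AuthMerging Off".

```python
import re

# Sections httpd merges after <Directory>/<Files>; with the default
# "AuthMerging Off" (assumed here) their authz replaces an earlier denial.
LATE_SECTIONS = {"location", "locationmatch", "if", "elseif", "else"}

OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\s*(\w+)\s*>$")
GRANT = re.compile(r"require\s+all\s+granted", re.I)


def find_overrides(conf_text):
    """Return (line_no, section, argument) for every 'Require all granted'
    nested in a late-merged section, i.e. one that can supersede a
    'Require all denied' set in <Directory> or <Files>."""
    stack, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip('"')))
            continue
        if GRANT.fullmatch(line):
            # Report the outermost enclosing late-merged section, if any.
            for name, arg in stack:
                if name in LATE_SECTIONS:
                    findings.append((line_no, name, arg))
                    break
    return findings


# Constructed sample: a default-deny root, one exemption, and a broad
# <Location> added later that silently re-opens everything.
SAMPLE = '''\
<Directory "/">
    Require all denied
</Directory>
<Directory "/srv/web">
    Require all granted
</Directory>
# Added later by another admin:
<Location "/">
    Require all granted
</Location>
'''

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE):
        print("late-merged grant at line %d: <%s %s>" % finding)
```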

