httpd-users mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: [users@httpd] .htaccess file
Date Sun, 29 Dec 2002 14:59:53 GMT
On Sat, 28 Dec 2002, Arun kumar R wrote:

> Hi,
> I want to block some of the IPs from accessing my website,
> so I have created a .htaccess file as
> <Limit GET>
> order deny, allow
> deny from xx.xx.xx.xxx
> allow from all
> </Limit>
>
> in the root directory, but still those IPs are
> accessing my web site. When I checked the httpd.conf
> my settings for
>
> AllowOverride is "None". If I change it to "All" then
> even I am not able to access the site.
>
> I am not very clear with the AllowOverride options,
> can anyone help me to define the correct settings to
> block those IPs.

Several things here.

First of all, .htaccess files are primarily for people that don't have
access to the main configuration file. Since you clearly do have access
to the main config file, you should put your configuration there, rather
than in a .htaccess file. Putting a .htaccess file in a directory
/www/docs/something is exactly equivalent (so far as the resultant
configuration) to putting the contents of that .htaccess file into a
<Directory> section thus:

<Directory /www/docs/something>
 # Contents of .htaccess file go here
</Directory>

(This goes in your httpd.conf)

However, .htaccess files cause a substantial performance degradation,
and may be a security concern, depending on how your site is managed.

Second, the contents of your .htaccess file, listed above, contain a
common typo.

That should be

order deny,allow

rather than

order deny, allow

Notice the space in your version, which is missing from the correct
version. You are probably being denied access because the .htaccess file
was causing a server error, rather than because of your IP address.

Third, note that you are only blocking GET accesses, but other accesses,
such as POST, HEAD, DELETE, CONNECT, and so on, are still permitted.
Drop the <Limit> and </Limit> lines, if you really want to lock out
those addresses.

And, finally, a note about AllowOverride. AllowOverride None means
"please ignore all of my .htaccess files." If you want to use .htaccess
files, you should use an AllowOverride setting that is correct, rather
than giving a blanket AllowOverride All. AllowOverride All allows things
that you probably don't want to allow - in particular, it allows
Options, which lets people do stuff like "Options +FollowSymlinks" and
"Options ExecCGI" in places where you would rather they did not do those
things. In your case, if you really decide you want this to be in a
.htaccess file, you would only need "AllowOverride Limit".

Hope this helped.

-- 
Pilgrim, how you journey on the road you chose
To find out where the winds die and where the stories go
 --Pilgrim (Enya - A Day Without Rain)


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
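
The checks discussed in the message above, as an added example that is not part of the original post or of Apache itself: a small linter for the space in the Order argument, access rules scoped by <Limit>, and a blanket AllowOverride All. The last rule goes beyond the thread and relies on Apache's documented Order semantics, where under "Order deny,allow" a client that matches an Allow directive is admitted even if it also matches a Deny. The rule names, the function name and the sample address are assumptions made for the example.

```python
# Constructed sample: the AllowOverride setting and the .htaccess body from the
# thread in one text; 192.0.2.10 stands in for the masked address.
SAMPLE = """\
AllowOverride All
<Limit GET>
order deny, allow
deny from 192.0.2.10
allow from all
</Limit>
"""

def lint_access_config(text):
    """Return sorted (line, rule) findings; treats the text as one scope."""
    findings, limit_start, limit_used = [], None, False
    order, deny_seen, allow_all_line = None, False, None
    for n, raw in enumerate(text.splitlines(), 1):
        words = raw.strip().lower().split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0], words[1:]
        if key == "<limit":
            limit_start, limit_used = n, False
        elif key == "</limit>":
            if limit_used:  # rules inside <Limit> cover only the listed methods
                findings.append((limit_start, "limit-scope"))
            limit_start = None
        elif key == "allowoverride" and "all" in args:
            # AllowOverride All also lets .htaccess files set Options
            findings.append((n, "override-all"))
        elif key in ("order", "allow", "deny"):
            limit_used = limit_start is not None
            if key == "order":
                if len(args) != 1:  # "deny, allow" splits into two arguments
                    findings.append((n, "order-whitespace"))
                order = "".join(args)
            elif key == "deny" and args[1:] != ["all"]:
                deny_seen = True
            elif key == "allow" and args[1:] == ["all"]:
                allow_all_line = n
    # Under Order deny,allow a matching Allow wins, so the Deny has no effect.
    if order == "deny,allow" and deny_seen and allow_all_line:
        findings.append((allow_all_line, "deny-overridden"))
    return sorted(findings)

if __name__ == "__main__":
    for line, rule in lint_access_config(SAMPLE):
        print(f"line {line}: {rule}")
```

A body of "order allow,deny", "allow from all", "deny from 192.0.2.10" with no <Limit> wrapper passes all four checks.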

