httpd-users mailing list archives

From "Michael" <x...@xshellr8.com>
Subject RE: [users@httpd] nested htaccess files in conjuction with allow/deny
Date Mon, 21 Jun 2004 09:10:08 GMT

Generally, doesn't the .htaccess file dictate the behaviour down the
directory tree?  This is probably the root of the problem.  In other words,
the .htaccess is controlling all the directories from /test/ on down if
that's where it's located. At least that's my understanding of how the
.htaccess files work.  If you have indeed placed it in /test/ and then add
another directory /test/test2, the .htaccess file located at /test/ is also
controlling the access to any directories underneath this location.  You can
probably structure it in a way (as you are requesting now) so that you can
work around this, but I've found that there always seem to be holes or
Apache just doesn't behave as you would expect.

You are much better off in this case creating a completely different
directory structure and allowing the access as you did in the first example.
It's much simpler to control in this manner and there are fewer issues with
holes being found such as the one you're trying to work around now.

My 2 cents,  

Michael

-----Original Message-----
From: Matthijs van der Klip [mailto:matthijs@spill.nl] 
Sent: Monday, June 21, 2004 1:11 AM
To: Apache User Mailing List
Cc: lists@spill.nl
Subject: [users@httpd] nested htaccess files in conjuction with allow/deny

Hi,

I've been trying to do the following:

1) Consider a virtualhost which has a document root configured as follows:

        # Access Control
        <Directory /mnt/docs/PHP/test>
                # Deny access by default
                # Grant access to specific addresses thru a htaccess file
                Options FollowSymLinks
                AllowOverride Limit
                Order deny,allow
                Deny from all
        </Directory>

        # Document Root
        DocumentRoot /mnt/docs/PHP/test


2) Access to specific addresses granted by /mnt/docs/PHP/test/.htaccess:

        Order deny,allow
        Deny from all

        # Grant access
        Allow from 1.2.3.4


This works as expected, i.e. access is granted to 1.2.3.4 only.


3) Now consider a subdirectory /mnt/docs/PHP/test/test2/. I've been trying 
   to _additionally_ grant access to a second ip-address using a htaccess 
   file /mnt/docs/PHP/test/test2/.htaccess:

        # Grant additional access
        Allow from 4.3.2.1


At first sight this seemed to work as expected. The test2 subdir is
accessible by both 1.2.3.4 and 4.3.2.1. Closer inspection however reveals
the test2 subdir is not only accessible by the mentioned ip-addresses, but 
by anyone! This of course is not the desired behaviour.

I've tried about a zillion variations of Order, Allow and Deny but cannot 
get the desired behaviour. Does anyone have experience in a similar 
situation?


Note1: IP-addresses, paths etc. have been forged.

Note2: I do of course know this can be solved by not trying to nest the 
       htaccess files and giving them each a separate 'Deny from All' 
       line, but this is not the purpose, as in practice the first 
       htaccess is a symlink to a common htaccess containing a large 
       amount of ip-addresses. I do not want to make a copy of this file 
       as this increases administrative effort.


Best regards,

-- 
Matthijs van der Klip
System Administrator
Spill E-Projects
The Netherlands




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
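
Added example, not part of either message above: a small Python model of how the Order/Allow/Deny settings from the thread are evaluated for /test and /test/test2, including the variant from Note2 where the deeper .htaccess carries its own 'Deny from all'. It assumes (this is not stated in the thread) that a deeper section containing any of these directives replaces the inherited access settings instead of merging with them, and that Order defaults to deny,allow; the address 203.0.113.7 and all function and variable names are constructed for illustration.

```python
import ipaddress

def effective(layers):
    """Assumed override semantics: the last layer that sets any access
    directive wins outright; an empty layer leaves the parent in force."""
    chosen = {}
    for layer in layers:
        if layer:
            chosen = layer
    return chosen

def matches(client, specs):
    """True if the client address matches 'all' or any listed address/network."""
    ip = ipaddress.ip_address(client)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)

def allowed(client, layers):
    cfg = effective(layers)
    order = cfg.get("order", "deny,allow")    # assumed default when Order is absent
    deny, allow = cfg.get("deny", []), cfg.get("allow", [])
    if order == "deny,allow":
        ok = True                             # default is allow
        if matches(client, deny):
            ok = False
        if matches(client, allow):
            ok = True
        return ok
    ok = False                                # allow,deny: default is deny
    if matches(client, allow):
        ok = True
    if matches(client, deny):
        ok = False
    return ok

# The three sections from the original message.
DIRECTORY = {"order": "deny,allow", "deny": ["all"]}
TEST_HT = {"order": "deny,allow", "deny": ["all"], "allow": ["1.2.3.4"]}
TEST2_HT = {"allow": ["4.3.2.1"]}             # no Order, no Deny
# Note2 variant: test2 carries its own Deny and every permitted address.
TEST2_FIXED = {"order": "deny,allow", "deny": ["all"],
               "allow": ["1.2.3.4", "4.3.2.1"]}

OUTSIDER = "203.0.113.7"                      # constructed third-party address

if __name__ == "__main__":
    for name, layers in [("/test", [DIRECTORY, TEST_HT]),
                         ("/test/test2", [DIRECTORY, TEST_HT, TEST2_HT]),
                         ("/test/test2 fixed", [DIRECTORY, TEST_HT, TEST2_FIXED])]:
        print(name, {ip: allowed(ip, layers)
                     for ip in ("1.2.3.4", "4.3.2.1", OUTSIDER)})
```

Under these assumptions the test2 .htaccess ends up with an empty deny list and a default-allow order, which reproduces the "accessible by anyone" result reported in the original message.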

