From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] nested htaccess files in conjunction with allow/deny
Date Mon, 21 Jun 2004 09:14:34 GMT
> -----Original Message-----
> From: Matthijs van der Klip [mailto:matthijs@spill.nl]
> Sent: Monday, 21 June 2004 10:11
> To: Apache User Mailing List
> Cc: lists@spill.nl
> Subject: [users@httpd] nested htaccess files in conjunction with allow/deny

Just to be clear: You are controlling access *only* with mod_access
(Allow,Deny) and not with Basic Authentication (password protection). I
mention this because, as you probably know, you can't nest
Authentication realms.

> 
> Hi,
> 
> I've been trying to do the following:
> 
> 1) Consider a virtualhost which has a document root configured as follows:
> 
>         # Access Control
>         <Directory /mnt/docs/PHP/test>
>                 # Deny access by default
>                 # Grant access to specific addresses thru a htaccess file
>                 Options FollowSymLinks
>                 AllowOverride Limit

OK. This allows directives like Allow,Deny in the .htaccess file to
override those in the config.

>                 Order deny,allow
>                 Deny from all

Hmmm. So you block everything in the config, then (presumably) allow
only certain IPs in the .htaccess. This is fine, if a little paranoid -
most people would just put all the directives in the .htaccess. However,
your method provides fail-safe protection if the .htaccess is missing.

>         </Directory>
> 
>         # Document Root
>         DocumentRoot /mnt/docs/PHP/test
> 
> 
> 2) Access to specific addresses granted by /mnt/docs/PHP/test/.htaccess:
> 

The config below is OK, but over-determined.

>         Order deny,allow

This means "allow by default - deny if on the Deny list". So requires:

>         Deny from all

And then:

> 
>         # Grant access
>         Allow from 1.2.3.4

Simpler is:

	# Deny all by default
	Order Allow,Deny
	Allow from 1.2.3.4

> 
> 
> This works like expected, i.e. access is granted to 1.2.3.4 only.
> 
> 
> 3) Now consider a subdirectory /mnt/docs/PHP/test/test2/. I've been trying
>    to _additionally_ grant access to a second ip-address using a htaccess
>    file /mnt/docs/PHP/test/test2/.htaccess:
> 
>         # Grant additional access
>         Allow from 4.3.2.1
> 
> 
> At first sight this seemed to work like expected. The test2 subdir is
> accessible by both 1.2.3.4 and 4.3.2.1. Closer inspection however reveals
> the test2 subdir is not only accessible by the mentioned ip-addresses, but
> by anyone!

This is a consequence of the "Order Deny,Allow" directive which
allows by default and which is inherited by the subdir but not overridden
in the subdir .htaccess.

> This of course is not the desired behaviour.
> 
> I've tried about a zillion variations of Order, Allow and Deny but cannot
> get the desired behaviour. Does anyone have experience in a likewise
> situation?

I think the root cause is your original "Order" directive is the wrong
way round. Read the docs for this directive carefully then try:

	main dir:

	Order Allow,Deny
	Allow from 1.2.3.4

	subdir:
	Allow from 4.3.2.1

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


> 
> 
> Note1: IP-addresses, paths etc. have been forged.
> 
> Note2: I do of course know this can be solved by not trying to nest the
>        htaccess files and giving them each a separate 'Deny from All'
>        line, but this is not the purpose, as in practice the first
>        htaccess is a symlink to a common htaccess containing a large
>        amount of ip-addresses. I do not want to make a copy of this file
>        as this increases administrative effort.
> 
> 
> Best regards,
> 
> -- 
> Matthijs van der Klip
> System Administrator
> Spill E-Projects
> The Netherlands
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 
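Added example, not from this thread or from Apache's own code: a small Python model of how mod_access evaluates one section's Order/Allow/Deny settings (all Allow lines as one group, all Deny lines as another, Order fixing the default), run against the three configurations discussed above. It assumes mod_access's override behaviour, in which a sub-directory section replaces rather than merges the parent's Order and host lists, so the test2 .htaccess posted above, carrying only an Allow line, falls back to the default Order deny,allow and lets everyone in; the addresses are the thread's placeholder values.

```python
import ipaddress

# Added model of mod_access (Apache 1.3/2.0/2.2) Order/Allow/Deny evaluation
# for one per-directory section.  Assumption (also in the lead-in): the module
# overrides rather than merges per-directory config, so a subdir .htaccess is
# evaluated on its own with the default "Order deny,allow" unless it sets
# Order itself.  Hosts are written as single IPs or CIDR blocks.

def parse_section(text):
    """Return (order, allow_list, deny_list) from Order/Allow/Deny lines."""
    order, allows, denys = "deny,allow", [], []        # mod_access defaults
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()           # drop comments/blanks
        if not words:
            continue
        name = words[0].lower()
        if name == "order":
            order = words[1].lower()
        elif name in ("allow", "deny") and words[1].lower() == "from":
            (allows if name == "allow" else denys).extend(words[2:])
    return order, allows, denys

def host_matches(client, entries):
    ip = ipaddress.ip_address(client)
    return any(e.lower() == "all" or ip in ipaddress.ip_network(e, strict=False)
               for e in entries)

def access_allowed(section, client):
    """All Allow lines form one group, all Deny lines another; Order sets the default."""
    order, allows, denys = parse_section(section)
    a, d = host_matches(client, allows), host_matches(client, denys)
    if order == "deny,allow":    # default allow; an Allow match beats a Deny match
        return a or not d
    return a and not d           # allow,deny and mutual-failure: default deny

# Constructed sections mirroring the thread (the thread's placeholder addresses).
MAIN_HTACCESS = "Order deny,allow\nDeny from all\nAllow from 1.2.3.4\n"
SUBDIR_AS_POSTED = "# Grant additional access\nAllow from 4.3.2.1\n"
SUBDIR_SELF_CONTAINED = MAIN_HTACCESS + "Allow from 4.3.2.1\n"

def who_gets_in(section, clients=("1.2.3.4", "4.3.2.1", "9.9.9.9")):
    return [c for c in clients if access_allowed(section, c)]

if __name__ == "__main__":
    print("main dir:        ", who_gets_in(MAIN_HTACCESS))
    print("subdir as posted:", who_gets_in(SUBDIR_AS_POSTED))
    print("subdir complete: ", who_gets_in(SUBDIR_SELF_CONTAINED))
```

The third section is the self-contained subdir .htaccess from Note2 (its own Order and Deny plus both Allow lines), which is the form that restricts test2 to the two addresses.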




