httpd-users mailing list archives

From Nigel Gilbert <n.gilb...@soc.surrey.ac.uk>
Subject [users@httpd] RE: .htaccess 'allow from' and directories - not quite there yet
Date Thu, 22 Jul 2004 14:54:32 GMT
> Date: Wed, 21 Jul 2004 17:25:53 +0200
> To: "Apache list" <users@httpd.apache.org>
> From: "Boyle Owen" <Owen.Boyle@swx.com>
> Subject: RE: .htaccess 'allow from' and directories - not quite there yet
> Message-ID: <FAB6A3A2CC5BDB448DADFA1C8C0752965F7536@SOMEXEVS001.ex.ordersx.org>
>
> Do you know that you are posting directly to me and not via the list?

Yes; I thought that the list might not be too interested, but I have 
made sure that this time I am posting to both  (and if you reply, could 
you cc: to me, as I am only getting the digest version of the list and 
that only arrives once every 24 hours or so).  Thanks.

>
>> -----Original Message-----
>> From: Nigel Gilbert [mailto:n.gilbert@soc.surrey.ac.uk]
>> Sent: Mittwoch, 21. Juli 2004 16:15
>> To: Boyle Owen
>> Subject: .htaccess 'allow from' and directories - not quite there yet
>>
>>
>> I'm obviously stupid, but despite your very clear explanations, I still
>> cannot get it working.
>>
>> I'll demonstrate with a cut down example, running on a test server.
>> The httpd.conf file includes the following directives:
>>
>> <IfModule mod_userdir.c>
>>      UserDir Sites
>> </IfModule>
>
> You never mentioned userdir before... I never use the mechanism so I'm
> not too familiar with it. I think it's basically just an internal
> re-mapping so it probably doesn't make any difference. All the same, it
> would've been nice to know...

The original server where I encountered this problem doesn't use 
UserDir, but I have now transferred to a test server (actually, Apache 
1.39 on MacOSX) so that I can experiment without upsetting users.  The 
out-of-the-box httpd.conf for MacOS X gives each user a Sites directory 
and a personal URL.

>
>>
>> <Directory "/Users/scs1ng/Sites/">
>>      Options Indexes MultiViews
>>      AllowOverride  Limit FileInfo
>
> You said the main config had "AllowOverride All" - it doesn't. However,
> the "Limit" does permit the .htaccess file to control access via Allow,
> Deny etc. But note that it does not allow other directives to work in
> .htaccess which might be important (more later).

Also a consequence of moving to a Mac test server, but as you say, it 
shouldn't make a difference.

>
>>      Order allow,deny
>>      Allow from all
>> </Directory>
>>
>>
>> The .htaccess file in /Users/scs1ng/Sites/ consists of the following
>> (I've added the annotations):
>>
>> # deny access to files to all except subscribers (here represented by
>> # the single partial IP 206.40; in reality, a long
>> # list of 'Allow from' directives for all subscribers)
>> <Files *>
>>        Order Allow,Deny
>>        Allow from 206.40
>> </Files>
>> # Allow everyone access to the 'front' page
>> <Files index.html>
>>        Allow from all
>> </Files>
>> # Allow everyone access to the front page through redirection from a
>> # directory only URL
>> Allow from all
>
> This directive now lays the whole directory open to all users from
> anywhere. This should work.
>
> The only thing I can think of is that you've overridden the default
> DirectoryIndex somewhere so that it is no longer index.html. Then the
> server will try for a directory listing but that might be disallowed too
> - so you get a 403.

I don't think so, and I have tested this by adding my client IP to 
those allowed, thus:

>> # list of 'Allow from' directives for all subscribers)
>> <Files *>
>>        Order Allow,Deny
>>        Allow from 206.40
              Allow from 127.0              ## added!
>> </Files>

With this addition, accessing http://127.0.0.1/~scs1ng/  delivers my 
index.html page - in other words, the server is correctly redirecting 
to index.html when it is allowed to.  [For clarity, removing or 
commenting out the line noted as 'added!' above results in the 
not-auth.html page being served]


>
> Unfortunately, you can't define DirectoryIndex in .htaccess since the
> AllowOverride in the main config does not include "Indexes". If you can
> read the main config, look for a DirectoryIndex and copy your index.html
> to whatever is defined there (eg, welcome.html).
>
> When you get the 403, have a look at the tail of the error_log - what
> does it say?

Here is, first, the error log obtained from http://127.0.0.1/~scs1ng/   
[with the 'added!' line removed from the .htaccess file]:

[Thu Jul 22 15:45:09 2004] [error] [client 127.0.0.1] client denied by server configuration: /Users/scs1ng/Sites

and here is a transcript of the HTTP interaction:

Jul 22 15:45:09  OWHTTPSession: Connected to 127.0.0.1 (127.0.0.1:80)
Jul 22 15:45:09  http Tx: GET /~scs1ng/ HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/85 (KHTML, like Gecko) OmniWeb/v558.26
Host: 127.0.0.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, image/tiff, multipart/x-mixed-replace, */*;q=0.1
Accept-Encoding: bzip2, gzip, deflate, identity
Accept-Charset: iso-8859-1, utf-8, iso-10646-ucs-2, macintosh, windows-1252, *


Jul 22 15:45:09  http Rx: HTTP/1.1 403 Forbidden
Jul 22 15:45:09  Rx: http://127.0.0.1/~scs1ng/
Jul 22 15:45:09  Error loading <http://127.0.0.1/~scs1ng/>: Server returns "Forbidden" (403)
Jul 22 15:45:09  Date: Thu, 22 Jul 2004 14:45:09 GMT
Jul 22 15:45:09  Server: Apache/1.3.29 (Darwin) PHP/4.3.6
Jul 22 15:45:09  Last-Modified: Sun, 11 Apr 2004 10:33:20 GMT
Jul 22 15:45:09  ETag: "73c2a-1e0-40791ef0"
Jul 22 15:45:09  Accept-Ranges: bytes
Jul 22 15:45:09  Content-Length: 480
Jul 22 15:45:09  Keep-Alive: timeout=15, max=100
Jul 22 15:45:09  Connection: Keep-Alive
Jul 22 15:45:09  Content-Type: text/html


For comparison, if the 'added!' line is included again, there is no 
error and the server log file has:

127.0.0.1 - - [22/Jul/2004:15:50:58 +0100] "GET /~scs1ng/ HTTP/1.1" 200 6186


It's a puzzle!


best,

Nigel Gilbert



>
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.
>
>> # Redirect users if they don't have access to an error page
>> ErrorDocument 403 /~scs1ng/demo-pub/not_auth.html
>> # Ensure that everyone has access to the error page
>> <Files not_auth.html>
>>        Allow from all
>> </Files>
>>
>>
>> With this set up:
>>
>> accessing http://localhost/~scs1ng/index.html  retrieves the expected
>> index page
>>
>> accessing http://localhost/~scs1ng/ results in the 'not authorised'
>> message from not_auth.html
>>
>> I have tried moving the position of the 'Allow from all' directive, but
>> to no avail.  I must be misunderstanding your advice.
>
>>
>> I'd really appreciate your help here - I think I must be almost there!
>>
>> Nigel Gilbert
>>
>>
>>
>
_______________________________________________________________________
Professor Nigel Gilbert,  Editor, Journal of Artificial Societies and
      Social Simulation, <http://www.soc.surrey.ac.uk/JASSS/>
         Centre for Research on Social Simulation (CRESS)
    Department of Sociology, University of Surrey, Guildford, UK.
        Tel:+44 1483 689173   N.Gilbert@soc.surrey.ac.uk
                        <http://cress.soc.surrey.ac.uk/>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
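
Added example, not part of the original message or of Apache's own code: a simplified Python model of how the quoted .htaccess is evaluated, consistent with the error_log line naming /Users/scs1ng/Sites as the denied resource. It assumes that <Files> patterns are matched against the last path component of the resolved filename (so "*" also matches the directory name), that a later matching section replaces the earlier access rule, and that with no Order directive the default is Deny,Allow.

```python
from fnmatch import fnmatchcase
from os.path import basename

# Constructed from the .htaccess quoted in the message.
# Each rule is (order, allow_list); order None means no Order directive
# in that section, modelled here as the default "Deny,Allow" (assumption).
TOP_LEVEL = (None, ["all"])  # the bare "Allow from all" outside any <Files>
FILES_SECTIONS = [
    ("*", ("allow,deny", ["206.40"])),
    ("index.html", (None, ["all"])),
    ("not_auth.html", (None, ["all"])),
]


def host_matches(spec, ip):
    """'all', a full address, or a partial address such as 206.40."""
    return spec == "all" or ip == spec or ip.startswith(spec.rstrip(".") + ".")


def effective_rule(filename, sections=FILES_SECTIONS):
    """Return the access rule left standing after all <Files> sections."""
    rule = TOP_LEVEL
    name = basename(filename.rstrip("/"))  # a directory request yields "Sites"
    for pattern, section_rule in sections:
        if fnmatchcase(name, pattern):
            rule = section_rule  # assumption: later section replaces earlier
    return rule


def allowed(filename, ip, sections=FILES_SECTIONS):
    order, allow = effective_rule(filename, sections)
    if order == "allow,deny":
        # No Deny lines in this config: only hosts matching Allow get in.
        return any(host_matches(spec, ip) for spec in allow)
    # Deny,Allow with no Deny lines: nothing is denied.
    return True


if __name__ == "__main__":
    for path in ("/Users/scs1ng/Sites",
                 "/Users/scs1ng/Sites/index.html",
                 "/Users/scs1ng/Sites/demo-pub/not_auth.html"):
        print(path, "->", "200" if allowed(path, "127.0.0.1") else "403")
```

Under this model the request for /~scs1ng/ is checked against the directory itself before any index.html lookup happens, and the <Files *> rule is the one that applies to it.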

