httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] Securing Apache at the top, can htaccess override that?
Date Fri, 05 Nov 2004 15:42:03 GMT
On Fri, 5 Nov 2004 07:20:45 -0800, Vicki Brown <vlb@cfcl.com> wrote:
> htaccess files AllowOverride.  Is it possible to make a sub area of a site
> _less_ secure than Apache authentication makes the "entire" site?  Is it
> possible to prevent this?

> The Sys Admin says the Company is using a .htaccess file at the DocumentRoot
> to secure the site. In theory, any portion of the site could be opened for
> lower security if someone with access to the server added another .htaccess
> file further down the tree. Yipes!
> 
> What is desirable is a server that shows itself outside the firewall with
> password access and where no lower directories in the tree can possibly have
> more open security than the tree as a whole (the main page).
> 
> Can we do this in Apache? Or would we need to run the site out of CGI or
> something else that handles all page authentications for us??

Yes, this is a little risky.  It is crucial to understand the order of
processing of configuration files.

One good thing to know: <Location> sections are evaluated after all
<Directory>/.htaccess/etc.  So a quite reliable way to assure that
your site is password protected is to list something like

<Location />
Satisfy All
Require valid-user
</Location>

and put it at the end of httpd.conf.  I can't think of any way to get
around that.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
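
The merge order described in the message above, as a simplified model. This is an added example, not part of the original post and not Apache's own code. `DOCROOT`, the section lists and all function names are constructed assumptions, and only `Satisfy`, `Require` and `Allow` are modeled, with the value merged last winning.

```python
# Simplified model of Apache 2.0/2.2 section merging (an assumption of this
# example): only Satisfy, Require and Allow are tracked, and the value merged
# last wins. All paths and section lists below are constructed.
DOCROOT = "/var/www/html"

def within(path, scope):
    """True if path equals scope or lies beneath it."""
    scope = scope.rstrip("/")
    return path == scope or path.startswith(scope + "/")

def effective(sections, url):
    """Merge the directives that apply to url, filesystem sections first."""
    fs_path = DOCROOT + url
    # Phase 1: <Directory> and .htaccess, shortest path first; at equal depth
    # the .htaccess file is merged after the <Directory> section.
    fs = [s for s in sections
          if s[0] in ("directory", "htaccess") and within(fs_path, s[1])]
    fs.sort(key=lambda s: (len(s[1].rstrip("/")), s[0] == "htaccess"))
    # Phase 2: <Location>, in configuration-file order, after everything above.
    loc = [s for s in sections if s[0] == "location" and within(url, s[1])]
    merged = {}
    for _kind, _scope, directives in fs + loc:
        merged.update(directives)
    return merged

def needs_login(sections, url):
    """True if the merged configuration still demands a valid user."""
    cfg = effective(sections, url)
    if cfg.get("Satisfy", "All").lower() == "any" and cfg.get("Allow") == "from all":
        return False  # host check alone is enough, so no password prompt
    return "Require" in cfg

def audit(sections, urls):
    """Return the URLs that would be served without authentication."""
    return [u for u in urls if not needs_login(sections, u)]

# The setup from the thread: protection only in the DocumentRoot .htaccess,
# plus a deeper .htaccess that relaxes it.
SITE = [
    ("htaccess", "/var/www/html", {"AuthType": "Basic", "Require": "valid-user"}),
    ("htaccess", "/var/www/html/public", {"Satisfy": "Any", "Allow": "from all"}),
]
# Same site with the <Location /> block placed at the end of httpd.conf.
LOCKED = SITE + [("location", "/", {"Satisfy": "All", "Require": "valid-user"})]
URLS = ["/index.html", "/public/index.html"]

if __name__ == "__main__":
    print("without <Location />:", audit(SITE, URLS))
    print("with <Location />:   ", audit(LOCKED, URLS))
```

The real server also merges `<DirectoryMatch>` and `<Files>` sections between the two phases shown here; they are left out because they are still evaluated before `<Location>`.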

