httpd-users mailing list archives

From Joshua Slive <>
Subject Re: [users@httpd] Securing Apache at the top, can htaccess override that?
Date Fri, 05 Nov 2004 15:42:03 GMT
On Fri, 5 Nov 2004 07:20:45 -0800, Vicki Brown <> wrote:
> htaccess files AllowOverride.  Is it possible to make a sub area of a site
> _less_ secure than Apache authentication makes the "entire" site?  Is it
> possible to prevent this?

> The Sys Admin says the Company is using a .htaccess file at the DocumentRoot
> to secure the site. In theory, any portion of the site could be opened for
> lower security if someone with access to the server added another .htaccess
> file further down the tree. Yipes!
> What is desirable is a server that shows itself outside the firewall with
> password access and where no lower directories in the tree can possibly have
> more open security than the tree as a whole (the main page).
> Can we do this in Apache? Or would we need to run the site out of CGI or
> something else that handles all page authentications for us??

Yes, this is a little risky.  It is crucial to understand the order of
processing of configuration files.

One good thing to know: <Location> sections are evaluated after all
<Directory>/.htaccess/etc.  So a quite reliable way to assure that
your site is password protected is to list something like

<Location />
Satisfy All
Require valid-user
</Location>

and put it at the end of httpd.conf.  I can't think of any way to get
around that.
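
The merge order described in the reply above, laid out as an added example that is not part of the original message. It uses the same directive syntax as the message; the paths, realm name and password file are assumptions.

```apache
# Added example; /var/www/html, "Company Site" and the password file
# path are assumed values, not taken from the thread.

# --- Earlier in httpd.conf: protection applied at the directory level ---
<Directory "/var/www/html">
    # .htaccess files may change authentication and host-access settings
    AllowOverride AuthConfig Limit
    AuthType Basic
    AuthName "Company Site"
    AuthUserFile "/etc/httpd/passwd/users"
    Require valid-user
</Directory>

# --- /var/www/html/project/.htaccess, added further down the tree ---
# Merged after the <Directory> section above. For /project/ these three
# lines make the password optional: every host passes the Allow check,
# and Satisfy Any accepts either check on its own.
#   Order allow,deny
#   Allow from all
#   Satisfy Any

# --- Last section in httpd.conf ---
# <Location> sections are merged after all <Directory> and .htaccess
# settings, so these values are the ones in effect for every URL under /.
# The Auth* directives are repeated here so the section does not depend
# on values set earlier in the merge order.
<Location />
    AuthType Basic
    AuthName "Company Site"
    AuthUserFile "/etc/httpd/passwd/users"
    Satisfy All
    Require valid-user
</Location>
```

Where sub-directories have no need for their own access rules, `AllowOverride None` on the tree means .htaccess files are not read at all.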

