Return-Path: 
 <users-return-65079-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-users-archive@www.apache.org
Received: (qmail 63091 invoked from network); 25 Jul 2006 12:02:39 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 25 Jul 2006 12:02:39 -0000
Received: (qmail 90335 invoked by uid 500); 25 Jul 2006 12:02:27 -0000
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 90315 invoked by uid 500); 25 Jul 2006 12:02:27 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
List-Post: <mailto:users@httpd.apache.org>
List-Id: <users.httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 90303 invoked by uid 99); 25 Jul 2006 12:02:27 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 25 Jul 2006 05:02:27 -0700
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
Received: from [132.183.202.9] (HELO mail.nmr.mgh.harvard.edu) (132.183.202.9)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 25 Jul 2006 05:02:25 -0700
Received: from maequeses.nmr.mgh.harvard.edu (maequeses.nmr.mgh.harvard.edu
 [132.183.202.83])
	(authenticated bits=0)
	by mail.nmr.mgh.harvard.edu (8.13.1/8.13.1) with ESMTP id k6PC20WS017410
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Tue, 25 Jul 2006 08:02:00 -0400
Date: Tue, 25 Jul 2006 08:02:00 -0400 (EDT)
From: Chris Johnson <johnson@nmr.mgh.harvard.edu>
To: users@httpd.apache.org
cc: Chris Johnson <johnson@nmr.mgh.harvard.edu>
In-Reply-To: <e498c1660607241058s55893c5fg4498a6d2544b4055@mail.gmail.com>
Message-ID: <Pine.LNX.4.62.0607250759190.10015@maequeses.nmr.mgh.harvard.edu>
References: <Pine.LNX.4.62.0607241259120.32497@maequeses.nmr.mgh.harvard.edu>
 <e498c1660607241058s55893c5fg4498a6d2544b4055@mail.gmail.com>
X-Annoucement-1: Don't blame me I didn't vote for him.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-NMR-MGH-MailScanner-Information: Please contact the ISP for more information
X-NMR-MGH-MailScanner: Found to be clean
X-NMR-MGH-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.82,
	required 5, autolearn=disabled, ALL_TRUSTED -2.82)
X-NMR-MGH-MailScanner-From: johnson@nmr.mgh.harvard.edu
X-Virus-Checked: Checked by ClamAV on apache.org
Subject: Re: [users@httpd] Directory/Virtualhost & ACLs.
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

On Mon, 24 Jul 2006, Joshua Slive wrote:

> On 7/24/06, Chris Johnson <johnson@nmr.mgh.harvard.edu> wrote:
>>       Hey all,
>> 
>>       Have a messy config question here.
>> 
>>       Directory and Virtualhost seem to fire up what amounts to their
>> own ACLs, i.e. order, allow and deny.  We just got hit last week by an
>> autamate that probed the server, found some  forms and then submited a
>> bunch of them.  Obviously we would very much like to block this
>> sillyness whenever possible.
>> 
>>       I can set up an order/allow/deny set easily enough.  The problem
>> comes when you're running a few Directory blocks as well as
>> virtualhosts.  It gets really messy chasing down every ACL to update
>> them.
>> 
>>       The first obvious solution is a common include file included in
>> each directory or virtualhost block where needed.  That way everything
>> is in one file and it's easy to main the ACL.
>> 
>>       But this sort of thing must be pretty common these days.
>> 
>>       So, first question.  Do Directory and Virtualhost blocks have
>> their own ACLs?  Seem to from where I'm sitting.
>
> They do, but they will inherit from the parent context when nothing is
> specified.
> See:
> http://httpd.apache.org/docs/2.2/sections.html#mergin
>
>> 
>>       Second.  Is there any other/better way to deal with this
>> annoyance?  What do ohers do?
>
> Use Order/Allow/Deny directives only where you need to change the
> permissions applied to a parent context.  Otherwise, leave them out.
>
>

      Excuse me, I shave asked the following.  Should this be true for 
Apache 1.3 as well?  Because I'm not seeing it.

--------------------------------------------------------------------------------
Chris Johnson               |Internet: johnson@nmr.mgh.harvard.edu
Systems Administrator       |Web:      http://www.nmr.mgh.harvard.edu/~johnson
NMR Center                  |Voice:    617.726.0949
Mass. General Hospital      |FAX:      617.726.7422
149 (2301) 13th Street      |God must love stupid people.  She keeps making 
Charlestown, MA., 02129 USA |them in such horrifyingly large numbers.  Me
--------------------------------------------------------------------------------

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org