httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Deny/Allow directives within <Directory> have no effect [Workaround]
Date Mon, 29 Sep 2008 20:28:48 GMT
Hi.

On the face of it, I do not understand it either.
I have re-read the doc, and I believe your Order, Allow and Deny 
directives are correct for what you want to do.

The first thing maybe to check is if you don't by any chance have some 
<Location> sections that override your <Directory> section.

Also, I encountered lately a couple of cases where AAA-control 
directives seemed to be "inherited" from a wider context to a more 
narrow one, unless specifically overriden in the narrower context.
For example, if you have something like

<Directory /var/www/dir>
   AAA-control directive type 1
</Directory>
<Directory /var/www/dir1/subdir>
   (no AAA-control directive type 1)
   AAA-control directive type 2
</Directory>

then the subdirectory subdir seems to inherit the AAA-control directive 
type 1 from the parent, despite having another AAA-control directive of 
its own. I cannot remember specifics, but I'm quite sure that I've seen 
cases like that.

Now, in your Directory, you specify "AllowOverride All".
That seems to allow *any* kind of directive to be used in the .htaccess 
file of your /protected location, including access-control directives.
Might it be that the absence of access-control directives in the 
htaccess file overrides the earlier Directory-level specs ?

Or am I telling utter nonsense ?
Gurus, please ?

I propose a couple of experiments :
- what if you add Order, Allow and Deny directives in your htaccess file ?
- alternatively, leave the htaccess file as it is, but in your Directory 
section, change the "AllowOverride All" into "AllowOverride FileInfo"



Steffen Neumann wrote:
> Hi,
> 
> Just for the record, I worked around the problem 
> using a rewrite to a 404 page for the clients not allowed.
> 
> I'm still curious about the actual problem.
> Anyone ? Do I need to provide some more details ?
> 
> Yours, 
> Steffen
> 
> 
> On Tue, 2008-09-23 at 13:48 +0200, Steffen Neumann wrote:
>> Hi,
>>
>> Securing a directory with Allow/Deny is supposedly 
>> something very simple, yet I have tried for quote a while now,
>> and seek help on the list. This is the setup:
>>
>> I have an apache 2.2.8 on ubuntu 8.04.1 64bit, 
>> which is serving (and reverse proxying)
>> a number of pages/applications.
>>
>> One of them is http://www/protected/, which is supposed 
>> to be accessible only from our site and a small number 
>> of collaborators. The <Directory> directives are below.
>> Despite Deny from all / Allow 192.168 it will still deliver content 
>> happily to outsiders, as the log shows:
>>
>> 141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html HTTP/1.0" 200
7675 "-" "Wget/1.11"
>>
>> I thought from http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
>> that the Allow/Deny can only be overridden in .htaccess, 
>> and I can't find any reference what other directives in the 
>> other configuration files could interfere with these.
>>
>> The /usr/lib/apache2/modules/mod_authz_host.so
>> is loaded on startup.
>>
>> Any ideas ?
>>
>> Thanks in advance, 
>> Steffen
>>
>>
>> <Directory "/path/to/protected">
>>         Order deny,allow
>>         Allow from 192.168
>>         Deny from all
>>         AllowOverride All
>>         Options -Indexes
>> </Directory>
>> JkMount /protected/jsp/* tomcat_worker
>>
>> ScriptAlias /protected/cgi-bin/ /path/to/protected/cgi-bin/"
>> <Directory "/path/to/protected/cgi-bin">
>>         Order deny,allow
>>         Allow from 192.168
>>         Deny from all
>>         AddHandler cgi-script .cgi
>>         Options +ExecCGI
>> </Directory>
>>
>> In addition I have a file protected/.htaccess which does the rewriting 
>> for the pages which moved to tomcat, handled by the JkMount (see below) 
>>
>> cat .htaccess
>> RewriteEngine on
>> RewriteRule ^Search.html$ jsp/Search.jsp
>>
>> Although I can't see how this would interfere with allow/deny,
>> since the index.html is not covered by the rewriting.
>>
>>
>>
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message