httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jason Vas Dias <>
Subject Re: [users@httpd] Re: denying access to SSI fragments
Date Wed, 06 Apr 2011 18:24:52 GMT
And, in briefly re-examing my reason for developing this module,  here's 
what happens when, on a stock freshly installed httpd-2.2.17-1.fc14.x86_64 
FC-14 setup, I try to do :

 in /etc/httpd/conf/httpd.conf :
  @line 320:
<Directory "/var/www/html">

# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
# The Options directive is both complicated and important.  Please see
# for more information.
    XBitHack on
    Options Indexes FollowSymLinks Includes

And then create /var/www/html/test_inc.html :

$ echo '<!--#include file="/var/www/include/"-->
' > /var/www/html/test_inc.html
$ chown apache:apache /var/www/html/test_inc.html; chmod 0755 /var/www/html/test_inc.html
and then create /var/www/include/ :
$ echo 'html>
<title> It worked!</title>
' > /var/www/include/
$ chown apache:apache /var/www/include/; chmod 0644  /var/www/include/
$ curl
[Wed Apr 06 18:13:43 2011] [error] [client] unable to include file "/var/www/include/"
in parsed file /var/www/html/test_inc.html
[an error occurred while processing this directive]

Gee, what an informative error message ! (I was doing 'tail -f /var/log/http/error_log &')

This is because there is no "<Directory> ... </Directory>" entry for "/var/www/include"
So standard apache SSI  can't work even if my scripts use absolute URLs  - my
include directory MUST be in some  '<Directory>...</Directory>' - but I don't
want to provide any HTTP/S access to SSI fragments - so how can I put them 
in a non-'<Directory>...</Directory>' location ?

So to me it is just easier to develop the 'ssi-fragment' mime-type handler module ,
which enables SSI to be used freely ,  safely and efficiently by scripts without 
letting all-and-sundry access SSI fragments which may be security sensitive
outside their containing documents.

My ssi-fragment module has been working OK for some months now on my client's web-server -

I'll check with my client to see if it's OK to make it open-source , and if so,
will post it here or to 'apache-contrib' - I can't find anything else that does the job .

All the best,

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message