httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Noel Butler <>
Subject Re: [users@httpd] Preferred way of limiting direct access
Date Tue, 28 Feb 2012 05:57:41 GMT
On Mon, 2012-02-27 at 10:32 +0000, Lester Caine wrote:

> Spring cleaning time ...
> I have a number of older dynamically built sites that are still using .htaccess 
> to limit access to areas that only PHP needs to read. This is the simply way of 
> doing things, but I am looking to current practice, and the performance hit may 
> well be something I need to be concerned about?

Best practice is using permissions in your main httpd.conf file, if you
have thousands of hosts it will be resource nicer.

> What is the tidiest way to limit access via the <Directory> entry ( or do I need

> multiple entries? ) so that people can download content in the storage area, but 
> only access the functions (PHP pages) in the various packages?
> Each package has it's own directory under root, and some packages are only using 
> 'internally', but despite having some directories specifically blocked in the 
> robots.txt file, they are still being trawled by search engines and I think I 
> need to restore the .htaccess set-up in each?
> Basically should I just 'deny all' on route and then open holes to the bits that 
> need to be visible? The storage directory is easy, and .php in the accessible 
> packages, but it's the .js, .css, icons and style elements that seem confusing. 
> In practice, the basic structure of the project may be wrong for the way Apache 
> now expects to work, but keeping everything related to a bundle like 'wiki' in 
> one directory allows a modular approach which IS working well otherwise.

Always deny everything by default then open up what you want accessed on
a global scale, something like wikis, forums and webmail scripts often
are not very nice for things like that, because they want to allow
access to top directories but deny sub dirs, so a .htaccess file would
be easier to manage, but if there's only a few dirs, I'd opt for
httpd.conf to be cleaner.

<Directory />
    AllowOverride None
    Require all denied

allow to access the web server root holding virtual hosts:
<Directory "/var/www/hosts">
    AllowOverride None
    Require all granted

to protect each hosts admin section ,  a deny entry per domain

<Directory /var/www/hosts/>
      Require ip 10.10.0
      Auth* stuff
      Require valid-user
<Directory /var/www/hosts/>
     Require ip 10.10.0
     Autrh* stuff
     Require valid-user

Simple, but when you have stuff that has 20 subdirs and  wants to stop
you accessing inc css lib foo bar etc..., your httpd.conf becomes rather
large and maybe messy, so its easier to then use .htaccess to stop them
in those dirs

many bots also don't care about robots.txt files, even if you have 
User-agent: *
Disallow: /

That says dont traverse me, but it will always hit the root dir of the
URL to check i

Note: If using 2.0/2.2 replace require ip with order deny, allow ,
satisfy any..... you know the drill

View raw message