httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam <adam.v...@vestfarms.com.INVALID>
Subject Re: [users@httpd] "Define" directive is ALWAYS parsed
Date Sun, 18 Sep 2016 19:25:53 GMT
Ah yes, the monkey wrench. So the reason why going that route isn't an
option is because this is being done in a shared environment, with
.htaccess enabled for users. In an environment like that, anyone can
just drop SetHandler server-info into any .htaccess they want and get
all of that (sometimes sensitive) info. Due to the nature of all this,
it was looking like the only way to truly limit who could gain access
to that info would be to only load the module itself under specific
circumstances, which is what led me to where I'm at now.
Is there a way I've not yet found that allows me to disable using SetHa
ndler in an .htaccess context (while still allowing other things), or
to not allow defining server-info there?
Thanks for your help thus far, also!
On Sun, 2016-09-18 at 15:09 -0400, Eric Covener wrote:
> On Sun, Sep 18, 2016 at 1:11 PM, Adam 
> d> wrote:
> > 
> > Specifically, I'm trying to limit accessibility to the mod_info
> > page to only
> > specific users/IP's. I thought I would be able to get away with
> > that by
> > doing something like:
> > 
> > <If "-R 'ip.add.re.ss''">
> > 
> >         Define me
> > 
> > </If>
> > 
> > 
> > Then do something like:
> > 
> > <IfDefine me>
> > 
> >         LoadModule info_module modules/mod_info.so
> > 
> >         <Location "/server-info">
> > 
> >                 SetHandler server-info
> > 
> >         </Location>
> > 
> > </IfDefine>
> 
> This mixes a lot of per-request things with non-per-request things --
> like loading modules (and Define).
> 
> Why not just use Require ip ... inside of the Location block w/
> SetHandler?
> 
> 
Mime
View raw message