httpd-users mailing list archives
From "Timothy D Legg" <>
Subject Re: [users@httpd] Best practice for restricting access to exact IP addresses
Date Fri, 01 Dec 2017 15:36:23 GMT
That is almost identical to what I discovered independently.  I read every
active .conf file in entirety to realize this.

I was under the assumption that from a web client perspective, a2dissite on
all sites had the same effect as stopping apache, essentially forcing it
idle.  It appears that a2dissite doesn't really truly take all sites
offline, but instead defaults to a precompiled string for the document

That seems to invite a hazardous situation; say, for example, a user is
virtual hosting n sites and uses a directory structure inside /var/www/
such as:


and then believes that running a2dissite on all of these, perhaps to make a
backup of a php-encrusted website (such as mine), will cause the document root
to default to the top level of all these sites and perhaps reveal SQL
passwords in the process.

I hope this is not true...

> On 01/12/17 15:39, Timothy D Legg wrote:
>> To be much more explicit, this is a conf file located in
>> /etc/apache2/sites-available and is the only file symlinked into
>> /etc/apache2/sites-enabled
> It is most likely included into /etc/apache2/apache2.conf or
> /etc/apache2/httpd.conf, which most likely contains `Include
> ports.conf`, which contains the line `Listen 80`. Since no virtual host or
> DocumentRoot is defined for this port, most likely the server uses the
> compiled-in value of DocumentRoot, which is most likely /var/www/html. Also,
> the main conf most likely contains several `Require all ...` lines which
> affect all virtual hosts.
> --
> With Best Regards,
> Marat Khalili

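The condition Marat describes, a port that is still listened on after every site has been disabled, can be spotted from the config files alone. The following audit script is an added example, not code from this thread or from the Apache project; it assumes the Debian sites-available/sites-enabled layout and builds a small constructed config tree to run against.

```shell
# Added audit script (not from the thread): list ports Apache would Listen on
# without any <VirtualHost> bound to them. Requests on those ports are answered
# by the main server, i.e. the compiled-in DocumentRoot the reply describes,
# which is the state that a2dissite on every site leaves behind. Text-only scan;
# sites-available is skipped since a2dissite merely removes the sites-enabled symlink.

conf_files() { find "$1" -name '*.conf' -not -path '*/sites-available/*'; }

# Reduce "host:port" / "[v6]:port" / "port" to the port number; anything
# without an explicit port ("*", "10.0.0.1", "[::1]") becomes ALL.
to_port() {
    awk '{ p = $1
           if (match(p, /:[0-9]+$/)) p = substr(p, RSTART + 1)
           if (p !~ /^[0-9]+$/) p = "ALL"
           print p }'
}

listen_ports() {
    conf_files "$1" | xargs grep -hiE '^[[:space:]]*Listen[[:space:]]' \
      | awk '{ print $2 }' | to_port | sort -u
}

# A <VirtualHost> with no explicit port is ALL: Apache matches it on every port.
vhost_ports() {
    conf_files "$1" | xargs grep -hoiE '<VirtualHost[^>]*>' \
      | sed -E 's/^<[A-Za-z]+//; s/>$//' | tr ' ' '\n' | grep -v '^$' \
      | to_port | sort -u
}

orphan_listen_ports() {
    vh=$(vhost_ports "$1")
    printf '%s\n' "$vh" | grep -qx ALL && return 0   # catch-all vhost covers everything
    listen_ports "$1" | while read -r port; do
        printf '%s\n' "$vh" | grep -qx "$port" || echo "$port"
    done
}

# Constructed Debian-style tree after `a2dissite site1`: ports.conf still
# listens on 80 but only the :443 site remains enabled.
build_demo_tree() {
    d=$(mktemp -d); mkdir -p "$d/sites-available" "$d/sites-enabled"
    printf 'Include ports.conf\nIncludeOptional sites-enabled/*.conf\n' > "$d/apache2.conf"
    printf 'Listen 80\n<IfModule ssl_module>\n\tListen 443\n</IfModule>\n' > "$d/ports.conf"
    printf '<VirtualHost *:80>\n\tDocumentRoot /var/www/site1\n</VirtualHost>\n' > "$d/sites-available/site1.conf"
    printf '<VirtualHost *:443>\n\tDocumentRoot /var/www/site2\n</VirtualHost>\n' > "$d/sites-available/site2.conf"
    ln -s ../sites-available/site2.conf "$d/sites-enabled/site2.conf"
    echo "$d"
}

demo=$(build_demo_tree)
orphan_listen_ports "$demo"   # prints: 80
```

Point it at /etc/apache2 on a real host; any port it prints is one where the main server's DocumentRoot and the main conf's `Require all ...` lines, not a site config, decide what is served.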
