Posted to users@httpd.apache.org by Steffen Neumann <sn...@ipb-halle.de> on 2008/09/29 20:42:04 UTC

Re: [users@httpd] Deny/Allow directives within have no effect [Workaround]

Hi,

Just for the record, I worked around the problem 
using a rewrite to a 404 page for the clients not allowed.

I'm still curious about the actual problem.
Anyone ? Do I need to provide some more details ?

Yours, 
Steffen


On Tue, 2008-09-23 at 13:48 +0200, Steffen Neumann wrote:
> Hi,
> 
> Securing a directory with Allow/Deny is supposedly 
> something very simple, yet I have tried for quite a while now,
> and seek help on the list. This is the setup:
> 
> I have an apache 2.2.8 on ubuntu 8.04.1 64bit, 
> which is serving (and reverse proxying)
> a number of pages/applications.
> 
> One of them is http://www/protected/, which is supposed 
> to be accessible only from our site and a small number 
> of collaborators. The <Directory> directives are below.
> Despite Deny from all / Allow 192.168 it will still deliver content 
> happily to outsiders, as the log shows:
> 
> 141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html HTTP/1.0" 200 7675 "-" "Wget/1.11"
> 
> I thought from http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
> that the Allow/Deny can only be overridden in .htaccess, 
> and I can't find any reference what other directives in the 
> other configuration files could interfere with these.
> 
> The /usr/lib/apache2/modules/mod_authz_host.so
> is loaded on startup.
> 
> Any ideas ?
> 
> Thanks in advance, 
> Steffen
> 
> 
> <Directory "/path/to/protected">
>         Order deny,allow
>         Allow from 192.168
>         Deny from all
>         AllowOverride All
>         Options -Indexes
> </Directory>
> JkMount /protected/jsp/* tomcat_worker
> 
> ScriptAlias /protected/cgi-bin/ /path/to/protected/cgi-bin/
> <Directory "/path/to/protected/cgi-bin">
>         Order deny,allow
>         Allow from 192.168
>         Deny from all
>         AddHandler cgi-script .cgi
>         Options +ExecCGI
> </Directory>
> 
> In addition I have a file protected/.htaccess which does the rewriting 
> for the pages which moved to tomcat, handled by the JkMount (see below) 
> 
> cat .htaccess
> RewriteEngine on
> RewriteRule ^Search.html$ jsp/Search.jsp
> 
> Although I can't see how this would interfere with allow/deny,
> since the index.html is not covered by the rewriting.
> 
> 
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Deny/Allow directives within have no effect [Workaround]

Posted by Eric Covener <co...@gmail.com>.
On Mon, Sep 29, 2008 at 5:20 PM, André Warnier <aw...@ice-sa.com> wrote:
> Eric Covener wrote:
>>>>
>>>> <Directory "/path/to/protected">
>>>>        Order deny,allow
>>>>        Allow from 192.168
>>>>        Deny from all
>>>>        AllowOverride All
>>>>        Options -Indexes
>>>> </Directory>
>>
>>>> JkMount /protected/jsp/* tomcat_worker
>>
>>>> 141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html
>>>> HTTP/1.0" 200 7675 "-" "Wget/1.11"
>>
>> You need to use <Location>, not <Directory>.
>>
>> This content isn't served out of /path/to/protected, so the
>> configuration for that directory isn't applicable.
>>
> Hi Eric.
> What makes you say that the content for "GET /protected/index.html" is not
> served out of /path/to/protected ?
> (I'm not saying you're wrong, it's just that I don't see that from the
> available information. Did I miss something ?)

You're right, I misread the argument JKMount.

Since the rewrite occurs in .htaccess, access control should be
running twice -- before the rewriting where those rules would apply
and after where they'd no longer apply (for external users, they'd hit
the 403 the first time).

If the rules were in vhost context, only the second check would apply
and external users would be allowed in (because a proxied request
doesn't match any Directory container)

The report still seems to be "off" by one detail.

-- 
Eric Covener
covener@gmail.com


Re: [users@httpd] Deny/Allow directives within have no effect [Workaround]

Posted by André Warnier <aw...@ice-sa.com>.
Eric Covener wrote:
>>> <Directory "/path/to/protected">
>>>         Order deny,allow
>>>         Allow from 192.168
>>>         Deny from all
>>>         AllowOverride All
>>>         Options -Indexes
>>> </Directory>
> 
>>> JkMount /protected/jsp/* tomcat_worker
> 
>>> 141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html HTTP/1.0" 200 7675 "-" "Wget/1.11"
> 
> You need to use <Location>, not <Directory>.
> 
> This content isn't served out of /path/to/protected, so the
> configuration for that directory isn't applicable.
> 
Hi Eric.
What makes you say that the content for "GET /protected/index.html" is 
not served out of /path/to/protected ?
(I'm not saying you're wrong, it's just that I don't see that from the 
available information. Did I miss something ?)



Re: [users@httpd] Deny/Allow directives within have no effect [Workaround]

Posted by Eric Covener <co...@gmail.com>.
>> <Directory "/path/to/protected">
>>         Order deny,allow
>>         Allow from 192.168
>>         Deny from all
>>         AllowOverride All
>>         Options -Indexes
>> </Directory>

>> JkMount /protected/jsp/* tomcat_worker

>> 141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html HTTP/1.0" 200 7675 "-" "Wget/1.11"

You need to use <Location>, not <Directory>.

This content isn't served out of /path/to/protected, so the
configuration for that directory isn't applicable.

-- 
Eric Covener
covener@gmail.com


Re: [users@httpd] Deny/Allow directives within have no effect [Workaround]

Posted by Steffen Neumann <sn...@ipb-halle.de>.
On Mon, 2008-09-29 at 22:28 +0200, André Warnier wrote:
> The first thing maybe to check is if you don't by any chance have some 
> <Location> sections that override your <Directory> section.
Yup, that got me on the right track.

I had a spurious <Location /> I copied 
from a httpd.conf that was used for an application 
on a dedicated server.

Thanks André,
Yours,
Steffen

-- 
IPB Halle                    AG Massenspektrometrie & Bioinformatik
Dr. Steffen Neumann          http://www.IPB-Halle.DE
Weinberg 3                   http://msbi.bic-gh.de
06120 Halle                  Tel. +49 (0) 345 5582 - 1470
                                  +49 (0) 345 5582 - 0
sneumann(at)IPB-Halle.DE     Fax. +49 (0) 345 5582 - 1409
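The following is an added example, not code from this thread or from Apache: a small Python model of how Apache 2.2 mod_authz_host ends up with one set of Order/Allow/Deny rules per request, so that both points raised in the thread can be seen side by side. It assumes (a) that Directory sections only apply when the URL maps to a filesystem path, which a JkMount'ed or proxied URL never does (Eric's point about needing <Location>), (b) that Location sections are applied after Directory sections, in config order, and (c) that the last applied section carrying any Order/Allow/Deny directive replaces the earlier ones, which is what a stray <Location /> does to the <Directory> rules (André's check). The content of the stray <Location /> is a constructed guess, since the thread never shows it; the Directory block is the one Steffen posted.

```python
"""
Toy model of Apache 2.2 mod_authz_host section precedence.  Added example,
not Apache code.  Assumptions: Directory sections apply only when the URL
maps to a filesystem path; Location sections are applied afterwards, in
config order; the last applied section that carries Order/Allow/Deny
replaces earlier ones (a later section overrides rather than merges).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Section:
    kind: str                 # "Directory" or "Location"
    arg: str                  # filesystem path or URL prefix, no trailing slash
    order: str = ""           # "deny,allow" or "allow,deny"; "" means default deny,allow
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)


def parse_config(text):
    """Extract Directory/Location sections and their access-control lines."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'<(Directory|Location)\s+"?([^">]+)"?>', line)
        if m:
            cur = Section(m.group(1), m.group(2).rstrip("/") or "/")
            continue
        if line.startswith("</") and cur is not None:
            sections.append(cur)
            cur = None
            continue
        parts = line.split()
        if cur is None or len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "order":
            cur.order = parts[1].lower()
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            getattr(cur, key).extend(parts[2:])
    return sections


def has_access_control(s):
    return bool(s.order or s.allow or s.deny)


def host_matches(pattern, ip):
    """'all', a full address, or a partial dotted prefix such as '192.168'."""
    if pattern == "all":
        return True
    return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")


def evaluate(section, ip):
    """Apply one section's Order/Allow/Deny to a client address: 200 or 403."""
    allowed = any(host_matches(p, ip) for p in section.allow)
    denied = any(host_matches(p, ip) for p in section.deny)
    if section.order == "allow,deny":                 # default deny; Deny beats Allow
        return 200 if allowed and not denied else 403
    return 403 if denied and not allowed else 200     # deny,allow: Allow beats Deny


def path_under(path, base):
    return base == "/" or path == base or path.startswith(base + "/")


def decide(sections, url_path, fs_path, ip):
    """Return (status, section in force).  fs_path is None when the URL is
    handed to a proxy/JkMount and never maps to a directory."""
    in_force = None
    dirs = sorted((s for s in sections if s.kind == "Directory"),
                  key=lambda s: s.arg.count("/"))
    for s in dirs:                                    # shortest Directory first
        if (fs_path is not None and path_under(fs_path, s.arg)
                and has_access_control(s)):
            in_force = s
    for s in sections:                                # then Location, in config order
        if (s.kind == "Location" and path_under(url_path, s.arg)
                and has_access_control(s)):
            in_force = s
    if in_force is None:
        return 200, None
    return evaluate(in_force, ip), in_force


def audit_locations(sections):
    """Defender's check: Location sections carrying access control, which can
    silently replace Directory-level rules."""
    return [s.arg for s in sections if s.kind == "Location" and has_access_control(s)]


# The Directory block from the thread.
BASE_CONF = """
<Directory "/path/to/protected">
        Order deny,allow
        Allow from 192.168
        Deny from all
        AllowOverride All
        Options -Indexes
</Directory>
"""
# Constructed guess at the stray <Location /> (its content is not in the thread).
STRAY_LOCATION = """
<Location />
        Order allow,deny
        Allow from all
</Location>
"""
# The same restriction as a Location, which also covers the JkMount'ed JSPs.
LOCATION_FIX = """
<Location /protected>
        Order deny,allow
        Allow from 192.168
        Deny from all
</Location>
"""

if __name__ == "__main__":
    idx = ("/protected/index.html", "/path/to/protected/index.html")
    jsp = ("/protected/jsp/Search.jsp", None)   # served by Tomcat, no directory
    for name, conf in [("Directory only", BASE_CONF),
                       ("with stray Location /", BASE_CONF + STRAY_LOCATION),
                       ("Directory + Location /protected", BASE_CONF + LOCATION_FIX)]:
        secs = parse_config(conf)
        print(name, "| outsider:", decide(secs, *idx, "141.0.0.1")[0],
              "| insider:", decide(secs, *idx, "192.168.1.5")[0],
              "| outsider on JSP:", decide(secs, *jsp, "141.0.0.1")[0],
              "| Location sections with access control:", audit_locations(secs))
```

With only the Directory block, the outsider gets 403 and the JkMount'ed JSP is not covered at all; adding the stray <Location /> lets the outsider through to index.html, reproducing the 200 in the log; expressing the restriction as <Location /protected> covers both the static files and the JSPs. On a live server the equivalent of audit_locations is a grep for `<Location` across every file pulled in by Include, which is how the copied-over section would have turned up.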



Re: [users@httpd] Deny/Allow directives within have no effect [Workaround]

Posted by André Warnier <aw...@ice-sa.com>.
Hi.

On the face of it, I do not understand it either.
I have re-read the doc, and I believe your Order, Allow and Deny 
directives are correct for what you want to do.

The first thing maybe to check is if you don't by any chance have some 
<Location> sections that override your <Directory> section.

Also, I encountered lately a couple of cases where AAA-control 
directives seemed to be "inherited" from a wider context to a more 
narrow one, unless specifically overridden in the narrower context.
For example, if you have something like

<Directory /var/www/dir>
   AAA-control directive type 1
</Directory>
<Directory /var/www/dir1/subdir>
   (no AAA-control directive type 1)
   AAA-control directive type 2
</Directory>

then the subdirectory subdir seems to inherit the AAA-control directive 
type 1 from the parent, despite having another AAA-control directive of 
its own. I cannot remember specifics, but I'm quite sure that I've seen 
cases like that.

Now, in your Directory, you specify "AllowOverride All".
That seems to allow *any* kind of directive to be used in the .htaccess 
file of your /protected location, including access-control directives.
Might it be that the absence of access-control directives in the 
htaccess file overrides the earlier Directory-level specs ?

Or am I telling utter nonsense ?
Gurus, please ?

I propose a couple of experiments :
- what if you add Order, Allow and Deny directives in your htaccess file ?
- alternatively, leave the htaccess file as it is, but in your Directory 
section, change the "AllowOverride All" into "AllowOverride FileInfo"



Steffen Neumann wrote:
> Hi,
> 
> Just for the record, I worked around the problem 
> using a rewrite to a 404 page for the clients not allowed.
> 
> I'm still curious about the actual problem.
> Anyone ? Do I need to provide some more details ?
> 
> Yours, 
> Steffen
> 
> 
> On Tue, 2008-09-23 at 13:48 +0200, Steffen Neumann wrote:
>> Hi,
>>
>> Securing a directory with Allow/Deny is supposedly 
>> something very simple, yet I have tried for quite a while now,
>> and seek help on the list. This is the setup:
>>
>> I have an apache 2.2.8 on ubuntu 8.04.1 64bit, 
>> which is serving (and reverse proxying)
>> a number of pages/applications.
>>
>> One of them is http://www/protected/, which is supposed 
>> to be accessible only from our site and a small number 
>> of collaborators. The <Directory> directives are below.
>> Despite Deny from all / Allow 192.168 it will still deliver content 
>> happily to outsiders, as the log shows:
>>
>> 141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html HTTP/1.0" 200 7675 "-" "Wget/1.11"
>>
>> I thought from http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
>> that the Allow/Deny can only be overridden in .htaccess, 
>> and I can't find any reference what other directives in the 
>> other configuration files could interfere with these.
>>
>> The /usr/lib/apache2/modules/mod_authz_host.so
>> is loaded on startup.
>>
>> Any ideas ?
>>
>> Thanks in advance, 
>> Steffen
>>
>>
>> <Directory "/path/to/protected">
>>         Order deny,allow
>>         Allow from 192.168
>>         Deny from all
>>         AllowOverride All
>>         Options -Indexes
>> </Directory>
>> JkMount /protected/jsp/* tomcat_worker
>>
>> ScriptAlias /protected/cgi-bin/ /path/to/protected/cgi-bin/
>> <Directory "/path/to/protected/cgi-bin">
>>         Order deny,allow
>>         Allow from 192.168
>>         Deny from all
>>         AddHandler cgi-script .cgi
>>         Options +ExecCGI
>> </Directory>
>>
>> In addition I have a file protected/.htaccess which does the rewriting 
>> for the pages which moved to tomcat, handled by the JkMount (see below) 
>>
>> cat .htaccess
>> RewriteEngine on
>> RewriteRule ^Search.html$ jsp/Search.jsp
>>
>> Although I can't see how this would interfere with allow/deny,
>> since the index.html is not covered by the rewriting.
>>
>>
>>
> 

