You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Markus Mayer <my...@gmx.at> on 2006/09/14 12:27:50 UTC
[users@httpd] Limiting users possibilities in .htaccess files
Hi all,
I have some users on my server who insist on writing .htaccess files and
defining proxies in them. This is something I don't like or want, they also
run against our firewall which causes some security related messages to be
generated. I have tried different restrictions with AllowOverride however
all I did was kill off other important functionality. Is there some way I
can restrict users so that when they define a proxy in a .htaccess file the
server returns some kind of error to the user? In otherwords, when a user
does something like
RewriteRule ^something/(.*)$ http://someserver.com/something/$1 [L,P]
I want an error message to be returned, something like the standard "Internal
Server Error" message is perfectly ok.
I will appreciate all help!
Markus
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Limiting users possibilities in .htaccess files
Posted by Joshua Slive <jo...@slive.ca>.
On 9/14/06, Markus Mayer <my...@gmx.at> wrote:
> Hi all,
>
> I have some users on my server who insist on writing .htaccess files and
> defining proxies in them. This is something I don't like or want, they also
> run against our firewall which causes some security related messages to be
> generated. I have tried different restrictions with AllowOverride however
> all I did was kill off other important functionality. Is there some way I
> can restrict users so that when they define a proxy in a .htaccess file the
> server returns some kind of error to the user? In otherwords, when a user
> does something like
> RewriteRule ^something/(.*)$ http://someserver.com/something/$1 [L,P]
> I want an error message to be returned, something like the standard "Internal
> Server Error" message is perfectly ok.
You need to remove FileInfo from your AllowOverrides or remove
mod_proxy or mod_rewrite from your loaded modules. There is no other
way in apache. (The social solution is to do automated monitoring of
.htaccess files with a script and kill accounts that misuse them.)
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org