Posted to users@httpd.apache.org by Tim Watts <tw...@dionic.net> on 2010/06/01 12:47:51 UTC

[users@httpd] Combining deny and allow conditions

Hi,

Could do with some guru guidance :)

I'd like to only allow certain file extensions to be served without 
messing up my other host based allow/deny rules.

Right now I have this in my config:

(included into both :80 and :443 virtualhost sections)

# We will explicitly allow only certain file types being served

...
<FilesMatch "^.*$">
    Deny from all
</FilesMatch>

<FilesMatch "^([^\.]+\.(html|css|js|crt|jpg|png|php|cgi))?$">
    Include /etc/apache2/sites-available/common/allowfromhosts
    Deny from all
</FilesMatch>
...
<Directory />
    Order Allow,Deny
    Deny from all
    AllowOverride None
</Directory>

...
<Directory /vol/www/html>
    Include /etc/apache2/sites-available/common/allowfromhosts
    Deny from All
    AllowOverride None
...
</Directory>
#########

And common/allowfromhosts contains:

Allow from 10.0.0.0/16 128.30.52.0/24
################

That works, but seems a little inelegant having to relegate the "allow 
from IP" to an include file.

I could do it better if there was a "FilesNotMatch" directive or equivalent.

The actual logic I want is:

1) Unless the URL ends "/" OR "/*.ext" where ext is one of html, css, js 
etc, THEN categorically DENY access at all times IRRESPECTIVE of any 
other rules.

2) If that passes, then respect further allow/deny rules, eg the "allow 
from 10.0.0.0/16 128.30.52.0/24" BUT DENY from everyone else

Is there a better way?

Many thanks in advance :)

Cheers

Tim

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Combining deny and allow conditions

Posted by Tim Watts <tw...@dionic.net>.
On 01/06/10 14:24, Eric Covener wrote:
> On Tue, Jun 1, 2010 at 8:34 AM, Tim Watts<tw...@dionic.net>  wrote:
>> On 01/06/10 13:29, Eric Covener wrote:
>>>>
>>>> I could do it better if there was a "FilesNotMatch" directive or
>>>> equivalent.
>>>
>>> You can use the zero-width assertions like negative lookahead in PCRE
>>> to create *Match directives that are conceptually negated.
>>>
>>>
>>
>> Ah. Any chance of an example to get me going, he says cheekily ;->
>>
>> I can test them with pcretest first.
>
> something like this?
>
> ^.+\.(?!(html|css|js)$)
>
>

I see that starting to work in pcretest. I'll work on that a bit and see 
if I can understand what ?! is doing (I'm au fait with Perl REs but I've 
not used that construct before)...

Thanks very much for the pointer Eric.

Cheers

Tim



Re: [users@httpd] Combining deny and allow conditions

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jun 1, 2010 at 8:34 AM, Tim Watts <tw...@dionic.net> wrote:
> On 01/06/10 13:29, Eric Covener wrote:
>>>
>>> I could do it better if there was a "FilesNotMatch" directive or
>>> equivalent.
>>
>> You can use the zero-width assertions like negative lookahead in PCRE
>> to create *Match directives that are conceptually negated.
>>
>>
>
> Ah. Any chance of an example to get me going, he says cheekily ;->
>
> I can test them with pcretest first.

something like this?

^.+\.(?!(html|css|js)$)


-- 
Eric Covener
covener@gmail.com
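
A check of the negative-lookahead idea from this thread against constructed file names, as an added example that is not part of any poster's message. It compares the sketch pattern with the whitelist from the original post and with an exact complement of that whitelist; the COMPLEMENT pattern, the sample names and the use of Python's re module in place of pcretest are assumptions of this example.

```python
import re

# Whitelist from the original post's <FilesMatch> (names that may be served).
ALLOW = re.compile(r"^([^\.]+\.(html|css|js|crt|jpg|png|php|cgi))?$")
# Sketch pattern quoted in the thread, unchanged.
SKETCH = re.compile(r"^.+\.(?!(html|css|js)$)")
# Assumption (not from the thread): exact complement of ALLOW, built by
# wrapping the whole whitelist in one negative lookahead at the start.
COMPLEMENT = re.compile(r"^(?!([^\.]+\.(html|css|js|crt|jpg|png|php|cgi))?$)")

# Constructed sample basenames; "" stands for a directory request.
SAMPLES = ["", "index.html", "site.css", "app.js", "index.html~",
           "index.html.bak", "backup.sql", "Makefile", ".htpasswd", "a.b.html"]


def denied(pattern, name):
    """True if a 'Deny from all' FilesMatch using this pattern would apply."""
    return pattern.search(name) is not None


def gaps(pattern, samples=SAMPLES):
    """Names the whitelist rejects but the negated pattern fails to deny."""
    return [n for n in samples
            if not ALLOW.search(n) and not denied(pattern, n)]


def overblocks(pattern, samples=SAMPLES):
    """Names the whitelist accepts but the negated pattern denies anyway."""
    return [n for n in samples if ALLOW.search(n) and denied(pattern, n)]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:18} allow={bool(ALLOW.search(name))!s:5} "
              f"sketch_denies={denied(SKETCH, name)!s:5} "
              f"complement_denies={denied(COMPLEMENT, name)}")
    # Names with no dot, or only a leading dot, never reach the lookahead
    # in SKETCH, so a deny rule built on it alone would not cover them.
    print("sketch gaps:    ", gaps(SKETCH))
    print("complement gaps:", gaps(COMPLEMENT))
```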



Re: [users@httpd] Combining deny and allow conditions

Posted by Tim Watts <tw...@dionic.net>.
On 01/06/10 13:29, Eric Covener wrote:
>> I could do it better if there was a "FilesNotMatch" directive or equivalent.
>
> You can use the zero-width assertions like negative lookahead in PCRE
> to create *Match directives that are conceptually negated.
>
>

Ah. Any chance of an example to get me going, he says cheekily ;->

I can test them with pcretest first.



Re: [users@httpd] Combining deny and allow conditions

Posted by Eric Covener <co...@gmail.com>.
> I could do it better if there was a "FilesNotMatch" directive or equivalent.

You can use the zero-width assertions like negative lookahead in PCRE
to create *Match directives that are conceptually negated.


-- 
Eric Covener
covener@gmail.com
