Posted to users@httpd.apache.org by André Warnier <aw...@ice-sa.com> on 2008/09/29 22:28:48 UTC

Re: [users@httpd] Deny/Allow directives within have no effect [Workaround]

Hi.

On the face of it, I do not understand it either.
I have re-read the doc, and I believe your Order, Allow and Deny 
directives are correct for what you want to do.

The first thing maybe to check is if you don't by any chance have some 
<Location> sections that override your <Directory> section.

Also, I encountered lately a couple of cases where AAA-control 
directives seemed to be "inherited" from a wider context to a more 
narrow one, unless specifically overridden in the narrower context.
For example, if you have something like

<Directory /var/www/dir>
   AAA-control directive type 1
</Directory>
<Directory /var/www/dir/subdir>
   (no AAA-control directive type 1)
   AAA-control directive type 2
</Directory>

then the subdirectory subdir seems to inherit the AAA-control directive 
type 1 from the parent, despite having another AAA-control directive of 
its own. I cannot remember specifics, but I'm quite sure that I've seen 
cases like that.

Now, in your Directory, you specify "AllowOverride All".
That seems to allow *any* kind of directive to be used in the .htaccess 
file of your /protected location, including access-control directives.
Might it be that the absence of access-control directives in the 
htaccess file overrides the earlier Directory-level specs?

Or am I telling utter nonsense?
Gurus, please?

I propose a couple of experiments:
- what if you add Order, Allow and Deny directives in your htaccess file?
- alternatively, leave the htaccess file as it is, but in your Directory 
section, change the "AllowOverride All" into "AllowOverride FileInfo"



Steffen Neumann wrote:
> Hi,
> 
> Just for the record, I worked around the problem 
> using a rewrite to a 404 page for the clients not allowed.
> 
> I'm still curious about the actual problem.
> Anyone ? Do I need to provide some more details ?
> 
> Yours, 
> Steffen
> 
> 
> On Tue, 2008-09-23 at 13:48 +0200, Steffen Neumann wrote:
>> Hi,
>>
>> Securing a directory with Allow/Deny is supposedly 
>> something very simple, yet I have tried for quite a while now,
>> and seek help on the list. This is the setup:
>>
>> I have an apache 2.2.8 on ubuntu 8.04.1 64bit, 
>> which is serving (and reverse proxying)
>> a number of pages/applications.
>>
>> One of them is http://www/protected/, which is supposed 
>> to be accessible only from our site and a small number 
>> of collaborators. The <Directory> directives are below.
>> Despite Deny from all / Allow 192.168 it will still deliver content 
>> happily to outsiders, as the log shows:
>>
>> 141.x.x.x - - [23/Sep/2008:13:28:34 +0200] "GET /protected/index.html HTTP/1.0" 200 7675 "-" "Wget/1.11"
>>
>> I thought from http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
>> that the Allow/Deny can only be overridden in .htaccess, 
>> and I can't find any reference what other directives in the 
>> other configuration files could interfere with these.
>>
>> The /usr/lib/apache2/modules/mod_authz_host.so
>> is loaded on startup.
>>
>> Any ideas?
>>
>> Thanks in advance, 
>> Steffen
>>
>>
>> <Directory "/path/to/protected">
>>         Order deny,allow
>>         Allow from 192.168
>>         Deny from all
>>         AllowOverride All
>>         Options -Indexes
>> </Directory>
>> JkMount /protected/jsp/* tomcat_worker
>>
>> ScriptAlias /protected/cgi-bin/ "/path/to/protected/cgi-bin/"
>> <Directory "/path/to/protected/cgi-bin">
>>         Order deny,allow
>>         Allow from 192.168
>>         Deny from all
>>         AddHandler cgi-script .cgi
>>         Options +ExecCGI
>> </Directory>
>>
>> In addition I have a file protected/.htaccess which does the rewriting 
>> for the pages which moved to tomcat, handled by the JkMount (see below) 
>>
>> cat .htaccess
>> RewriteEngine on
>> RewriteRule ^Search.html$ jsp/Search.jsp
>>
>> Although I can't see how this would interfere with allow/deny,
>> since the index.html is not covered by the rewriting.
>>
>>
>>
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Deny/Allow directives within have no effect [Workaround]

Posted by Steffen Neumann <sn...@ipb-halle.de>.
On Mon, 2008-09-29 at 22:28 +0200, André Warnier wrote:
> The first thing maybe to check is if you don't by any chance have some 
> <Location> sections that override your <Directory> section.
Yup, that got me on the right track.

I had a spurious <Location /> I copied 
from a httpd.conf that was used for an application 
on a dedicated server.

Thanks André,
Yours,
Steffen

-- 
IPB Halle                    AG Massenspektrometrie & Bioinformatik
Dr. Steffen Neumann          http://www.IPB-Halle.DE
Weinberg 3                   http://msbi.bic-gh.de
06120 Halle                  Tel. +49 (0) 345 5582 - 1470
                                  +49 (0) 345 5582 - 0
sneumann(at)IPB-Halle.DE     Fax. +49 (0) 345 5582 - 1409
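The resolution above (a stray `<Location />` beating the `<Directory>` rules) and André's two proposed experiments both come down to the same mechanism: how httpd 2.2 merges per-directory access configuration. The following is an added example, not code from the thread or from httpd itself. It models two things: the `Order`/`Allow`/`Deny` decision as documented for mod_authz_host (including the partial-address form `Allow from 192.168` and the `allow,deny` pitfall), and the 2.2 merge order in which `<Directory>` sections and `.htaccess` files are applied before `<Location>` sections, with a section that carries its own access directives replacing whatever was inherited and a section without any (such as a `.htaccess` that only rewrites) leaving the inherited rules untouched. The contents of the spurious `<Location />` are an assumption (the thread never shows it); the client addresses and section dictionaries are constructed.

```python
"""Added example (not from the thread or from httpd): a small model of how
httpd 2.2's mod_authz_host decides Order/Allow/Deny, and of the per-directory
merge order that lets a stray <Location /> displace <Directory> rules."""
import ipaddress

# httpd 2.2 merge order for per-directory config: <Directory> sections and
# .htaccess files first, <Location> sections last; later ones override.
MERGE_RANK = {"Directory": 0, ".htaccess": 1, "Location": 2}


def host_matches(pattern, ip):
    """Match one Allow/Deny argument against a client IPv4 address.
    Supports 'all', a full or partial dotted address (e.g. '192.168'),
    and CIDR notation."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    want = pattern.split(".")
    return ip.split(".")[: len(want)] == want


def evaluate(order, allows, denies, ip):
    """Apply the Order semantics documented for mod_authz_host."""
    allowed = any(host_matches(p, ip) for p in allows)
    denied = any(host_matches(p, ip) for p in denies)
    if order == "deny,allow":
        # Deny rules first; a matching Allow rescues; unmatched requests pass.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Some Allow must match and no Deny may match; unmatched requests fail.
        return allowed and not denied
    raise ValueError(f"unknown Order argument: {order}")


def effective_rules(sections):
    """Pick the access rules that survive the merge.

    mod_authz_host in 2.2 declares no merge function, so a section that sets
    its own Order/Allow/Deny replaces everything merged before it, while a
    section without any access directive (e.g. a .htaccess holding only
    RewriteRule lines) leaves the inherited rules untouched.  `sections` are
    assumed to be the ones that already match the request."""
    current = None
    for sec in sorted(sections, key=lambda s: MERGE_RANK[s["type"]]):
        if "order" in sec:
            current = sec
    return current


def admitted(sections, ip):
    """True if the client address gets through the merged access rules."""
    rules = effective_rules(sections)
    if rules is None:
        return True  # no access control configured at all
    return evaluate(rules["order"], rules.get("allow", []), rules.get("deny", []), ip)


# Constructed sections mirroring the thread's configuration.
PROTECTED_DIR = {"type": "Directory", "path": "/path/to/protected",
                 "order": "deny,allow", "allow": ["192.168"], "deny": ["all"]}
REWRITE_HTACCESS = {"type": ".htaccess", "path": "/path/to/protected/.htaccess"}
# Assumed content of the "spurious <Location />"; the thread does not show it.
STRAY_LOCATION = {"type": "Location", "path": "/",
                  "order": "allow,deny", "allow": ["all"]}

OUTSIDER, INSIDER = "141.0.0.1", "192.168.4.7"  # constructed client addresses

if __name__ == "__main__":
    broken = [PROTECTED_DIR, REWRITE_HTACCESS, STRAY_LOCATION]
    fixed = [PROTECTED_DIR, REWRITE_HTACCESS]
    print("with <Location />:    outsider admitted =", admitted(broken, OUTSIDER))
    print("without <Location />: outsider admitted =", admitted(fixed, OUTSIDER))
    print("without <Location />: insider admitted  =", admitted(fixed, INSIDER))
    # The classic pitfall: allow,deny with Deny from all shuts everyone out.
    print("allow,deny variant:   insider admitted  =",
          evaluate("allow,deny", ["192.168"], ["all"], INSIDER))
```

Running it shows the outsider admitted only while the `<Location />` is present, and the insider admitted once it is removed. The model also makes the experiment André suggested visible: adding `Order`/`Allow`/`Deny` lines to the `.htaccess` would have replaced the `<Directory>` rules but still lost to the later-merged `<Location />`, which is why looking for `<Location>` sections was the check that paid off. When auditing a 2.2 configuration, treat every `<Location>` and `<LocationMatch>` that carries access directives as a potential override of all `<Directory>`-level access control.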

