Posted to users@httpd.apache.org by "James R. Marcus" <jm...@mvalent.com> on 2003/01/24 21:15:42 UTC

[users@httpd] FAQ & .htaccess allow from internal domain, prompt for auth from everywhere else

I read the FAQ at
http://httpd.apache.org/docs/misc/FAQ.html#remote-auth-only to get
Apache2 to prompt users from outside of our local domain for a password.
I am using SSL.  I get the following error in the logs:

[Fri Jan 24 14:21:35 2003] [alert] [client 10.0.0.114] /usr/local/apache2/htdocs/.htaccess: deny not allowed here

This is set in the httpd.conf: AllowOverride AuthConfig

Here is the .htaccess file:

Deny from all
Allow from .mvalent.local
AuthType Basic
AuthUserFile /usr/local/apache2/passwd/passwd
AuthName "Restricted Files"
Require valid-user
Satisfy any
 
Thanks,
James



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Sander Holthaus - Orange XL <in...@orangexl.com>.
I use this on all my vhosts

    <LimitExcept GET HEAD POST>
    Order deny,allow
    Deny from all
    </LimitExcept>

Don't know if it'll help you out.

----- Original Message -----
From: "Ben Ricker" <br...@wellinx.com>
To: <us...@httpd.apache.org>
Sent: Friday, January 24, 2003 9:46 PM
Subject: [users@httpd] The "Limit" Directive and TRACE


> I am trying to fortify a web server running Apache 1.3.27 against
> cross-site scripting (see
> http://www.extremetech.com/article2/0,3973,841047,00.asp for more
> information).
>
> The problem is that I am trying to disallow the use of TRACE using the
> LIMIT directive. Here is a 'Limit' directives snippet from the Apache
> docs (http://httpd.apache.org/docs/mod/core.html#limit).
>
> When I put the following in the httpd.conf:
>
> <Limit TRACE>
> Deny from All
> </Limit>
>
> I get the following error:
>
> ../bin/apachectl configtest
> Syntax error on line 395 of /usr/local/apache/conf/httpd.conf:
> TRACE cannot be controlled by <Limit>
>
> Am I missing something here?
>
> Ben Ricker
> Wellinx.com




Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Richard Pyne <rp...@kinfolk.org>.
Before you spend too much time on it, read:

http://online.securityfocus.com/archive/1/307778

--Richard

On Friday 24 January 2003 01:46 pm, Ben Ricker wrote:
> I am trying to fortify a web server running Apache 1.3.27 against
> cross-site scripting (see
> http://www.extremetech.com/article2/0,3973,841047,00.asp for more
> information).
>
> The problem is that I am trying to disallow the use of TRACE using
> the LIMIT directive. Here is a 'Limit' directives snippet from the
> Apache docs (http://httpd.apache.org/docs/mod/core.html#limit).
>
> When I put the following in the httpd.conf:
>
> <Limit TRACE>
> Deny from All
> </Limit>
>
> I get the following error:
>
> ../bin/apachectl configtest
> Syntax error on line 395 of /usr/local/apache/conf/httpd.conf:
> TRACE cannot be controlled by <Limit>
>
> Am I missing something here?
>
> Ben Ricker
> Wellinx.com

-- 
Richard B. Pyne
rpyne@kinfolk.org



Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 24 Jan 2003, Ben Ricker wrote:
> > I suspect (though I haven't tested) you could also use
> > SetEnvIf Request_Method TRACE trace_request
> > Order allow,deny
> > allow from all
> > deny from env=trace_request
>
> Hmmm....Apache does not like the Order directive scoped under SetEnvIf.
> It does not work in 1.3.27. I looked over the docs but could not find
> anything that shows an example of using the Order directives under SetEnvIf.

It isn't the SetEnvIf that is the problem.  It is the context of Order.
It can't be placed in the main server context, it must be inside a
container, as in

SetEnvIf ....
<Location />
Order allow,deny
allow from all
deny from env=trace_request
</Location>

Joshua.
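Pulling the thread's suggestions together as one added example (this is not configuration from any of the posts): a vhost that refuses TRACE, with the SetEnvIf variant Joshua describes placed in a <Location> container so Order is in a valid context, the mod_rewrite variant from the ApacheWeek article Ben mentions, and TraceEnable for 2.0.55 and later. The host name is a placeholder; pick one of the three variants rather than stacking all of them.

```apache
# Added example: three ways to refuse TRACE on an Apache vhost.
# Use the one that matches the modules and version you actually run.
<VirtualHost *:80>
    ServerName www.example.com          # placeholder host name

    # 1. mod_access + mod_setenvif (Apache 1.3 / 2.0): tag TRACE requests
    #    with an environment variable, then deny on it. Order/Allow/Deny
    #    are only valid inside a container (directory or .htaccess
    #    context), which is why the Location block is required.
    #    With "Order allow,deny" the matching Deny line wins, so TRACE
    #    gets a 403 at the access-check phase, before any handler could
    #    echo the request (and its cookies) back to the client.
    SetEnvIf Request_Method "^TRACE$" trace_request
    <Location />
        Order allow,deny
        Allow from all
        Deny from env=trace_request
    </Location>

    # 2. mod_rewrite (the ApacheWeek recipe): the [F] flag answers with
    #    403 Forbidden. Works in 1.3 as long as mod_rewrite is loaded.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE$
    RewriteRule .* - [F]

    # 3. Apache 2.0.55 and later: the server-wide switch. Apache then
    #    answers TRACE with 405 Method Not Allowed; no access rules needed.
    TraceEnable off
</VirtualHost>
```

After `apachectl configtest`, confirm the change from the outside by sending a TRACE to your own server and checking that the reply is a 403 (variants 1 and 2) or 405 (variant 3) rather than an echo of the request headers you sent.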



Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Ben Ricker <br...@wellinx.com>.
Joshua Slive wrote:
> On Fri, 24 Jan 2003, Ben Ricker wrote:
> 
> 
>>I am trying to fortify a web server running Apache 1.3.27 against
>>cross-site scripting (see
>>http://www.extremetech.com/article2/0,3973,841047,00.asp for more
>>information).
>>
>>The problem is that I am trying to disallow the use of TRACE using the
>>LIMIT directive.
> 
> 
> See:
> http://www.apacheweek.com/issues/03-01-24#news

That was a helpful article and it makes sense that the vulnerability is 
not SO huge as Whitehatsec makes it out to be, in the sense that it is 
not necessarily Apache's issue.

> I suspect (though I haven't tested) you could also use
> SetEnvIf Request_Method TRACE trace_request
> Order allow,deny
> allow from all
> deny from env=trace_request

Hmmm....Apache does not like the Order directive scoped under SetEnvIf. 
It does not work in 1.3.27. I looked over the docs but could not find 
anything that shows an example of using the Order directives under SetEnvIf.

I guess I can stick with the mod_rewrite trick on the ApacheWeek 
article, although I am not sure I have mod_rewrite setup....

Thanks,

Ben Ricker
Wellinx.com




Re: [users@httpd] The "Limit" Directive and TRACE

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 24 Jan 2003, Ben Ricker wrote:

> I am trying to fortify a web server running Apache 1.3.27 against
> cross-site scripting (see
> http://www.extremetech.com/article2/0,3973,841047,00.asp for more
> information).
>
> The problem is that I am trying to disallow the use of TRACE using the
> LIMIT directive.

See:
http://www.apacheweek.com/issues/03-01-24#news

I suspect (though I haven't tested) you could also use
SetEnvIf Request_Method TRACE trace_request
Order allow,deny
allow from all
deny from env=trace_request

Joshua.



[users@httpd] The "Limit" Directive and TRACE

Posted by Ben Ricker <br...@wellinx.com>.
I am trying to fortify a web server running Apache 1.3.27 against 
cross-site scripting (see 
http://www.extremetech.com/article2/0,3973,841047,00.asp for more 
information).

The problem is that I am trying to disallow the use of TRACE using the 
LIMIT directive. Here is a 'Limit' directives snippet from the Apache 
docs (http://httpd.apache.org/docs/mod/core.html#limit).

When I put the following in the httpd.conf:

<Limit TRACE>
Deny from All
</Limit>

I get the following error:

../bin/apachectl configtest
Syntax error on line 395 of /usr/local/apache/conf/httpd.conf:
TRACE cannot be controlled by <Limit>

Am I missing something here?

Ben Ricker
Wellinx.com




RE: [users@httpd] FAQ & .htaccess allow from internal domain, prompt for auth from everywhere else

Posted by "James R. Marcus" <jm...@mvalent.com>.
Thanks so much.  That did it.

James

-----Original Message-----
From: Joshua Slive [mailto:joshua@slive.ca] 
Sent: Friday, January 24, 2003 3:18 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] FAQ & .htaccess allow from internal domain,
prompt for auth from everywhere else


On Fri, 24 Jan 2003, James R. Marcus wrote:
> I am using SSL.  I get the following error in the logs: [Fri Jan 24
> 14:21:35 2003] [alert] [client 10.0.0.114]
> /usr/local/apache2/htdocs/.htaccess: deny not allowed here
> This is set in the httpd.conf AllowOverride AuthConfig

If you look here:
http://httpd.apache.org/docs-2.0/mod/mod_access.html#deny
you'll see that the correct "override" for Deny is "Limit", so you need
at least

AllowOverride AuthConfig Limit

Joshua.






Re: [users@httpd] FAQ & .htaccess allow from internal domain, prompt for auth from everywhere else

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 24 Jan 2003, James R. Marcus wrote:
> I am using SSL.  I get the following error in the logs: [Fri Jan 24
> 14:21:35 2003] [alert] [client 10.0.0.114]
> /usr/local/apache2/htdocs/.htaccess: deny not allowed here
> This is set in the httpd.conf AllowOverride AuthConfig

If you look here:
http://httpd.apache.org/docs-2.0/mod/mod_access.html#deny
you'll see that the correct "override" for Deny is "Limit", so you need
at least

AllowOverride AuthConfig Limit

Joshua.
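As an added example (not configuration from the thread), the httpd.conf side of Joshua's answer next to the .htaccess from the question, and then the same policy written directly in a <Directory> block so that no override is needed at all. The paths and the .mvalent.local domain come from the question; the 10.0.0.0/24 range is an assumption based on the client address in the log line. Use variant A or variant B, not both.

```apache
# Added example, Apache 2.0: "internal network without a password,
# everyone else must authenticate".

# --- Variant A: rules live in .htaccess, so httpd.conf must allow them.
# Each AllowOverride class unlocks a group of directives for anyone who
# can write .htaccess under htdocs: AuthConfig covers AuthType, AuthName,
# AuthUserFile and Require; Limit covers Order, Allow and Deny. Without
# "Limit" the Deny line produces "deny not allowed here".
<Directory "/usr/local/apache2/htdocs">
    AllowOverride AuthConfig Limit
</Directory>

# Contents of /usr/local/apache2/htdocs/.htaccess for variant A.
# "Order deny,allow" is the default, but state it: Deny is evaluated
# first, then Allow, so the internal clients win. "Satisfy any" means
# "pass the host check OR present valid credentials".
#
#   Order deny,allow
#   Deny from all
#   Allow from .mvalent.local
#   AuthType Basic
#   AuthName "Restricted Files"
#   AuthUserFile /usr/local/apache2/passwd/passwd
#   Require valid-user
#   Satisfy any

# --- Variant B: same policy in httpd.conf with overrides disabled.
# Preferable when you control the main config: no per-request .htaccess
# lookups, and a writable content directory cannot widen access.
# Note that "Allow from .mvalent.local" forces a double-reverse DNS
# lookup on every request and trusts the resolver; an address range
# (assumed here from the 10.0.0.114 client in the log) avoids both.
<Directory "/usr/local/apache2/htdocs">
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/24
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /usr/local/apache2/passwd/passwd
    Require valid-user
    Satisfy any
</Directory>
```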
