Posted to users@httpd.apache.org by Alan Chandler <al...@chandlerfamily.org.uk> on 2004/08/17 10:02:52 UTC
[users@httpd] Access Control Question
I am a bit puzzled about whether there is a security hole if I do the
following:

# Lockdown most everything
<Directory />
    Order deny,allow
    Deny from all
</Directory>

# Provide the basic access control to the whole site(s)
# - I believe this should control virtual hosts as well
<Location />
    AllowOverride None
    #
    # Controls who can get stuff from this server.
    #
    AuthType Basic
    AuthName "Chandler Intranet"
    AuthUserFile /etc/apache2/users
    AuthGroupFile /etc/apache2/groups
    Require group family
    Order allow,deny
    Allow from 192.168.0.0/24
    Satisfy any
</Location>

I think this should lock down my filesystem, but require every URL access via
basic authentication if not local - otherwise they get it.
However, I have two questions:

a) Is it possible for someone to subvert things so that they get access
outside of the document root and other directories I designate elsewhere in
my config with <Directory> blocks if I turn off .htaccess files (as I have
done)?

b) Will this protection carry over inside a <VirtualHost>?

--
Alan Chandler
alan@chandlerfamily.org.uk
First they ignore you, then they laugh at you,
then they fight you, then you win. --Gandhi
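
Added example (not part of the original post): a small Python model of the access decision for the two posted sections, showing the effect of "Satisfy any" and of <Location /> being applied after <Directory />. The user and group tables, passwords and client addresses are constructed; the model assumes Apache's documented merge order, in which <Location> settings override <Directory> settings.

```python
import ipaddress

# Constructed stand-ins for /etc/apache2/users and /etc/apache2/groups.
USERS = {"alan": "pw-alan", "guest": "pw-guest"}
GROUPS = {"family": {"alan"}}

# The two sections from the post; "Deny from all" is written as 0.0.0.0/0.
DIRECTORY_ROOT = {"order": "deny,allow", "allow": [], "deny": ["0.0.0.0/0"]}
LOCATION_ROOT = {"order": "allow,deny", "allow": ["192.168.0.0/24"], "deny": [],
                 "require_group": "family", "satisfy": "any"}

def effective(directory, location):
    """Assumption: <Location> merges after <Directory>, so its settings win."""
    return {"require_group": None, "satisfy": "all", **directory, **location}

def host_ok(sec, client_ip):
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip in ipaddress.ip_network(n) for n in sec["allow"])
    denied = any(ip in ipaddress.ip_network(n) for n in sec["deny"])
    if sec["order"] == "allow,deny":   # default deny, Deny beats Allow
        return allowed and not denied
    return allowed or not denied       # deny,allow: default allow, Allow beats Deny

def user_ok(sec, creds):
    if creds is None:
        return False
    user, password = creds
    members = GROUPS.get(sec["require_group"], set())
    return USERS.get(user) == password and user in members

def decide(sec, client_ip, creds=None):
    """Return the HTTP status the access phase would produce."""
    h = host_ok(sec, client_ip)
    if sec["require_group"] is None:   # no Require line: host check only
        return 200 if h else 403
    u = user_ok(sec, creds)
    if sec["satisfy"] == "any":        # either the host or the user suffices
        return 200 if (h or u) else 401
    if not h:                          # Satisfy all: host must pass first
        return 403
    return 200 if u else 401

POSTED = effective(DIRECTORY_ROOT, LOCATION_ROOT)

if __name__ == "__main__":
    for ip, creds in [("192.168.0.17", None), ("203.0.113.9", None),
                      ("203.0.113.9", ("alan", "pw-alan"))]:
        print(ip, creds, decide(POSTED, ip, creds))
```

In this model the "Deny from all" in <Directory /> no longer decides anything once <Location /> supplies its own Order and Allow lines, so what is reachable depends on which filesystem paths URLs can map to, not on that Deny.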