Posted to users@httpd.apache.org by Boyle Owen <Ow...@swx.com> on 2004/07/21 11:59:12 UTC

[users@httpd] RE: .htaccess 'allow from' and directories

Please keep messages on list...

> -----Original Message-----
> From: Nigel Gilbert [mailto:n.gilbert@soc.surrey.ac.uk]
> Sent: Montag, 19. Juli 2004 14:58
> To: Boyle Owen
> Cc: users@httpd.apache.org
> Subject: .htaccess 'allow from' and directories
> 
> 
> >
> 
> I am sorry that I didn't make my question clearer.  In reply to your
> answer, the httpd.conf file already includes
> AllowOverride All
> 
> The problem I have is that while it is possible using the <Files>
> directive to allow access to named files, it seems that it is not
> possible to specify that I wish to grant access to the index page which
> is implicitly referenced when the user accesses the top level
> directory.  Is that correct?

The "implicit reference" is only an illusion. In fact, what happens is:

- client requests "http://server/dir"
- server realises there is no file called SERVER_ROOT/dir but that there
is a directory there so it responds with a redirect to
http://server/dir/ (ie, adds a trailing slash)
- client requests "http://server/dir/"
- server checks SERVER_ROOT/dir/ for a file called "index.html" (or
other defined by DirectoryIndex), if found; redirects to
http://server/dir/index.html (if not, responds with directory listing,
if allowed).
- client requests "http://server/dir/index.html"
- server finally gets a precise request so responds with
SERVER_ROOT/dir/index.html

So you see that the <Files> container only gets checked at the last step
(when an actual file is requested - <Files> only works with files :-).
The authentication failure occurs much earlier when the server receives
the intermediate request for http://server/dir/.

However, the solution is pretty simple. Remember that a .htaccess file
is just a replacement for a <Directory> container in the main config. So
you can simply put "Allow from all" directly into the .htaccess and it
will apply to the directory containing the .htaccess and all subdirs
(ie, don't bother with the <Files> container). 

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> For example,
> >> <Files index.html>
> >> Allow from all
> >> </Files>
> 
> will give access to http://my.domain.com/index.html
> 
> but if the user enters the URL http://my.domain.com/
> I would expect the user to get access to index.html, but actually  
> access is denied.
> 
> I hope this is clearer - if not my original question is appended.
> 
> thanks
> 
> Nigel
> 
> 
> 
> 
> > Date: Mon, 19 Jul 2004 10:00:24 +0200
> > To: <us...@httpd.apache.org>
> > From: "Boyle Owen" <Ow...@swx.com>
> > Subject: RE: [users@httpd] .htaccess 'allow from' and directories
> > Message-ID:  
> > <FA...@SOMEXEVS001.ex.ordersx.org>
> >
> >
> > .htaccess files can only be used to override main config directives if
> > the config allows it (via the AllowOverride directive). Apache is
> > "friendly" so the default for this directive is "AllowOverride All". So
> > if the apache-admin doesn't care, you can simply override the access
> > directives by putting:
> >
> > <Files *>
> >   Allow from all
> > </Files>
> >
> > in .htaccess.
> >
> > However, if the apache admin doesn't want you to do this, he will have
> > disabled overriding in the config (eg, AllowOverride None). Then you
> > can't do it at all - neither should you be able to - it's a security
> > feature and if you don't have the right to edit the config, you don't
> > have control of the server.
> >
> > Rgds,
> > Owen Boyle
> > Disclaimer: Any disclaimer attached to this message may be ignored.
> >
> > This e-mail is of a private and personal nature. It is not related to the
> > exchange or business activities of the SWX Group.
> >
> >> -----Original Message-----
> >> From: Nigel Gilbert [mailto:n.gilbert@soc.surrey.ac.uk]
> >> Sent: Sonntag, 18. Juli 2004 13:01
> >> To: users@httpd.apache.org
> >> Subject: [users@httpd] .htaccess 'allow from' and directories
> >>
> >> I have an .htaccess file at the top level which allows users in from
> >> specified IP addresses.  The allow commands are within a <Files>
> >> directive in the .htaccess file.  There is also a <Files> directive
> >> which allows all users access to index.html.  e.g.:
> >>
> >> <Files *>
> >> Order Allow,Deny
> >> Allow from 206.40
> >> ....
> >> </Files>
> >> <Files index.html>
> >> Allow from all
> >> </Files>
> >>
> >> The result is that, as expected, all users are allowed to access the
> >> location http://my.domain.com/index.html if they specify this address
> >> explicitly.  However, if they try to access the location
> >> http://my.domain.com/  (no explicit index.html) and are not on the
> >> allowed IP list, their access is denied.  I would like the behaviour to
> >> be exactly the same as if they had specified index.html in their URL.
> >>
> >> How can I achieve this?  I do not have permissions to change the
> >> httpd.conf file, so any solution needs to be workable using only the
> >> .htaccess context (this excludes using <Directory > directive, as far
> >> as I can see from the documentation).
> __________________________________________________________________________
> Professor Nigel Gilbert, FREng, AcSS, Pro Vice-Chancellor and Professor of
> Sociology, University of Surrey, Guildford GU2 7XH, UK. +44 (0)1483 689173
> 
> 
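Added example (not part of the original thread, and not Apache's own code): a small Python model of how one section's Order/Allow/Deny lines, as quoted in this thread, decide which client addresses are admitted. The function names are hypothetical, the client addresses are constructed, and only `all` and partial-IP specs are modelled; how <Files> sections and directory-level settings are merged is not modelled.

```python
# Added example: models mod_access Order/Allow/Deny for ONE section.
# Only "all" and partial-IP specs are handled (no hostnames, no CIDR).

# Rule text taken from the thread; the lines elided in the post are left out.
FILES_STAR = "Order Allow,Deny\nAllow from 206.40"
# The bare form suggested in the reply.
BARE_ALLOW_ALL = "Allow from all"

def parse_section(text):
    """Collect Order/Allow/Deny lines; any other line is ignored."""
    rules = {"order": "deny,allow", "allow": [], "deny": []}  # default Order
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order":
            rules["order"] = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            rules[key].extend(words[2:])
    return rules

def spec_matches(spec, client_ip):
    """True if an Allow/Deny 'from' spec covers client_ip."""
    if spec.lower() == "all":
        return True
    want = spec.rstrip(".").split(".")
    have = client_ip.split(".")
    # Partial IPs match whole octets: 206.4 must not match 206.40.x.x.
    return len(want) <= len(have) and have[:len(want)] == want

def access_allowed(text, client_ip):
    """Apply the Order semantics to one section for one client address."""
    rules = parse_section(text)
    allowed = any(spec_matches(s, client_ip) for s in rules["allow"])
    denied = any(spec_matches(s, client_ip) for s in rules["deny"])
    if rules["order"] == "allow,deny":
        return allowed and not denied      # default deny, Deny wins
    if rules["order"] == "deny,allow":
        return allowed or not denied       # default allow, Allow wins
    raise ValueError("unsupported Order: " + rules["order"])

if __name__ == "__main__":
    # Constructed client addresses.
    for ip in ("206.40.1.9", "206.4.1.9", "192.0.2.7"):
        print(ip, access_allowed(FILES_STAR, ip), access_allowed(BARE_ALLOW_ALL, ip))
```

Under this model a bare `Allow from all` admits every client to whatever that section covers, so the 206.40 restriction has to be restated wherever it is still wanted.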


