You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Pedro LaWrench <pe...@yahoo.com> on 2007/05/29 22:33:07 UTC

[users@httpd] issues with control

In my main server, I allow all with
<Directory /mydocs>
Order allow,deny
Allow all
</Directory>

Then in a virtual server (different port) I have
<Directory />
Order deny,allow
Allow from 10.1.2.3
Deny from all
</Directory>

Yet, it appears that all hosts can access /mydocs through the virtual server. 
Even with a deny for / in a virtual server config, is it true that more
specific directory entries *outside* the virtual server config will still be in
effect and take precedence?

Thanks,
PL


      ____________________________________________________________________________________Fussy? Opinionated? Impossible to please? Perfect.  Join Yahoo!'s user panel and lay it on us. http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] issues with control

Posted by Eric Covener <co...@gmail.com>.

Now serving a self-imposed email probation of 24h for two flubbed
responses in the same thread.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] issues with control

Posted by Eric Covener <co...@gmail.com>.

On 5/29/07, Eric Covener <co...@gmail.com> wrote:
> Isn't this effectively:
>
> Order deny,allow
> Allow from  10.1.2.3
> Deny from all
> Allow from all
>
> Mind the order that 'Order' will evaluate the merged directives.

That was all pretty poorly presented.  Your 'allow all' is evaluated
after your 'deny all' after things are merged together based on your
'Order' directive.


-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] issues with control

Posted by Eric Covener <co...@gmail.com>.

On 5/29/07, Pedro LaWrench <pe...@yahoo.com> wrote:
>
> In my main server, I allow all with
> <Directory /mydocs>
> Order allow,deny
> Allow all
> </Directory>
>
> Then in a virtual server (different port) I have
> <Directory />
> Order deny,allow
> Allow from 10.1.2.3
> Deny from all
> </Directory>
>
> Yet, it appears that all hosts can access /mydocs through the virtual
> server.
> Even with a deny for / in a virtual server config, is it true that more
> specific directory entries *outside* the virtual server config will still
> be in
> effect and take precedence?



Isn't this effectively:

Order deny,allow
Allow from 10.1.2.3
Deny from all
Allow from all


Mind the order that 'Order' will evaluate the merged directives.


-- 
Eric Covener
covener@gmail.com

Re: [users@httpd] Access Question

Posted by Scott Wilcox <sc...@x0f.org>.

thank you muchly. :)

Ricky Zhou wrote:
> Scott Wilcox wrote:
>   
>> and this works fine. The thing is, I have a directory inside this path,
>> called "data" which I need to allow all users access too. Is this
>> possible, and if so, how can I do it?
>>     
> <Directory "/path/to/dir/data">
>   Allow from all
>   Satisfy Any
> </Directory>
>
> (See http://httpd.apache.org/docs/2.2/mod/core.html#satisfy)
>
> Hope this helps,
> Ricky
>
>

Re: [users@httpd] Access Question

Posted by Ricky Zhou <ri...@gmail.com>.

Scott Wilcox wrote:
> and this works fine. The thing is, I have a directory inside this path,
> called "data" which I need to allow all users access too. Is this
> possible, and if so, how can I do it?
<Directory "/path/to/dir/data">
  Allow from all
  Satisfy Any
</Directory>

(See http://httpd.apache.org/docs/2.2/mod/core.html#satisfy)

Hope this helps,
Ricky

[users@httpd] Access Question

Posted by Scott Wilcox <sc...@x0f.org>.

hey folks.

If I have the root of a virtual protected with:

<VirtualHost *:80>
        DocumentRoot /path/to/dir
        ServerName bob      
        <Directory "/path/to/dir">
                AuthType Basic
                AuthName "Network Services"
                AuthBasicProvider file
                AuthUserFile /path/to/file
                Require valid-user
                AllowOverride All
                Options Indexes
                Order allow,deny
                Allow from all
        </Directory>           
</VirtualHost>


and this works fine. The thing is, I have a directory inside this path,
called "data" which I need to allow all users access too. Is this
possible, and if so, how can I do it?

Scott.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] issues with control

Posted by Pedro LaWrench <pe...@yahoo.com>.

--- Joshua Slive <jo...@slive.ca> wrote:

> On 5/29/07, Pedro LaWrench <pe...@yahoo.com> wrote:
> > In my main server, I allow all with
> > <Directory /mydocs>
> > Order allow,deny
> > Allow all
> > </Directory>
> >
> > Then in a virtual server (different port) I have
> > <Directory />
> > Order deny,allow
> > Allow from 10.1.2.3
> > Deny from all
> > </Directory>
> >
> > Yet, it appears that all hosts can access /mydocs through the virtual
> server.
> > Even with a deny for / in a virtual server config, is it true that more
> > specific directory entries *outside* the virtual server config will still
> be in
> > effect and take precedence?
> 
> Yes. For each directory, apache checks first for <Directory> sections
> outside vhosts then for <directory> sections inside vhosts. It does
> not apply all outside <directory> sections followed by all inside
> <directory> sections.
> 
> Joshua.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
> 

Thanks, that is consistent with what I am seeing, though it seems a tad
dangerous.  (Looking only at the vhost config, one might believe that
everything from / on down is restricted.)  I suppose if you are using vhosts,
you should only use directory controls within them, and not put any in the main
server that may have unintended consequences.

PL


       
____________________________________________________________________________________Sick sense of humor? Visit Yahoo! TV's 
Comedy with an Edge to see what's on, when. 
http://tv.yahoo.com/collections/222

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] issues with control

Posted by Joshua Slive <jo...@slive.ca>.

On 5/29/07, Pedro LaWrench <pe...@yahoo.com> wrote:
> In my main server, I allow all with
> <Directory /mydocs>
> Order allow,deny
> Allow all
> </Directory>
>
> Then in a virtual server (different port) I have
> <Directory />
> Order deny,allow
> Allow from 10.1.2.3
> Deny from all
> </Directory>
>
> Yet, it appears that all hosts can access /mydocs through the virtual server.
> Even with a deny for / in a virtual server config, is it true that more
> specific directory entries *outside* the virtual server config will still be in
> effect and take precedence?

Yes. For each directory, apache checks first for <Directory> sections
outside vhosts then for <directory> sections inside vhosts. It does
not apply all outside <directory> sections followed by all inside
<directory> sections.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org