Posted to users@httpd.apache.org by "Joseph M. Morgan" <jo...@hotmail.com> on 2010/07/13 14:13:21 UTC

[users@httpd] Help with mod_authz_host

This is an Apache 2.2 server running within a VM on CentOS.

Both the authn_basic_module and the authn_host_module are loaded.

I have the following directive:

<Directory "/var/www/html">
    Order deny,allow
    Deny from 221.192.0.0/14
</Directory>

Yet, today I see in my access logs:

221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ......

Why didn't Apache block this?




Re: [users@httpd] Help with mod_authz_host

Posted by "Joseph M. Morgan" <jo...@hotmail.com>.
#ProxyRequests On

It's commented just like that.  I suspect so (don't know the default off 
the top of my head)

On 7/13/2010 7:18 AM, Eric Covener wrote:
> On Tue, Jul 13, 2010 at 8:13 AM, Joseph M. Morgan
> <jo...@hotmail.com>  wrote:
>    
>> This is an Apache 2.2 server running within a VM on CentOS.
>>
>> Both the authn_basic_module and the authn_host_module are loaded.
>>
>> I have the following directive:
>>
>> <Directory "/var/www/html">
>>     Order deny,allow
>>     Deny from 221.192.0.0/14
>> </Directory>
>>
>> Yet, today I see in my access logs:
>>
>> 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET
>> http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ......
>>
>> Why didn't Apache block this?
>>
>>      
> Is ProxyRequests off?
>
>
> --
> Eric Covener
> covener@gmail.com
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Help with mod_authz_host

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jul 13, 2010 at 8:13 AM, Joseph M. Morgan
<jo...@hotmail.com> wrote:
> This is an Apache 2.2 server running within a VM on CentOS.
>
> Both the authn_basic_module and the authn_host_module are loaded.
>
> I have the following directive:
>
> <Directory "/var/www/html">
>    Order deny,allow
>    Deny from 221.192.0.0/14
> </Directory>
>
> Yet, today I see in my access logs:
>
> 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET
> http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ......
>
> Why didn't Apache block this?
>

Is ProxyRequests off?


--
Eric Covener
covener@gmail.com



Re: [users@httpd] Help with mod_authz_host

Posted by "Joseph M. Morgan" <jo...@hotmail.com>.
Works like a charm!  Thanks

On 7/14/2010 4:49 AM, Tom Evans wrote:
> On Tue, Jul 13, 2010 at 5:53 PM, Joseph M. Morgan
> <jo...@hotmail.com>  wrote:
>    
>> Well, this one's been hitting us almost every day... I should know pretty
>> quickly.
>> One quick question though.... could I have abbreviated with "221.192/14"
>> rather than using "221.192.0.0/14". I mean, I know I can block all of
>> 221.192 using just that, but is it legal to:
>>
>> Deny from 221.192/14
>>
>>      
> No, Apache doesn't like that syntax, I was just being lazy. Apache
> will allow '221.192' if you want to be super terse.
>
> Cheers
>
> Tom
>
>
>    



Re: [users@httpd] Help with mod_authz_host

Posted by "Joseph M. Morgan" <jo...@hotmail.com>.

On 7/13/2010 11:30 AM, Tom Evans wrote:
> On Tue, Jul 13, 2010 at 5:07 PM, Joseph M. Morgan
> <jo...@hotmail.com>  wrote:
>    
>> OK... trying this
>>
>> <Location />
>>     Order deny,allow
>>     Deny from 221.192.0.0/14
>> </Location>
>>
>> Anyone know how to test it???  Or do I just wait??? And... how will I know?
>>
>>
>>      
> Ah yes, testing it. You could additionally block another IP, just for
> testing purposes. You will see denials in the error log.
>
> That will definitely block access from 221.192/14 though.
>
> Cheers
>
> Tom
>
>    
Well, this one's been hitting us almost every day... I should know pretty quickly. 

One quick question though.... could I have abbreviated with "221.192/14" rather than using "221.192.0.0/14". 
I mean, I know I can block all of 221.192 using just that, but is it legal to:

Deny from 221.192/14





Re: [users@httpd] Help with mod_authz_host

Posted by Tom Evans <te...@googlemail.com>.
On Tue, Jul 13, 2010 at 5:07 PM, Joseph M. Morgan
<jo...@hotmail.com> wrote:
> OK... trying this
>
> <Location />
>    Order deny,allow
>    Deny from 221.192.0.0/14
> </Location>
>
> Anyone know how to test it???  Or do I just wait??? And... how will I know?
>
>

Ah yes, testing it. You could additionally block another IP, just for
testing purposes. You will see denials in the error log.

That will definitely block access from 221.192/14 though.

Cheers

Tom



Re: [users@httpd] Help with mod_authz_host

Posted by "Joseph M. Morgan" <jo...@hotmail.com>.
OK... trying this

<Location />
     Order deny,allow
     Deny from 221.192.0.0/14
</Location>

Anyone know how to test it???  Or do I just wait??? And... how will I know?


On 7/13/2010 10:40 AM, Tom Evans wrote:
> On Tue, Jul 13, 2010 at 3:27 PM, Joseph M. Morgan
> <jo...@hotmail.com>  wrote:
>    
>> On 7/13/2010 9:03 AM, Tom Evans wrote:
>>      
>>> On Tue, Jul 13, 2010 at 1:13 PM, Joseph M. Morgan
>>> <jo...@hotmail.com>    wrote:
>>>
>>>        
>>>> This is an Apache 2.2 server running within a VM on CentOS.
>>>>
>>>> Both the authn_basic_module and the authn_host_module are loaded.
>>>>
>>>> I have the following directive:
>>>>
>>>> <Directory "/var/www/html">
>>>>     Order deny,allow
>>>>     Deny from 221.192.0.0/14
>>>> </Directory>
>>>>
>>>> Yet, today I see in my access logs:
>>>>
>>>> 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET
>>>> http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ......
>>>>
>>>> Why didn't Apache block this?
>>>>
>>>>
>>>>
>>>>
>>>>          
>>> Are there other Deny/Allow blocks in your config that may be
>>> overriding this one? Does this request end up not being resolved to a
>>> on disk file, which would bypass the Directory block?
>>>
>>> Cheers
>>>
>>> Tom
>>>
>>>
>>>        
>> I have the <Files ~ "^\.ht"> and the directory "/var/www/cgi-bin" as deny
>> from all but it makes no sense those would allow anything, would they?
>>
>> The directories "var/www/error" and "var/www/icons" are Allow from all
>>
>>
>> Are you hinting that I need to add a <Files> with the deny??
>>
>>      
> <Directory> and <Files> blocks are applied when Apache is planning to
> serve a file, which can be bypassed if it isn't strictly a file it is
> serving.
>
> For instance, proxying never ends up with Apache looking at a file on
> disk, so with this config:
>
> DocumentRoot /var/empty
> <Directory /var/empty>
>    Order allow,deny
>    Deny from all
> </Directory>
> ProxyPass / http://app/
>
> requests would always be allowed - everything goes thru proxy, not the
> file system.
>
> If you change from the <Directory> approach to the <Location>
> approach, does it then work correctly? I.e., map out exclusions in URL
> space, not filesystem space.
>
> Cheers
>
> Tom
>



Re: [users@httpd] Help with mod_authz_host

Posted by Tom Evans <te...@googlemail.com>.
On Tue, Jul 13, 2010 at 3:27 PM, Joseph M. Morgan
<jo...@hotmail.com> wrote:
> On 7/13/2010 9:03 AM, Tom Evans wrote:
>>
>> On Tue, Jul 13, 2010 at 1:13 PM, Joseph M. Morgan
>> <jo...@hotmail.com>  wrote:
>>
>>>
>>> This is an Apache 2.2 server running within a VM on CentOS.
>>>
>>> Both the authn_basic_module and the authn_host_module are loaded.
>>>
>>> I have the following directive:
>>>
>>> <Directory "/var/www/html">
>>>    Order deny,allow
>>>    Deny from 221.192.0.0/14
>>> </Directory>
>>>
>>> Yet, today I see in my access logs:
>>>
>>> 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET
>>> http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ......
>>>
>>> Why didn't Apache block this?
>>>
>>>
>>>
>>>
>>
>> Are there other Deny/Allow blocks in your config that may be
>> overriding this one? Does this request end up not being resolved to a
>> on disk file, which would bypass the Directory block?
>>
>> Cheers
>>
>> Tom
>>
>>
>
> I have the <Files ~ "^\.ht"> and the directory "/var/www/cgi-bin" as deny
> from all but it makes no sense those would allow anything, would they?
>
> The directories "var/www/error" and "var/www/icons" are Allow from all
>
>
> Are you hinting that I need to add a <Files> with the deny??
>

<Directory> and <Files> blocks are applied when Apache is planning to
serve a file, which can be bypassed if it isn't strictly a file it is
serving.

For instance, proxying never ends up with Apache looking at a file on
disk, so with this config:

DocumentRoot /var/empty
<Directory /var/empty>
  Order allow,deny
  Deny from all
</Directory>
ProxyPass / http://app/

requests would always be allowed - everything goes thru proxy, not the
file system.

If you change from the <Directory> approach to the <Location>
approach, does it then work correctly? I.e., map out exclusions in URL
space, not filesystem space.

Cheers

Tom
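
The message above explains why a <Directory> rule never sees proxy-style requests, and the thread also asks how to tell whether the Deny rule is taking effect. The following is an added example, not part of the original thread: it scans access-log lines for clients inside the denied network that were answered with anything other than 403. It assumes the common/combined log format; the sample lines and the proxy-probe.example host are constructed.

```python
import ipaddress
import re

# Network from the thread's Deny rule.
DENIED_NET = ipaddress.ip_network("221.192.0.0/14")

# Pull client address, request line and status from a common/combined log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) [^"]*"(?P<req>[^"]*)" (?P<status>\d{3})')

def is_proxy_style(request_line):
    """True for forward-proxy style requests: absolute-URI target or CONNECT."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    return parts[0].upper() == "CONNECT" or "://" in parts[1]

def audit(lines, denied=DENIED_NET):
    """Return (ip, status, proxy_style) for denied-range clients not answered 403."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this pattern understands
        try:
            client = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # hostname or junk in the client field
        if client.version != denied.version or client not in denied:
            continue  # outside the denied range
        status = int(m.group("status"))
        if status != 403:  # a request refused by Deny is answered 403 Forbidden
            findings.append((str(client), status, is_proxy_style(m.group("req"))))
    return findings

# Constructed sample lines (not taken from a real log).
SAMPLE_LOG = [
    '221.192.199.35 - - [12/Jul/2010:15:26:19 -0500] "GET http://proxy-probe.example/check.php HTTP/1.0" 404 290',
    '221.195.10.7 - - [14/Jul/2010:09:02:11 -0500] "GET http://proxy-probe.example/check.php HTTP/1.0" 403 287',
    '221.194.3.3 - - [14/Jul/2010:09:05:40 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '221.196.0.1 - - [14/Jul/2010:09:06:02 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [14/Jul/2010:09:07:13 -0500] "GET / HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, status, proxied in audit(SAMPLE_LOG):
        kind = "proxy-style" if proxied else "origin-form"
        print(f"{ip} got {status} ({kind} request): Deny rule did not apply")
```

An empty result over a period in which the denied range is known to have sent requests means every such request was refused; the matching denials also appear in the error log.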



Re: [users@httpd] Help with mod_authz_host

Posted by "Joseph M. Morgan" <jo...@hotmail.com>.
On 7/13/2010 9:03 AM, Tom Evans wrote:
> On Tue, Jul 13, 2010 at 1:13 PM, Joseph M. Morgan
> <jo...@hotmail.com>  wrote:
>    
>> This is an Apache 2.2 server running within a VM on CentOS.
>>
>> Both the authn_basic_module and the authn_host_module are loaded.
>>
>> I have the following directive:
>>
>> <Directory "/var/www/html">
>>     Order deny,allow
>>     Deny from 221.192.0.0/14
>> </Directory>
>>
>> Yet, today I see in my access logs:
>>
>> 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET
>> http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ......
>>
>> Why didn't Apache block this?
>>
>>
>>
>>      
> Are there other Deny/Allow blocks in your config that may be
> overriding this one? Does this request end up not being resolved to a
> on disk file, which would bypass the Directory block?
>
> Cheers
>
> Tom
>
>    

I have the <Files ~ "^\.ht"> and the directory "/var/www/cgi-bin" as deny
from all but it makes no sense those would allow anything, would they?

The directories "var/www/error" and "var/www/icons" are Allow from all


Are you hinting that I need to add a <Files> with the deny??





Re: [users@httpd] Help with mod_authz_host

Posted by Tom Evans <te...@googlemail.com>.
On Tue, Jul 13, 2010 at 1:13 PM, Joseph M. Morgan
<jo...@hotmail.com> wrote:
> This is an Apache 2.2 server running within a VM on CentOS.
>
> Both the authn_basic_module and the authn_host_module are loaded.
>
> I have the following directive:
>
> <Directory "/var/www/html">
>    Order deny,allow
>    Deny from 221.192.0.0/14
> </Directory>
>
> Yet, today I see in my access logs:
>
> 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET
> http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ......
>
> Why didn't Apache block this?
>
>
>

Are there other Deny/Allow blocks in your config that may be
overriding this one? Does this request end up not being resolved to an
on-disk file, which would bypass the Directory block?

Cheers

Tom
