Posted to users@httpd.apache.org by Jean-Luc Wasmer <jl...@wasmer.ca> on 2003/04/09 07:13:14 UTC

[users@httpd] Access control for files outside DocumentRoot

Hi,

I'm trying to control the access to _any_ file on the filesystem, eg any
file in /.
I need this because I have included files that are outside DocumentRoot and
the Allow-Deny directives need to be in a <Directory> section.

The following setting lets everybody in:

<VirtualHost *:80>
    ServerName intranet.domain.com
    DocumentRoot /data/htdocs/intranet
    Include /usr/pkg/etc/httpd/services.conf
    <Directory />
        Order Allow,Deny
        Allow from 192.168.0.0/255.255.255.0
        Deny from All
    </Directory>
</VirtualHost>

Am I doing the right thing?


JL


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Access control for files outside DocumentRoot -Solved

Posted by Jean-Luc Wasmer <jl...@wasmer.ca>.
> > I was misled by the doc and didn't try with <Location>
> > The description should be:
> > Context: directory, location, .htaccess
>
> If you click on the word "Context" in the listing, you will get this help
> page: http://httpd.apache.org/docs-2.0/mod/directive-dict.html#Context
> which tells you that a "Directory" context includes "Location" and "Files"
> unless otherwise mentioned.

Yeah... my mistake. That's why I didn't say there was an error in the doc.
I found the doc _misleading_
They should use a different word than "directory" when referring to
Directory, Location and Files.

If I'm asking about the color of your house, I'm not expecting to have the
color of your house, your garden shed and your country bungalow ;-)

Anyway, that's not a big deal.

Thanks again.

JL




Re: [users@httpd] Access control for files outside DocumentRoot - Solved

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 9 Apr 2003, Jean-Luc Wasmer wrote:

> > 1. Please read the docs on Order and consider the effect of that order
> > directive.  (Hint: All access will be denied if you end with "Deny from
> > All".)
> This wasn't my original setting. I was trying anything to have a denied
> access. The server kept allowing the requests.
> Anyway, I'm not sure (according to the docs) the order (not the "Order"
> directive) of the Deny and Allow directives is relevant since Order will
> decide which to evaluate first.

Yes, I slightly misspoke there.  I meant to say that all access will be
denied if you have "Deny from all" and "Order allow,deny" together, since
the "deny" will be evaluated last, hence denying all access.

> That was my second option.
> First I tried to put the Deny-Allow-Order directive directly in the
> <VirtualHost> section.
> It didn't work, so I checked the docs:

For the reason this doesn't work, see:
http://httpd.apache.org/docs-2.0/sections.html#mergin

As I said, other <Directory> sections are being evaluated later,
overriding your directives.

> Context: directory, .htaccess
>
> I was misled by the doc and didn't try with <Location>
> The description should be:
> Context: directory, location, .htaccess

If you click on the word "Context" in the listing, you will get this help
page: http://httpd.apache.org/docs-2.0/mod/directive-dict.html#Context
which tells you that a "Directory" context includes "Location" and "Files"
unless otherwise mentioned.

Joshua.



Re: [users@httpd] Access control for files outside DocumentRoot - Solved

Posted by Jean-Luc Wasmer <jl...@wasmer.ca>.
> 1. Please read the docs on Order and consider the effect of that order
> directive.  (Hint: All access will be denied if you end with "Deny from
> All".)
This wasn't my original setting. I was trying anything to have a denied
access. The server kept allowing the requests.
Anyway, I'm not sure (according to the docs) the order (not the "Order"
directive) of the Deny and Allow directives is relevant since Order will
decide which to evaluate first.

> 2. These directives in <Directory /> will probably be overridden by
> directives that apply lower down in the directory tree and thus have
> no effect at all.  An easy way to solve your particular problem is to use
> this:
>
> <Location />
> Order Deny,Allow
> Deny from All
> Allow from 192.168.0.0/255.255.255.0
> </Location>
>
> This works because <Location> sections are evaluated AFTER all <Directory>
> sections.
>
> See the docs on configuration sections.

That was my second option.
First I tried to put the Deny-Allow-Order directive directly in the
<VirtualHost> section.
It didn't work, so I checked the docs:

Order Directive
[...]
Context: directory, .htaccess

Deny Directive
[...]
Context: directory, .htaccess

Allow Directive
[...]
Context: directory, .htaccess

I was misled by the doc and didn't try with <Location>
The description should be:
Context: directory, location, .htaccess

Thank you Joshua :-)


JL


> -----Original Message-----
> From: Jean-Luc Wasmer
>
> Hi,
>
> I'm trying to control the access to _any_ file on the filesystem, eg any
> file in /.
> I need this because I have included files that are outside DocumentRoot
> and the Allow-Deny directives need to be in a <Directory> section.
>
> The following setting lets everybody in:
>
> <VirtualHost *:80>
>     ServerName intranet.domain.com
>     DocumentRoot /data/htdocs/intranet
>     Include /usr/pkg/etc/httpd/services.conf
>     <Directory />
>         Order Allow,Deny
>         Allow from 192.168.0.0/255.255.255.0
>         Deny from All
>     </Directory>
> </VirtualHost>
>
> Am I doing the right thing?




Re: [users@httpd] Access control for files outside DocumentRoot

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 9 Apr 2003, Jean-Luc Wasmer wrote:

> Hi,
>
> I'm trying to control the access to _any_ file on the filesystem, eg any
> file in /.
> I need this because I have included files that are outside DocumentRoot and
> the Allow-Deny directives need to be in a <Directory> section.

>     <Directory />
>         Order Allow,Deny
>         Allow from 192.168.0.0/255.255.255.0
>         Deny from All
>     </Directory>

Two things wrong:

1. Please read the docs on Order and consider the effect of that order
directive.  (Hint: All access will be denied if you end with "Deny from
All".)

2. These directives in <Directory /> will probably be overridden by
directives that apply lower down in the directory tree and thus have
no effect at all.  An easy way to solve your particular problem is to use
this:

<Location />
Order Deny,Allow
Deny from All
Allow from 192.168.0.0/255.255.255.0
</Location>

This works because <Location> sections are evaluated AFTER all <Directory>
sections.

See the docs on configuration sections.

Joshua.
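
Added example, not part of the thread or of Apache's code: a small Python model of the two points above, how Order resolves Allow/Deny within one section and why a later-merged <Location /> wins over <Directory> sections. The /data/services section is a constructed stand-in for whatever applies lower in the tree, and the model assumes the last applicable section carrying access directives replaces the earlier ones.

```python
import ipaddress

SUBNET = "192.168.0.0/255.255.255.0"   # netmask form, as written in the thread

def matches(specs, client):
    ip = ipaddress.ip_address(client)
    return any(s.lower() == "all" or ip in ipaddress.ip_network(s) for s in specs)

def evaluate(order, allow, deny, client):
    """Order/Allow/Deny decision for one section; True means access granted."""
    a, d = matches(allow, client), matches(deny, client)
    if order.lower() == "allow,deny":   # Allow first, Deny last, default deny
        return a and not d
    if order.lower() == "deny,allow":   # Deny first, Allow last, default allow
        return a or not d
    raise ValueError("unsupported Order: " + order)

def covers(prefix, path):
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def decide(sections, url, fs_path, client):
    """Pick the section that wins the merge, then evaluate its rules."""
    dirs = [s for s in sections if s[0] == "Directory" and covers(s[1], fs_path)]
    # <Directory> sections apply shortest path first, so the deepest one wins
    dirs.sort(key=lambda s: len(s[1].rstrip("/").split("/")))
    locs = [s for s in sections if s[0] == "Location" and covers(s[1], url)]
    merged = dirs + locs                # <Location> applies after every <Directory>
    if not merged:
        return True                     # no access directives apply (model assumption)
    return evaluate(*merged[-1][2], client)

# (kind, path, (Order, Allow specs, Deny specs))
ORIGINAL = [
    ("Directory", "/", ("Allow,Deny", [SUBNET], ["all"])),
    # constructed: a deeper section that allows everyone
    ("Directory", "/data/services", ("Allow,Deny", ["all"], [])),
]
FIXED = ORIGINAL + [("Location", "/", ("Deny,Allow", [SUBNET], ["all"]))]

REQUEST = ("/svc/page.html", "/data/services/page.html")   # constructed URL and file

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("with <Location />", FIXED)):
        for client in ("192.168.0.10", "203.0.113.9"):
            print(name, client, "allowed" if decide(conf, *REQUEST, client) else "denied")
```
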



Re: [users@httpd] Access control for files outside DocumentRoot

Posted by Jean-Luc Wasmer <jl...@wasmer.ca>.
> Looks fine but you are missing an alias to the root path, if you do
> directory / on the directory directive it will think that you are assigning
> permissions to the documentroot folder, therefore you'd need to add to the
> VHost container:
> Alias /root
> And then change the / to /root.

What is the other argument of Alias?
I tried:
    Alias /root /
    <Directory /root>
But I still get access to the pages (I get a 403 error only when accessing
http://intranet.domain.com/root )

I also tried:
    Alias /root /
    <Directory />
with the same result....

By the way, I'm running apache-2.0.44


JL

> -----Original Message-----
> From: Jean-Luc Wasmer [mailto:jl.apache@wasmer.ca]
>
> Hi,
>
> I'm trying to control the access to _any_ file on the filesystem, eg any
> file in /.
> I need this because I have included files that are outside DocumentRoot
> and the Allow-Deny directives need to be in a <Directory> section.
>
> The following setting lets everybody in:
>
> <VirtualHost *:80>
>     ServerName intranet.domain.com
>     DocumentRoot /data/htdocs/intranet
>     Include /usr/pkg/etc/httpd/services.conf
>     <Directory />
>         Order Allow,Deny
>         Allow from 192.168.0.0/255.255.255.0
>         Deny from All
>     </Directory>
> </VirtualHost>
>
> Am I doing the right thing?





RE: [users@httpd] Access control for files outside DocumentRoot

Posted by Jeff Cohen <li...@gej-it.com>.
Looks fine but you are missing an alias to the root path, if you do
directory / on the directory directive it will think that you are assigning
permissions to the documentroot folder, therefore you'd need to add to the
VHost container:
Alias /root
And then change the / to /root.

All the best,
Jeff Cohen

> -----Original Message-----
> From: Jean-Luc Wasmer [mailto:jl.apache@wasmer.ca]
> Sent: Wednesday, April 09, 2003 1:13 AM
> To: users@httpd.apache.org
> Subject: [users@httpd] Access control for files outside DocumentRoot
> 
> Hi,
> 
> I'm trying to control the access to _any_ file on the filesystem, eg any
> file in /.
> I need this because I have included files that are outside DocumentRoot and
> the Allow-Deny directives need to be in a <Directory> section.
> 
> The following setting lets everybody in:
> 
> <VirtualHost *:80>
>     ServerName intranet.domain.com
>     DocumentRoot /data/htdocs/intranet
>     Include /usr/pkg/etc/httpd/services.conf
>     <Directory />
>         Order Allow,Deny
>         Allow from 192.168.0.0/255.255.255.0
>         Deny from All
>     </Directory>
> </VirtualHost>
> 
> Am I doing the right thing?
> 
> 
> JL
> 
> 